Microsoft has confirmed it is working on a fix for a critical vulnerability in its Internet Explorer 8 web browser, following the flaw’s public disclosure by researchers at the Zero Day Initiative (ZDI).
The flaw came to light after the researcher who found it revealed Microsoft had not patched the problem within 180 days of being informed, thereby allowing ZDI to make information public under its own guidelines.
Despite the lengthy wait for a fix, a Microsoft spokesperson told V3 the company is aware of the flaw and is working to fix it, but added it is yet to uncover any evidence it is being actively exploited.
“We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers. We build and thoroughly test every security fix as quickly as possible,” said the spokesperson.
“Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers.”
The vulnerability was disclosed by the ZDI earlier this week and could theoretically be exploited by hackers to infect machines running the web browser with malware. The researchers claim they privately reported the bug to Microsoft on 10 November 2013.
Microsoft added that while the company is going to fix the bug, to remain truly secure users should upgrade to a newer version of Windows and IE.
“We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which includes further protections,” said the spokesperson.
Microsoft has been calling for users to upgrade to new Windows versions since it officially ceased support for its 13-year-old Windows XP operating system in April. The cut-off means Microsoft will not officially issue security fixes for newly found vulnerabilities on XP.
Microsoft was forced to issue an emergency XP fix, despite the official cut-off, when a separate zero-day vulnerability was discovered in IE earlier in May.
Meanwhile, the researcher who originally found the flaw defended Microsoft for taking its time on the fix, saying there could well be a good reason for the delay.
“The fact that the vulnerability was reported back in October 2013 and still has not been patched may sound disconcerting, but I’m sure there must be a very good reason,” he wrote in a blog post.
“Everybody agrees that 180 days is a very long time, but I don’t believe this is an indication that Microsoft is ignoring bug reports or doesn’t care about security at all, so let’s not exaggerate things.
“In fact, Microsoft is doing an excellent job in handling vulnerability reports, issuing patches and crediting researchers.”
23 May 2014 | 1:03 pm – Source: v3.co.uk