Microsoft Urges IE 8 Users to Upgrade to Avoid New Security Flaw

Microsoft (MSFT) has advised Internet Explorer (IE) 8 browser users to upgrade to a newer version to dodge a new zero-day security vulnerability, first discovered last October, until the vendor issues a patch to correct the flaw.

Net Applications’ April 2014 data estimates IE 8 still holds a 21 percent stake of the worldwide browser market.

Microsoft was advised last October of the security flaw, which enables remote cyberattackers to take control of a user’s computer, according to Hewlett-Packard’s (HPQ) Zero Day Initiative (ZDI). Researcher Peter Van Eeckhoutte discovered the IE 8 security vulnerability.

In keeping with its policy, ZDI waited some six months after informing Microsoft of the defect before publishing details of the security flaw, ostensibly to give the vendor enough time to patch it. ZDI said it informed Microsoft May 8 that it planned to release details of the security flaw May 21. According to ZDI, the defect first was disclosed to Microsoft Oct. 11, 2013.

To execute the bug, an IE 8 user has to click on an infected website or lure them into opening an attachment or clicking on a malicious link. A succesful intrusion would give the attacker the same rights to the machine as the current user, ZDI said.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer,” ZDI said. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”

In its advisory, ZDI said that “an attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities.”

A Microsoft spokesperson said no incidents related to the new IE security defect had affected its customers to date.

"We build and thoroughly test every security fix as quickly as possible,” the spokesperson said. “Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections.”