A critical security flaw in Microsoft’s Internet Explorer 8 has gone unfixed since October 2013, according to a new report by HP’s Zero-Day Initiative.
Although IE8 is five years old, it still holds a 20% share of the desktop browser market, according to statistics from Net Applications.
The ZDI rewards security researchers for finding flaws and publishes information on zero-day flaws, or unpatched, previously unknown threats, if they go unfixed by the software maker for more than 180 days.
The flaw was discovered by Belgian researcher Peter Van Eeckhoutte and allows an attacker to run malicious code in IE8 if a user can be lured to a malicious site designed to exploit the flaw, the ZDI said.
This could be accomplished by sending the victim an email containing a link to such a malicious site and, if successful, the hacker would have the same user rights on the computer as the victim.
The ZDI report on the flaw within the handling of CMarkup objects comes just weeks after Microsoft was forced to issue an emergency patch for a flaw that affected IE 6 to 11.
The patch was released within a week and fixed a vulnerability that could also allow attackers to execute code remotely if the victim visited a compromised or specially crafted malicious website.
Microsoft has not given any reason for the delay in patching this latest vulnerability to be made public, but said it has not seen an active exploit of the flaw, according to CNET.
The software company recommended that users of IE8 set Internet security zone settings to “high” to block ActiveX Controls and Active Scripting, and configure IE to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zones.
Microsoft also said users of IE8 should install the Enhanced Mitigation Experience Toolkit (EMET), a free Windows-based security tool that adds supplemental security defences.
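A read-only way to check whether a machine already matches the zone settings recommended above, as an added example that is not from Microsoft or the ZDI report. It assumes the standard Internet Explorer zone registry layout (zone 1 = Local intranet, zone 3 = Internet; action 1400 = Active Scripting, action 1200 = run ActiveX controls and plug-ins); the variable names are illustrative.

```powershell
# Added example: audit IE zone settings for Active Scripting and ActiveX.
# Reads the registry only; it changes nothing.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1400' = 'Active Scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Group Policy keys are listed first because they override per-user settings.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$results = foreach ($root in $roots) {
    foreach ($zone in $zones.Keys) {
        $key = Join-Path -Path $root -ChildPath "$zone"
        foreach ($action in $actions.Keys) {
            $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not set under this key

            $value = [int]$item.$action
            $state = $meaning[$value]
            if ($null -eq $state) { $state = "Unknown ($value)" }

            [pscustomobject]@{
                Source  = $root.Substring(0, 4)  # HKLM or HKCU
                Policy  = $root -like '*\Policies\*'
                Zone    = $zones[$zone]
                Setting = $actions[$action]
                State   = $state
                # The recommendation is met by Prompt or Disabled, not by Enabled.
                MeetsRecommendation = ($value -in 1, 3)
            }
        }
    }
}

if (-not $results) {
    Write-Output 'No explicit zone values found; the zone security-level defaults apply.'
} else {
    $results | Sort-Object Zone, Setting, Source | Format-Table -AutoSize
}
```

A setting that appears under a `Policies` key takes precedence over the same setting under the per-user key, so a compliant per-user value does not help if policy sets it to Enabled.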