When a widely used browser is found to have a bug that hackers could exploit to hijack computers, you expect the vendor to do something about it as quickly as possible. The problem is that putting out a patch can be a pretty complicated operation and vendors can’t always respond as quickly as users would like.
Microsoft has announced that it plans to patch a remote code-execution vulnerability detected several months ago in version 8 of its Internet Explorer browser.
The bug was brought to Microsoft’s attention last October by Zero Day Initiative (ZDI), a Hewlett-Packard Co. (Nasdaq: HPQ) security group and website. On its site, ZDI says the bug “allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer.” Users have to visit a malicious web page or open a malicious file to enable the code execution.
Once it notifies software vendors that it has found a bug in one of their products, ZDI waits 180 days to give the vendor time to issue a patch. If nothing has happened by then ZDI goes public with the information.
As reported in an Ars Technica story on the bug, Microsoft said it hadn’t detected any attacks that use the vulnerability, which ZDI defines as a “CMarkup use-after-free remote code execution vulnerability.” The company noted that some patches take a longer time to put together and that each must be tested against a wide range of programs, applications and configurations.
“Despite huge leaps in secure code, nothing is immune when hackers are motivated,” Ars Technica’s Dan Goodin writes.
“We continue working to address this issue and will release a security update when ready in order to help protect customers,” Microsoft announced.
So far there’s no sign that the bug has been put to malicious use. Although a large number of users are still running the vulnerable IE8, Ars Technica says it’s likely that many of them are on Windows XP, which is no longer updated.
“Microsoft didn’t say exactly why it hasn’t assigned a higher priority to issuing a patch for a bug, but it wouldn’t be surprising if both of these considerations were involved.”
The ZDI report on the bug says Microsoft (Nasdaq: MSFT) has recommended users adopt the following workarounds:
- set Internet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones;
- configure IE to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone;
- those using apps that work only with IE8 should install Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which adds security technologies for older software.
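An added audit script for the first two workarounds (example code written for this article, not from Microsoft or ZDI): it reads the current user’s Internet and Local intranet zone settings and reports whether ActiveX controls and Active Scripting are set to prompt or disabled. The registry locations, value names and value meanings are assumptions drawn from public documentation of IE zone settings, and a Group Policy setting can override what is shown here.

```powershell
# Added example, not part of the article. Assumed registry layout:
#   per-user zone settings live under
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone id>
#   zone 1 = Local intranet, zone 3 = Internet
#   value 1200 = Run ActiveX controls and plug-ins, value 1400 = Active scripting
#   data 0 = enable, 1 = prompt, 3 = disable (the "High" template sets both to 3)
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$settings = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$state    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneSettingStatus {
    param([int]$ZoneId, [string]$ValueName)
    $key   = Join-Path $zoneRoot $ZoneId
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing value means IE falls back to the zone template default, which
    # for the Internet zone leaves Active Scripting enabled; treat as not mitigated.
    if ($null -eq $props -or $null -eq $props.$ValueName) { return 'NotSet' }
    $raw = [int]$props.$ValueName
    if ($state.ContainsKey($raw)) { return $state[$raw] }
    return "Unknown($raw)"
}

$findings = foreach ($zoneId in $zones.Keys) {
    foreach ($valueName in $settings.Keys) {
        $status = Get-ZoneSettingStatus -ZoneId $zoneId -ValueName $valueName
        [pscustomobject]@{
            Zone      = $zones[$zoneId]
            Setting   = $settings[$valueName]
            Status    = $status
            Mitigated = ($status -in 'Prompt', 'Disabled')
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Mitigated }) {
    Write-Warning 'At least one zone still runs ActiveX or Active Scripting without prompting.'
}
```

Run it in the context of the user whose browser profile you want to check; machine-wide policy under HKLM is not inspected by this script.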
And of course users who can should upgrade to IE11, which has stronger security.
Microsoft’s next “Patch Tuesday” is scheduled for June 10.