Internet Explorer 8 remains the most used browser version in the world, so it should come as a surprise that a vulnerability discovered back in October 2013 has remained unpatched. The vulnerability was made public earlier this week by Hewlett-Packard’s bug bounty program when Microsoft failed to address the problem.

Hewlett-Packard’s Tipping Point Zero-Day Initiative (ZDI) is a bounty program that rewards researchers who discover and report vulnerabilities so that they can be fixed by Microsoft. The ZDI gives Microsoft 180 days to address a vulnerability before it makes the information public. In this way, the ZDI incentivizes Microsoft to address problems quickly, but doesn’t put users in unneeded danger. Or at least, that is normally how it works. Unfortunately, Microsoft has acknowledged the vulnerability, but does not consider it a priority. A Microsoft spokesperson had this to add:

“We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections.”

While Microsoft has stated that the vulnerability is not currently affecting any of its customers, the fact that it exists and is now in the public eye means there is reason to be concerned. The vulnerability allows for what is known as a “drive-by download”: when a user visits a website, the website can automatically download a file (malware) without the user’s consent or knowledge. Because the vulnerability is now known and is part of such a popular browser version, it is very likely that cyber criminals will attempt to exploit it in the near future.

Internet Explorer 8 was the last Microsoft browser version to be supported by Windows XP. This means that if you have yet to upgrade to a more modern operating system, you are very likely at risk from this particular exploit. Even if you have upgraded, the discovery of this exploit illustrates the importance of maintaining regular updates for your computer systems. Internet Explorer has gone through three iterations since IE8 and, XP compatibility aside, there is no reason not to upgrade to the latest and most secure version.

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer