Serious Internet Explorer Flaw Affects XP, Goes Unpatched

Discussion in 'Security Updates' started by allheart55 (Cindy E), May 24, 2014.

    By Tom's Guide / Jill Scharr May 22, 2014 5:49 PM

    UPDATE: This story has been updated to include Microsoft's statement that it will patch this Internet Explorer 8 flaw eventually.
    Internet Explorer 8 allegedly has a serious security flaw that would allow an attacker to remotely take control of a user's computer. And since Windows XP users can't upgrade to a more modern version of the popular browser and won't be receiving any more official security updates, it's XP users who are most at risk.

    What's more, Microsoft allegedly knew about this flaw back in October, and did nothing, according to Zero Day Initiative, an HP-sponsored program that rewards security experts for finding software flaws. Since that time, Microsoft has stopped issuing security updates for Windows XP and all programs for that operating system, effectively leaving XP users stuck with a flaw it allegedly had time to fix.

    Discovered by Belgian security researcher Peter Van Eeckhoutte of ZDI, this IE 8 bug reportedly has to do with remote code execution, which is when criminals seize control of an affected computer, allowing them to download malware without the user's knowledge.

    To do so, the criminals would have to trick users into using IE 8 to visit a webpage infected with specially crafted malware designed to seek out and exploit this specific flaw.

    IE 8 is the only version affected by this flaw. Microsoft might still patch IE 8 on its more recent operating systems such as Vista, but it's unlikely that the XP version of IE 8 will ever get another security update, and XP is where IE 8 is most widely used.

    On April 8 Microsoft issued its final security patches for Windows XP, including patches for other IE flaws. Even after that, Microsoft released one more emergency patch for Internet Explorer 6 through 11, including Internet Explorer 8 on Windows XP, which addressed a different zero-day flaw.

    ZDI says that on May 8 it told Microsoft that it would go public with the Internet Explorer 8 flaw it found. Today it did so, posting an advisory on its website.

    The Internet Explorer 8 issue is a "use-after-free" flaw, which has to do with memory allocation. In IE 8, it pertains to the way the browser handles CMarkup objects.

    Despite being no longer supported, an estimated 20 to 30 percent of users worldwide still use Windows XP. That means a good number of them use IE 8, the default browser on that system.

    If you're still using Windows XP and you can't update for whatever reason, you should stop using Internet Explorer. Instead, use a browser such as Chrome, Firefox or Aviator, all of which continue to support their XP versions.

    You should also be hyper-vigilant about any kind of suspicious emails, hyperlinks or popup advertisements. Do not click on anything unless you trust its source.

    UPDATE: Microsoft said in an official statement Thursday that it will patch this IE 8 flaw, but it didn't give a timeline. Microsoft did say that it's not aware of any exploits using this bug to date—though now that the bug is public that's more than likely to change.

    "We build and thoroughly test every security fix as quickly as possible," Microsoft's statement reads. "Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers."

    In the meantime, Microsoft's advice is to update to a more recent version of Internet Explorer. People using Windows XP, who can't upgrade past IE 8, are encouraged to upgrade to a more recent operating system.

    http://news.yahoo.com/serious-internet-explorer-flaw-affects-214954956.html