[by ZDI] is an advisory not an exploit [emphasis in original],” he said, adding that “IE8 is affected and arbitrary code execution is definitely possible.”
The latter means that if hackers could pinpoint the vulnerability from the sketchy details disclosed by ZDI, write a workable exploit and then dupe IE8 users into visiting a malicious or compromised website, the cyber criminals could hijack the PC and plant malware on it, pilfer its secrets and use it as a bot for further mischief.
ZDI has more than 100 unpatched vulnerabilities in its queue of reported-but-not-patched bugs, including 25 whose 180-day deadline has come and gone. So why announce the IE8 vulnerability?
ZDI’s manager, Brian Gorenc, did not directly answer that question today. “In certain cases, ZDI may decide to delay posting details on a vulnerability if it’s in the best interest of the public and the vendor is actively working to push out a patch near the end of the disclosure timeline,” Gorenc said in an email.
He also denied that ZDI was in some way picking on Microsoft. “We treat all vendors equally when it comes to granting extensions and releasing zero-day advisories,” Gorenc wrote.
But by revealing that IE8 has an unpatched vulnerability, one seven months old to boot, ZDI at the least caused Microsoft some embarrassment.
That’s warranted, ZDI believes, or it would not have its 180-day — and now a 120-day — deadline for patching. The whole idea of a deadline is to pressure vendors into patching as quickly as possible.
Which is not only a good thing, said Van Eeckhoutte, but the way things should work. “I am worried, too, about a 180-day delay to get a bug fixed,” he said. “But I would be really worried if the bug was actively being exploited and left unpatched for another 180 days.”
Internet Explorer 8 remains the most-used Microsoft browser, although the newer IE11 is quickly gaining ground. (Data: Net Applications.)
Microsoft gave no hint today about when it would patch the IE8 bug — which ZDI said it had confirmed was exploitable on Windows XP and Windows 7 — or what had kept it from fixing the flaw.
“We build and thoroughly test every security fix as quickly as possible,” Microsoft said. “Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations.”
Even when Microsoft patches IE8, it will not issue a fix for the browser on Windows XP, as support for the 13-year-old OS has ended. Microsoft retired XP on April 8, but made an exception May 1 when it released a patch for IE on XP. There seems little chance it will make more exceptions.
In lieu of a patch, Windows users, including those running XP, can take several defensive steps, including restricting IE’s Active Scripting and installing Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) utility. Microsoft provided those recommended steps to ZDI, which included them in its advisory.
Although EMET was originally designed for enterprises and advanced Windows users, Microsoft has been urging other customers to install the toolkit as an important anti-exploit defense.
“EMET will prevent the [proof-of-concept] exploit from achieving arbitrary code execution,” said Van Eeckhoutte. “In fact, it should be clear by now that installing EMET has become an important layer of defense on your Windows endpoints. This case simply reinforces this. EMET won’t stop every single exploit, but it does increase the cost (for an attacker) to pwn a box. If you’re serious about security, install it.”
EMET works on Windows XP, and can be downloaded from Microsoft’s website.
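The Active Scripting restriction mentioned above is a per-zone Internet Explorer setting stored in the registry. The following PowerShell audit script is an added example, not code from the article or from ZDI's advisory; it reads the "1400" (Active Scripting) value of each IE security zone, flags the Internet zone when scripting is explicitly enabled, and offers a helper to set that zone to "Prompt". It assumes the per-user settings under HKCU are in effect (no Group Policy override forcing HKLM-only zone settings).

```powershell
# Added example (not from the article or ZDI's advisory): audit the Active Scripting
# setting of each IE security zone and optionally set the Internet zone to "Prompt".
# Assumption: per-user zone settings in HKCU apply (no "Security_HKLM_only" policy).
#
# Registry layout documented by Microsoft: each zone is a subkey of
# ...\Internet Settings\Zones\<n>; the DWORD named "1400" controls Active Scripting,
# with 0 = Enable, 1 = Prompt, 3 = Disable.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    foreach ($zone in 0..4) {
        $props = Get-ItemProperty -Path (Join-Path $zonesKey $zone) -ErrorAction SilentlyContinue
        $raw   = if ($null -ne $props) { $props.'1400' } else { $null }
        # A missing value means IE falls back to the zone template default
        # (Enable for the Internet zone at its default Medium-high level).
        $state = if ($null -eq $raw) { 'Not set (zone default)' } else { $stateNames[[int]$raw] }
        [pscustomobject]@{
            Zone    = $zoneNames[$zone]
            Value   = $raw
            State   = $state
            # Only the Internet zone with scripting explicitly enabled is flagged here.
            Exposed = ($zone -eq 3 -and $null -ne $raw -and [int]$raw -eq 0)
        }
    }
}

function Set-InternetZoneActiveScripting {
    # Applies the advisory's workaround to the Internet zone (zone 3).
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$State = 'Prompt')
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$State]
    Set-ItemProperty -Path (Join-Path $zonesKey 3) -Name '1400' -Value $value -Type DWord
}

Get-ActiveScriptingState | Format-Table -AutoSize
# Uncomment to apply the workaround; new browser sessions pick up the change:
# Set-InternetZoneActiveScripting -State Prompt
```

Setting the zone to "Prompt" rather than "Disable" keeps most sites usable while making script execution an explicit user decision, which is the trade-off the advisory's workaround describes.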
IE8 remains the most popular version of Internet Explorer, even though it has been superseded by three newer editions. According to Web metrics company Net Applications, IE8 accounted for 36% of all versions of Microsoft’s browser in use last month. The newest, IE11, came in second with a 28.7% share.
Microsoft’s next regularly-scheduled security updates will be released on June 10.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His email address is firstname.lastname@example.org.