Menu
Microsoft will patch IE zero day but doesn't give timeline

Microsoft will patch IE zero day but doesn't give timeline

Attackers are probably trying to develop exploit code, the CTO of Qualys says

Microsoft said Thursday it plans eventually to patch a vulnerability in Internet Explorer 8 that it's known about for seven months, but it didn't say when.

A security research group within Hewlett-Packard called the Zero Day Initiative (ZDI) released details of the flaw on Wednesday after giving Microsoft months to address it. The group withholds details of vulnerabilities to prevent tipping off hackers but eventually publicizes its findings even if a flaw isn't fixed.

Microsoft said it had not detected attacks that used the vulnerability, which is a "use-after-free" flaw, which involves the handling of CMarkup objects.

The company did not give a reason for the long delay but said in a statement that some patches take longer to engineer and that "we must test every one against a huge number of programs, applications and different configurations."

"We continue working to address this issue and will release a security update when ready in order to help protect customers," it said.

To exploit the flaw, an attacker would have to convince a user to visit a malicious website. If the attack were successful, a hacker would have the same rights as the victim on the computer and could run arbitrary code.

Microsoft's next patch release, known as "Patch Tuesday," is scheduled for June 10. It occasionally issues an emergency patch if a vulnerability is being widely used in attacks.

Wolfgang Kandek, CTO of Qualys, wrote that exploit developers are probably studying ZDI's advisory to try to develop an attack.

"We do not know how quickly an exploit will be released, but the remaining time to Patch Tuesday is not that long," he wrote.

The Belgian researcher who found the flaw, Peter Van Eeckhoutte, wrote on his blog on Thursday that although Microsoft has known of the bug for a long time, "I don't believe this is an indication that Microsoft is ignoring bug reports or doesn't care about security at all, so let's not exaggerate things."

"In fact, Microsoft is doing an excellent job in handling vulnerability reports, issuing patches and crediting researchers," he wrote. "But I would be really worried if the bug was actively being exploited and left unpatched for another 180 days."

In its advisory, ZDI recommended that users set the Internet security zone settings in IE 8 to "high," which blocks ActiveX controls and Active Scripting. Also, using Microsoft's Enhanced Mitigation Experience Toolkit (EMET) would provide more defense, it wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecurityExploits / vulnerabilitiesHewlett-Packard

Featured

Slideshows

Reseller News launches inaugural Hall of Fame lunch

Reseller News launches inaugural Hall of Fame lunch

Reseller News welcomed 2015 and 2016 inductees - Darryl Swann, Dave Rosenberg, Gary Bigwood, Keith Watson, Mike Hill and Scott Green - to the inaugural Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed how the channel can collectively work together to benefit New Zealand, the Kiwi skills shortage and the future of the industry. Photos by Maria Stefina.

Reseller News launches inaugural Hall of Fame lunch
Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Show Comments