Microsoft Intentionally Failing to Patch Critical Vulnerability in Explorer IE 8

The Zero Day Initiative (ZDI) has revealed a critical vulnerability in Microsoft Explorer 8 (IE 8) that Microsoft was first alerted to more than 7 months ago, and never bothered to issue a patch for or to fix. Here’s the scoop, and what to do to protect yourself from the CVE-2014-1770 vulnerability.

The CVE-2014-1770 vulnerability was first reported by Belgian-born security researcher Peter Van Eeckhoutte (who goes by the handle ‘corelanc0d3r’) back in the first half of October, 2013, and it was reported to Microsoft shortly thereafter.

As ZDI explains on their page regarding the IE 8 CVE-2014-1770 vulnerability, “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer,” ZDI said on its vulnerability details webpage. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”

According to ZDI, not only was the vulnerability reported to Microsoft back in October, but in early February Microsoft confirmed that they were able to reproduce the exploit.

So in more than 7 months, Microsoft has failed to address the vulnerability, even after confirming it for themselves. ZDI has a policy of revealing security holes that remain unaddressed for more than six months. We can hope that this will force Microsoft to address the issue, as apparently their reason for not addressing the issue and fixing the vulnerability is that nobody has reported anybody exploiting it.

Says Marta Janus, a researcher with Kaspersky Labs, “Not having identified any malware in the wild that exploits this vulnerability is a poor excuse for not patching it. The fact that, as of yet, no attacks have been discovered doesn’t necessarily mean that there haven’t been any at all.”

“In today’s world of surgical, targeted attacks there is no way to keep track of all security breaches occurring around the world, and plenty of incidents remain undetected for a long time. However, even if we assume that such a vulnerability hasn’t yet been exploited, that doesn’t mean that it won’t be in the future,” added Janus.

Microsoft has suggested workarounds says ZDI, although that is no substitute for fixing the issue. Those workarounds include:

– Setting your Internet security zone settings to “High”

– Configuring IE to prompt you before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

– Installing the Enhanced Mitigation Experience Toolkit (EMET), which allows you to “manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software.”

Says Kaspersky’s Janus, “Microsoft’s position on the case of the IE8 vulnerability seems surprisingly irresponsible. Of course, there are some flaws that are far more difficult to patch than others and sometimes it requires time and resources that would be better spent on fixing issues in more current versions of a product. But following the disclosure, IE8 users are actually far more likely to be at risk.”

You can read more about CVE-2014-1770 from Peter Van Eeckhoutte (corelanc0d3r) here.

14
Get notified of new Internet Patrol articles!
Summary
Microsoft Intentionally Failing to Patch Critical Vulnerability in Explorer IE 8
Article Name
Microsoft Intentionally Failing to Patch Critical Vulnerability in Explorer IE 8
Description
A known flaw in IE 8 was never patched by Microsoft, say experts. Here's the scoop, and what to do to protect yourself from the CVE-2014-1770 vulnerability.
Author

Leave a Reply

Your email address will not be published. Required fields are marked *