An unpatched zero-day use-after-free remote code execution vulnerability affecting Internet Explorer 8 (IE8) was publicly disclosed on Wednesday US time by the Zero Day Initiative (ZDI) because it has been more than six months since the flaw was initially reported and Microsoft has yet to issue a fix.
The vulnerability can be exploited if a target visits a malicious website or opens a malicious file, which enables an attacker to execute arbitrary code in IE8 and gain current user rights on the system, according to a Wednesday post on the ZDI website, which is more of an advisory than a step-by-step guide.
The vulnerability lies within the handling of CMarkup objects in IE8, according to the post, which explains that it is ZDI policy to disclose a vulnerability once the vendor has issued a patch, or 180 days after the bug is reported to the vendor.
This IE8 zero-day vulnerability was discovered by Belgian researcher Peter Van Eeckhoutte and was initially reported to Microsoft on Oct. 11, 2013, according to the post, which adds that Microsoft confirmed reproduction of the exploit on Feb. 10.
The advisory does not make it easy to reproduce the exploit, Van Eeckhoutte, founder of the Corelan Security Team, wrote in a Thursday post on the Corelan website – but the Belgian researcher added that the threat is still fairly significant.
In a Friday email correspondence with SCMagazine.com, Pedro Bustamante, director of special projects with Malwarebytes, agreed with Van Eeckhoutte.
“It could be possible that other researchers or even criminals have also found the same vulnerability and are using it in targeted attacks,” Bustamante said. “There is no way of knowing this other than Microsoft's confirmation that it is not seeing any attacks on their customers for now.”
But a lot of customers could be at risk – potentially in the hundreds of millions, Bustamante said, explaining that the market share for IE8 is between 20 percent and 24 percent, or one-fifth to a quarter of the entire population of Internet users who browse from PCs.
According to the ZDI post, some of Microsoft's suggested “workarounds” include setting security zone settings to High to block ActiveX Controls and Active Scripting, configuring IE to prompt before running Active Scripting, and installing the Enhanced Mitigation Experience Toolkit (EMET), which mitigates the flaw.