Microsoft hasn't fixed a critical IE8 security flaw that was reported to the company back in October 2013, according to an advisory published yesterday by HP's Zero Day Initiative (ZDI). The bug was discovered by Belgian researcher Peter Van Eeckhoutte.
According to the report, the bug allows an attacker to execute malicious code on computers running IE8 when users visit a website designed to exploit it. An attacker could lure the victim there by sending an email or instant message containing a link that, if clicked, would lead to the attack.
"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user", the report said.
ZDI is a program that rewards computer security researchers for identifying software bugs. Information on a security flaw is kept private for six months to give the software vendor time to patch it. ZDI said it had told the software giant on May 8 that it intended to publish details of the flaw.
Although the reason behind Microsoft's decision to leave the flaw unpatched remains unclear, the Redmond-based company said it has yet to see an active exploit of the zero-day flaw.
Microsoft recommended that people using the affected browser set Internet security zone settings to "high" to block ActiveX Controls and Active Scripting, and install its Enhanced Mitigation Experience Toolkit (EMET).
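The "High" setting for the Internet zone can be applied and verified without clicking through the Internet Options dialog. The following PowerShell script is an added example written for this page; it is not code from the article, from ZDI or from Microsoft. It assumes the registry layout Internet Explorer uses for security zones (Zone 3 is the Internet zone, CurrentLevel 0x12000 is the High template, action 1200 is "Run ActiveX controls and plug-ins", action 1400 is "Active scripting", and action values 0, 1 and 3 mean Enable, Prompt and Disable). Because setting CurrentLevel alone does not rewrite the individual action values, the script sets the two actions explicitly as well, and returns the previous values so the change can be undone.

```powershell
# Added example (not from the article, ZDI or Microsoft): apply and check the
# "Internet zone = High" workaround for the current user via the registry.
# Assumptions: Zone 3 = Internet, CurrentLevel 0x12000 = High template,
# action 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting",
# action values 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$High    = 0x12000
$Disable = 3
$Actions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}

function Set-InternetZoneHigh {
    # Capture the current values first so the change can be reversed later.
    $before = Get-ItemProperty -Path $ZoneKey
    Set-ItemProperty -Path $ZoneKey -Name 'CurrentLevel' -Value $High -Type DWord
    foreach ($id in $Actions.Keys) {
        # Disable each action explicitly; the template value by itself does not do this.
        Set-ItemProperty -Path $ZoneKey -Name $id -Value $Disable -Type DWord
    }
    return $before
}

function Test-InternetZoneHigh {
    # Returns $true only when the level and both actions are locked down.
    $p  = Get-ItemProperty -Path $ZoneKey
    $ok = ($p.CurrentLevel -eq $High)
    foreach ($id in $Actions.Keys) {
        if ($p.$id -ne $Disable) {
            Write-Warning ("Action {0} ({1}) is {2}, expected {3} (Disable)" -f `
                $id, $Actions[$id], $p.$id, $Disable)
            $ok = $false
        }
    }
    return $ok
}

$saved = Set-InternetZoneHigh
if (Test-InternetZoneHigh) {
    'Internet zone set to High; restart Internet Explorer for the change to take effect.'
} else {
    'Internet zone is NOT fully locked down; check for a machine-wide policy overriding the per-user values.'
}
```

Two caveats a practitioner should keep in mind: per-user values under HKCU are overridden when zone settings are enforced machine-wide by policy (the HKLM copy of the same key), so on managed systems the check may fail even after the script runs; and disabling Active Scripting breaks most ordinary websites, which is why Microsoft's workaround guidance of this kind is normally paired with adding sites the user needs to the Trusted sites zone rather than leaving them in the Internet zone.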
The disclosure comes on the heels of a separate, major zero-day exploit that affected IE 6 through 11. That bug forced Microsoft to release an emergency patch within days.