Microsoft is finally getting around to fixing a 7-month-old IE8 security bug

There’s a zero-day security flaw in Internet Explorer that’s been known for at least the last 7 months, yet Microsoft has yet to release a patch. Perhaps it never will – after all, IE8 is the last version of Microsoft’s browser to support Windows XP, which itself is now an unsupported operating system. Alternately, Microsoft might just be having a really tough time with this one – the Redmond outfit doesn’t have a whole lot to say on the matter. According to Zero Day Initiative, the vulnerability allows remote hackers to execute arbitrary code on vulnerable installations. 

Microsoft plans to fix a vulnerability in version 8 of its Internet Explorer browser that allows attackers to remotely hijack computers that do nothing more than visit a booby-trapped website. Details of the critical “use after free” security bug werepublished Wednesday by Zero Day Initiative (ZDI), the Hewlett-Packard owned group that sponsors the regularly occurring Pwn2Own hacking contest. The group, which buys vulnerabilities so it can protect customers from attacks that exploit them, has a policy of keeping bug details confidential until a patch is released or until 180 days after purchase, whichever happens first. ZDI notified Microsoft of the bug in October after acquiring it from whitehat researcher Peter “corelanc0d3r” Van Eeckhoutte of Corelan. In a statement issued to media outlets, Microsoft said some patches take longer to develop than others and that “we must test every one against a huge number of programs, applications and different configurations,”according to IDG News. “We continue working to address this issue and will release a security update when ready in order to help protect customers.”