Microsoft has yet to patch 7-month old Internet Explorer zero-day vulnerability

Internet Explorer
Internet Explorer gets another vulnerability

Nearly eight months after the security company TippingPoint informed Microsoft of a vulnerability affecting its web browser, Internet Explorer, the company has yet to issue a patch to quash that flaw.

The case was disclosed to Microsoft in October 2013 and has been made public by TippingPoint's Zero Day Initiative website on Wednesday. Only Internet Explorer 8, which was launched back in 2009 and came with Windows 7, is affected.

It is still by far the most popular browser in the world according to web analytics company, NetMarketShare, with nearly a fifth of the global market, which means that widespread attacks could take place.

Time to move to another browser?

To make matters worse, it is the most recent web browser available from Microsoft for Windows XP, which could pave the way for multi-pronged attacks. "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations", says the description on ZDI's website.

It adds "User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file." To Microsoft's credit though, it did come back with ways to reduce the risk of an attack.

Setting Internet security zone settings to high might help, as configuring IE to prompt before running Active Scripting and installing its Enhanced Mitigation Experience Toolkit.

Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.