Microsoft Security

New IE 8 Zero Day Discovered

Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."

  • by Jumunquo ( 2988827 ) on Wednesday May 21, 2014 @07:57PM (#47061857)

    From ZDI advisory:
    Vendor Contact Timeline:
    10/11/2013 - Case disclosed to vendor
    02/10/2014 - Vendor confirmed reproduction
    04/09/2014 - Original predicted disclosure (180 days)
    05/08/2014 - ZDI notified the vendor of the intent to publicly disclose
    05/21/2014 - ZDI publicly disclosed

    Took them 3 months to reproduce and then, even after confirmation, they just ignored ZDI!

  • by harperska ( 1376103 ) on Wednesday May 21, 2014 @09:29PM (#47062403)

    Not exactly fair to call out how an attack on Americans, done on American soil, which has become culturally and politically significant to Americans is generally referred to by the American format, as an argument that the American format has universal appeal.

  • by compro01 ( 777531 ) on Wednesday May 21, 2014 @11:44PM (#47062931)

    I'd be OK with the un-american format if the year came first - because you could do a standard dictionary sort to get the right order (assuming padding with leading zeros):

    That's what ISO 8601 specifies. YYYY-MM-DD.

  • Re:IE EIGHT? (Score:4, Informative)

    by xlsior ( 524145 ) on Thursday May 22, 2014 @01:48AM (#47063353) Homepage
    So use Firefox or Chrome. No big deal.

    Even if you never consciously launch IE, it doesn't mean you're safe: the IE rendering engine is used behind the scenes by a ton of other Microsoft and 3rd party applications as well, each of which is a possible attack vector as long as the IE vulnerability exists on the system.
