The Zero Day Initiative (ZDI) program reported a vulnerability affecting Internet Explorer 8 more than 7 months ago and, having received no security fix from Microsoft, has decided to go public with it. The vulnerability therefore dates all the way back to October 2013, and it may prove critical, since it would allow experienced users to install malicious code on workstations in order to take full control of them. It is all the more critical given that IE8 still represents 20% of Internet Explorer usage worldwide, even today. To exploit this flaw, a hacker would need to trick a potential victim into visiting, in IE8, a website that has been specially crafted for this purpose. Conventional methods (phishing e-mails, instant messages containing fraudulent links, etc.) may help a hacker launch the attack.

This vulnerability was discovered in October 2013 by Peter Van Eeckhoutte, a Belgian researcher, as part of the Zero Day Initiative program. Microsoft has responded by stating that the security patch applied at the beginning of the month provides protection from this vulnerability. Nonetheless, nothing has been done for Windows XP, which has not been supported since April this year. Arkoon+Netasq’s ExtendedXP protects Windows XP workstations using Internet Explorer 8 from this critical vulnerability.