Microsoft fails to patch critical flaw in Internet Explorer


A critical flaw in an older version of Microsoft's Internet Explorer has gone unpatched, despite Redmond being warned of it last year.

HP's Zero Day Initiative (ZDI) site outlines how the vulnerability, which could allow attackers to take control of a user's computer, was discovered by a Belgian researcher in October 2013. ZDI has a policy of publicly disclosing any vulnerability that goes unpatched for six months or more.

Internet Explorer 8 still commands a fifth of the desktop browser market despite being five years old.

The flaw is exploited when a user connects to a malicious website or downloads an unknown file, allowing an attacker to execute arbitrary code that gives them control.

The attacker has no way to force the victim to visit the website and so has to lure them there, usually through a link or attachment in an email. Once the browser is fully compromised, the attacker gains the same user rights as the victim.

If the target is an IT administrator it could give the hacker access to any number of sensitive files.

IE 8 is also the most recent browser version available for the now-unsupported Windows XP. As cybercriminals find new ways to attack the long-standing OS, multiple attacks could be launched via this one exploit.

Microsoft did not comment on the disclosure, but recommended that users set their security settings to "high" in order to block unknown scripting on malicious websites. IE customers should also ensure that prompts are enabled, it said, so that potential victims are warned before a script runs in the browser.

ZDI informed Microsoft of its intention to publish the issue at the beginning of the month, but received no reply from the software giant.