No Patch for Internet Explorer 8 Bug Yet


While there might not be a patch for this Internet Explorer 8 bug yet (the current version of IE is version 10), we can help you understand what’s happening. Why do you have to worry? In a nutshell, it’s because IE8 is the most popular and most widely installed version of Microsoft’s web browser. Far more computers around the country and the world have this version installed than IE9 or IE10.

Microsoft Has Known About It Since 2013

The worst thing about this particular bug is that Microsoft has known about it for seven months. It was discovered by a Belgian researcher by the name of Peter Van Eeckhoutte. When he found it, he immediately reported it to an international clearinghouse for exploits and bugs known as the Zero Day Initiative (ZDI), run by HP’s TippingPoint.

When someone reports a bug or exploit to ZDI, ZDI immediately reports it to the vendor, or maker, of the software product. ZDI then hushes it up, keeping it quiet for 180 days (three full months) before putting out a press release about the bug so people know to update their software as soon as possible. However, Microsoft hasn’t released a patch for Internet Explorer 8 that addresses or fixes the issue yet. That’s a problem when so many users might be vulnerable to the exploit. ZDI reported this bug back on October 11, 2013.

Microsoft acknowledged the bug report back in February, well after it was reported to them. Normally they are fairly diligent in researching and fixing bugs in their products. However, we’ve had three Patch Tuesdays (the first Tuesday of every month is Patch Tuesday, when Microsoft releases patches and major updates to users worldwide) since they acknowledged that there is a problem with their product.

According to Microsoft, they have not seen this bug actively being exploited. This is probably why they haven’t (and most likely won’t) put together a fix for the bug.

What Systems Might Be Affected by This Bug?

As I mentioned above, Internet Explorer 8 is the most widely used browser in the world, with a 20.85 percent market share globally. That market share jumps to 27 percent if only machines running some version of Windows are counted. That’s a huge number of compromised systems.

IE8 was released back in 2009 and was the first version of the browser to work in Windows XP. However, XP isn’t the only version of Microsoft’s flagship product that will run it. Users of Vista, Windows 7, and Windows Server 2003 and 2008/2008 R2 are all vulnerable.
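To see which machines on a network still browse with IE8, and on which of the Windows versions listed above, you can read the User-Agent strings in web server or proxy logs. The sketch below is an added example, not part of the original post; the function names and the sample log lines are constructed for illustration. It keys on the `Trident/4.0` token, because IE8 in Compatibility View announces itself as `MSIE 7.0` and a check on the `MSIE` token alone would miss it.

```python
import re
from collections import Counter

# The Trident engine version gives the real IE release even when
# Compatibility View makes the browser claim to be "MSIE 7.0".
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
NT_TO_WINDOWS = {
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003 / XP x64",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
}
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")

def ie_version(user_agent):
    """Return the real IE major version, or None if the UA is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[trident.group(1)]
    msie = MSIE_RE.search(user_agent)  # IE7 and older send no Trident token
    return int(msie.group(1)) if msie else None

def ie8_clients(log_lines):
    """Count IE8 requests per (client IP, Windows version)."""
    hits = Counter()
    for line in log_lines:
        # Combined log format: the User-Agent is the last quoted field.
        quoted = re.findall(r'"([^"]*)"', line)
        if not quoted or ie_version(quoted[-1]) != 8:
            continue
        nt = NT_RE.search(quoted[-1])
        windows = NT_TO_WINDOWS.get(nt.group(1), "unknown") if nt else "unknown"
        hits[(line.split()[0], windows)] += 1
    return hits

# Constructed sample lines (combined log format), not real traffic.
PREFIX = ' - - [01/Jan/2014:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [
    '10.0.0.5' + PREFIX + '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '10.0.0.7' + PREFIX + '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.9' + PREFIX + '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '10.0.0.5' + PREFIX + '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '10.0.0.11' + PREFIX + '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/34.0 Safari/537.36"',
]

if __name__ == "__main__":
    for (ip, windows), count in sorted(ie8_clients(SAMPLE_LOG).items()):
        print(f"{ip}  IE8 on {windows}  ({count} requests)")
```

The second sample line is the case that matters: a Windows 7 machine running IE8 in Compatibility View, which still counts as an IE8 client.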

How Does This Bug Work?

This bug opens a hole in IE8 that can only be exploited with a little user intervention. This means you have to go to a site that has some malicious code on it, or you have to open a file with the malicious code in it. Once the malicious code is activated, JavaScript takes over. Yep. That’s right, it’s basically another flaw in Java, but it requires IE8 and only IE8 to work.

After the execution of a particular piece of JavaScript code, a call known as “CollectGarbage” is made. Now an attacker can manipulate certain elements of a document, to cause certain things to happen. Exactly what is done and what happens is the topic for a Java programming class. Let’s just say that it causes certain processes to be initiated, but to not complete fully. This allows them (the bad guy) to run code on your machine and causes your machine to think that those new processes are genuine and part of the current authorized process.

So, Why No Patch for Internet Explorer 8?

Other than the “We don’t see it” reply from Microsoft, there hasn’t been much response from them to queries about this bug. I can’t even get friends that work for the Redmond behemoth to talk to me about it. The way I see it, IE8 is an older product and Microsoft wants everyone to upgrade and start using at least Internet Explorer 9, if not IE10. In fact, in the only other reply to the issue that I’ve seen, Microsoft stated they “encourage customers to upgrade to a modern operating system (such as Win 7 or 8/8.1) and a newer version of Internet Explorer.”

Stepping Back to the “How Does It Work?” Question for a Minute

Going back to the question about how this bug works, or what is involved in getting someone to activate the exploit, it isn’t as tough as it may seem. Those looking to target people are inserting the necessary malicious code in things like image and sound files and then posting them to the web, especially to public contributor sites (yeah, I mean sites like Flickr and others).

What Can You Do to Protect Yourself?

In order to protect yourself from this specific bug/exploit, you have two basic choices. You can either stop using Internet Explorer altogether like me, or you can choose a newer version of it. There are numerous web browsers to choose from. Chrome is an excellent choice, for one. Personally, I use Nightly, the 64-bit version of Firefox developed by the Mozilla group. Apple users will be intimately familiar with Safari, and it’s also available for Windows machines. Another one of my favorites is Opera. Unfortunately, there are still far too many websites out there that are written specifically for IE and Firefox that won’t work properly with anything but one of those two browsers.

If you don’t use Internet Explorer, what browser do you use and why? Leave me a comment below and let me know.

Photo Credit: Ola Stoe