An HP bug bounty program yesterday published information about a critical vulnerability in Internet Explorer 8 (IE8) because Microsoft did not meet its patch-or-we-go-public deadline.
HP TippingPoint's Zero Day Initiative (ZDI) revealed some details about the vulnerability Wednesday in an online advisory after its 180-day grace period had expired without Microsoft providing a patch to customers.
The bug, which was reported to ZDI by Belgium security researcher Peter Van Eeckhoutte, was handed to Microsoft on Oct. 11, 2013. At the time, ZDI had a 180-day patch policy: If the vendor did not patch the vulnerability in that time, or failed to explain why it could not, ZDI would go public with the flaw.
Since then ZDI has shortened the window to 120 days for all submissions after March 1, 2014.
The flaw has not been seen exploited in the wild, according to Microsoft, which confirmed the vulnerability.
"We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers," said a company spokeswoman in an email today.
Van Eeckhoutte echoed some of that in a blog post of his own today. "What was published [by ZDI] is an advisory not an exploit [emphasis in original]," he said, adding that "IE8 is affected and arbitrary code execution is definitely possible."
The latter means that if hackers could pinpoint the vulnerability given the sketchy details disclosed by ZDI, write a workable exploit and then dupe IE8 users into visiting a malicious or compromises website, the cyber criminals could hijack the PC and plant malware on it, pilfer its secrets and use it as a bot for further mischief.
ZDI has more than 100 unpatched vulnerabilities in its queue of reported-but-not-patched bugs, including 25 whose 180-day deadline has come and gone. So why announce the IE8 vulnerability?
ZDI's manager, Brian Gorenc, did not directly answer that question today. "In certain cases, ZDI may decide to delay posting details on a vulnerability if it's in the best interest of the public and the vendor is actively working to push out a patch near the end of the disclosure timeline," Gorenc said in an email.
He also denied that ZDI was in some way picking on Microsoft. "We treat all vendors equally when it comes to granting extensions and releasing zero-day advisories," Gorenc wrote.
But by revealing that IE8 has an unpatched vulnerability, one seven months old to boot, ZDI at the least caused Microsoft some embarrassment.
That's warranted, ZDI believes, or it would not have its 180-day -- and now a 120-day -- deadline for patching. The whole idea of a deadline is to pressure vendors into patching as quickly as possible.
Which is not only a good thing, said Van Eeckhoutte, but the way things should work. "I am worried, too, about a 180-day delay to get a bug fixed," he said. "But I would be really worried if the bug was actively being exploited and left unpatched for another 180 days."
Internet Explorer 8 remains the most-used Microsoft browser, although the newer IE11 is quickly gaining ground. (Data: Net Applications.)
Microsoft gave no hint today about when it would patch the IE8 bug -- which ZDI said it had confirmed was exploitable on Windows XP and Windows 7 -- or what had kept it from fixing the flaw.
"We build and thoroughly test every security fix as quickly as possible," Microsoft said. "Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations."
Even when Microsoft patches IE8, it will not issue a fix for the browser on Windows XP, as the 13-year-old OS has exhausted its support. Microsoft retired XP on April 8, but made an exception May 1 when it released a patch for IE on XP. There seems little chance it will make more exceptions.
In lieu of a patch, Windows users, including those running XP, can take several defensive steps, including restricting IE's Active Scripting and installing Microsoft's EMET (Enhanced Mitigation Experience Toolkit) utility. Microsoft provided those recommended steps to ZDI, which included them in its advisory.
Although EMET was originally designed for enterprises and advanced Windows users, Microsoft has been urging other customers to install the toolkit as an important anti-exploit defense.
"EMET will prevent the [proof-of-concept] exploit from achieving arbitrary code execution," said Van Eeckhoutte. "In fact, it should be clear by now that installing EMET has become an important layer of defense on your Windows endpoints. This case simply re-enforces this. EMET won't stop every single exploit, but it does increase the cost (for an attacker) to pwn a box. If you're serious about security, install it."
EMET works on Windows XP, and can be downloaded from Microsoft's website.
IE8 remains the most popular version of Internet Explorer, even though it has been superseded by three newer editions. According to Web metrics company Net Applications, IE8 accounted for 36% of all versions of Microsoft's browser in use last month. The newest, IE11, came in second with a 28.7% share.
Microsoft's next regularly-scheduled security updates will be released on June 10.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.