Yesterday the Zero Day Initiative (ZDI) made good on their stated Vulnerability Disclosure policy and published an advisory for a remote code execution vulnerability in Internet Explorer 8. ZDI had submitted the vulnerability to Microsoft in October 2013 and waited 180 days before going public. In this case 180 days meant April 9, 2014, the day after April Patch Tuesday.
When Microsoft did not address the problem in April or in this month's Patch Tuesday, ZDI published the information on the type of vulnerability in ZDI-14-140.
Why did this happen? After 6 months Microsoft has no doubt developed a patch for the issue. However, it seems its release was delayed by the short-term nature of May's IE patch (MS14-029), which was specifically engineered to address a vulnerability in use in the wild that had been detected by Google's security team. That release took priority over the normal, scheduled release and got Microsoft into this situation with ZDI.
On the other hand, ZDI, a well-known vulnerability broker operated by HP since the acquisition of TippingPoint, has a commitment to its suppliers, the vulnerability researchers (in this case corelanc0d3r – https://twitter.com/corelanc0d3r), who often think that even 180 days is too long an interval to wait for a fix. Google, for example, usually pushes for a 30 or 60 day turnaround on bugs that it detects.
Where does that leave you? Exploit developers are surely looking at the advisory and working on getting their code running. We do not know how quickly an exploit will be released, but the remaining time to Patch Tuesday is not that long. Beyond waiting for the fix, there are a couple of things you can do:
- The vulnerability is limited to Internet Explorer 8, so this will probably diminish your exposure. Upgrading to a newer version of IE addresses the issue.
- Similarly, using a different browser addresses the issue.
- EMET has been effective against all recent 0-day vulnerabilities in Internet Explorer, and according to corelanc0d3r (the discoverer of the vulnerability) it prevents his exploit from running as well. Otherwise, wait for the patch: the next Patch Tuesday is only 18 days away.
Of course, if you still run Windows XP, you will be exposed forever. Switching to a different browser until you can migrate from that OS is probably a good idea.
Stay tuned for updates here – we will have some numbers for you soon.