Internet Explorer Gets Critical Update After 7 Long Months

Microsoft has announced its plans to release an update for Internet Explorer 8 that’s been over half a year in the making.

Published on Thursday by the Zero Day Initiative, the hosts of the annual Pwn2Own contest claim that though Microsoft has known about the exploit for months, the complexity of this issue in particular has prevented them from shipping out any information on it until today.

According to the company, the reason they waited so long to finally release it is that although most holes are easily patched through hotfixes which can easily be distributed and updated to the millions of users of IE at once, others are more nuanced, requiring significantly more time to deploy than the rest based on the resources they can dedicate to any one problem at a time.

They clarified this sentiment further in a statement to InfoWorld yesterday:

“We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations. We continue working to address this issue and will release a security update when ready in order to help protect customers. We encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections.”

Another possible complication is that unlike other iterations of the web browser, Internet Explorer 8 is far and away the most popular version, sucking up almost 21 percent of the total market in comparison to other, safer solutions like Google’s Chrome or Mozilla’s Firefox.

Microsoft first confirmed the existence of the flaw in February, and despite the fact that three patch Tuesdays have passed since that initial announcement, it seems the company wasn’t exactly in a rush to get this particular problem sealed up before they handled the dozens of other Internet Explorer cracks that fall onto their plates every other hour it seems like these days.

According to ZDI’s technical description, the bug exists within the handling of JavaScript in “CMarkup objects”.

“The allocation initially happens within CMarkup::CreateInitialMarkup. The [use after] free happens after the execution of certain JavaScript code followed by a CollectGarbage call. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

Microsoft claims they have yet to see anyone using this exploit in the wild, however it’s usually the smarter bet to take the statement of the company that’s under fire with the smallest grain of salt you can find in the shaker.

With all the news of breaches and hotfixes as of late, it’s probably a good idea to just leave IE behind for a while, at least until the security team can catch up with the dozens of holes that seem to be popping up more and more often as we get further away from the launch of Internet Explorer 10.