Microsoft fails to fix flaw in IE 8, says it's not 'being actively exploited'

Microsoft has passed on fixing a flaw in Internet Explorer 8. The company was informed of the remotely exploitable vulnerability back in October 2013 by Belgian researcher Peter 'corelanc0d3r' Van Eeckhoutte. That is a full seven months since the bug was found in the software. It can be exploited if a user opens a link to a malicious web page or opens an infected email.

The tech giant confirmed the vulnerability back in February, after the bug was disclosed by the Zero-Day Initiative (ZDI), but has failed to include a fix in any of the patches we've seen rolled out since.

Microsoft has informed CNET that it had not seen the bug actively exploited and thus has not released a fix. Simply put, no one has yet used the flaw to attack anyone. The company recently released a patch for IE and updated Windows XP even after announcing the end of support for the dated operating system.

IE 8 users are advised to set the Internet security zone setting to "High" to block ActiveX Controls and Active Scripting. Users can also configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zones, or install the Enhanced Mitigation Experience Toolkit (EMET).
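To check whether a machine actually follows the zone workaround described above, the settings can be read back from the registry. The script below is an added example, not part of the original article or of Microsoft's advisory; the registry paths, action IDs (1400, 1200) and level values are the documented Internet Explorer security zone values, and the script reports each registry location separately without resolving which one takes effect.

```powershell
# Added example: read-only audit of the IE zone settings named in the workaround.
# Zone numbers, action IDs and level values are the documented URL security zone values.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1400' = 'Active Scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$states  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$levels  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
              0x11500 = 'Medium-high'; 0x12000 = 'High' }
$suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Per-user and per-machine settings, then the Group Policy copies of each.
$roots   = @("HKCU:\Software\$suffix", "HKLM:\Software\$suffix",
             "HKCU:\Software\Policies\$suffix", "HKLM:\Software\Policies\$suffix")

function Get-Label($map, $value) {
    # Translate a raw DWORD into a readable name, keeping unknown values visible.
    if ($null -eq $value) { return 'not set here' }
    if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
    return ('custom (0x{0:X})' -f $value)
}

function Get-IEZoneAudit {
    foreach ($root in $roots) {
        foreach ($z in ($zones.Keys | Sort-Object)) {
            $key = "$root\$z"
            if (-not (Test-Path $key)) { continue }   # location not configured
            $p = Get-ItemProperty -Path $key
            foreach ($id in ($actions.Keys | Sort-Object)) {
                $v = $p.$id
                # Advice on the page: block ActiveX; prompt for or disable Active Scripting.
                $ok = if ($id -eq '1400') { @(1, 3) -contains $v } else { $v -eq 3 }
                New-Object PSObject -Property @{
                    Key           = $key
                    Zone          = $zones[$z]
                    Level         = (Get-Label $levels $p.CurrentLevel)
                    Setting       = $actions[$id]
                    State         = (Get-Label $states $v)
                    FollowsAdvice = $ok
                }
            }
        }
    }
}

Get-IEZoneAudit | Sort-Object Zone, Setting |
    Format-Table Zone, Level, Setting, State, FollowsAdvice, Key -AutoSize
```

A row with `FollowsAdvice` set to `False` in the Internet or Local intranet zone means that location still allows the behaviour the workaround is meant to block.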

All that said, you could simply upgrade to Windows 8 and enjoy Internet Explorer 11.

Source: CNET, via: ZDNet


Reader comments


More like Slowfox, IE11 and Chrome are simply the fastest browsers.

Firefox has been shit for quite a while already

When's the last time you used Firefox? IE11 in my day to day use hasn't been even remotely as fast as either Firefox or Chrome, not to mention that IE horribly mangles rendering of some pages. Firefox is also undoubtedly still far more extensible than either of its two main competitors. Until either of those browsers has addons as useful as Ghostery and a few others, I'll stick with my "slow" Firefox.

I am a web developer and I primarily focus on IE browsers because my company develops for enterprise business; which means developing mostly for IE. So, I pretty much use IE11 at work. I don't know what you mean by "horribly mangle". IE11 is more standards compliant than IE has ever been. I've yet to see it mangle a page. Every browser has its issues.

I work in post production and for me speed is something I look for continuously.
And the last time I used Firefox was NOW!...

I can tell without any doubt that Firefox is terribly slow...most of the time.
To be honest, with the 29th (29!!!!) version I can see a little improvement, but it doesn't come even close to IE (and it resembles Chrome UI, that it's even worse).

That said, I'm still using FF 40% and IE 60% just because IE has its flaws and annoying limitations where FF comes in to help.

Example :
- (for computer artist needs) when searching for images to use or modify, in Firefox you can drag the image from the browser into Photoshop, or whatever.
IE wants to save it first.
(not even Chrome works, but actually I use it only to play TetrisFriends that I love and it looks like it's the fastest of the three for this game. The slowest is FF).

- Daily use. Shortcuts and fast interaction is what I look for. Also saving one click is really welcome.
Middle Mouse Button works perfectly in FF to open a link in a new tab, and so also with the Back, Forward, and Home buttons.
IE is limited. It doesn't work on the UI buttons. Actually Home button works if pressing CTRL + LeftMouseButton to open it in a new tab. Not for Back and Forward button.

- Favorites and Folders. I use them a lot.
FF is perfect with dragging and moving links or folders from folder to folder, without the need to go in favorites manager.
IE works at 80% and with really annoying bugs.

- Addons. There are some addons that you just cannot live without.
Like the situation for WP with the lack of Apps comparing to other OS, FF has a wide range of addons where IE just lacks. And unfortunately, many of the useful ones.

Those limitations are the only reasons I continue to switch from time to time to FF, and when I need performance and speed IE is the chosen one.

I really hope IE to get a boost in those areas.

In reading your very long opinion I keep finding myself saying, "such as...".
Btw I have no issues dragging and dropping or copying a picture from IE into most programs, that is if the program supports it.
Over all though, obviously people like different browsers to go to the exact same places and do the exact same things.

I'd Like to know how do you drag a picture, from IE into the workspace of Photoshop.... I NEVER NEVER NEVER succeed...( I just tried, to make sure...)

EDIT: I usually don't do it with 3D software, but I put it into XSI (3D Software I use) and while a lot can be imported with Drag'n Drop, still, from IE it doesn't work; I can with FF, though.

To be clear, I prefer IE to FF, but something really can't work.

Edit 2 : It doesn't work from IE to Word Document (and they are both Microsoft)
I can with FF. So, it seems it's not just the hosting software...

Hello fellow Softie.  RIP SI :(


For IE -> PS, try Right clicking image, Copy image, and then paste into PS.

As for Softimage, I guess you could use NetView! :)

Hey, SoftFriend! I see you often on SI-Community. SI is dead only for AD. Comparing to SI all the others look dead. SI will stay for long (Vray just updated to 1.7! Good they still support).

For Right click I know perfectly (I'm about 18 years on computer graphic), but  90% of the times I can avoid it.

Anyway, yes NetView is great, unfortunately is only for Softimage. Referring to many softwares missing an internal browser, IE just doesn't permit instant drag'n drop from the Browser Window inside a software.
Many just don't bother, because they don't use it, but for a designer using multiple images I find it annoying.
It's just me, probably, too much cuddled by Softimage workflow..lol.

Just an FYI...


For organizing IE favorites, just go to your favorites folder (usually C:\Users\%username%\Favorites) in Windows File Explorer and organize from there. It's much faster if you are doing a lot of housekeeping. They are just a bunch of files/shortcuts after all.

Thank you for your response. I know perfectly, actually. In fact I'm referring to fast interaction.
When you try to move a link already in a folder into another subfolder, you discover a bug that doesn't let you do anything else. If you want to instantly drag another file into the subfolder, you need to close the main folder, re-open it, and do the action.

Or just going in "organize Favourites" and it surely works.

You talk about all of these absolutely necessary add-ons Firefox has that IE doesn't. How about naming some?

Sorry for the late response.
Yeah, you're right. Actually I should point out that I'm not talking about simple browsing tasks or the average user, where indeed IE is on top, but more about working, where for playing with videos, downloading references from practically every site, managing them, pop-up blocking, or FTP usage, Firefox works better.

- Fire FTP Firefox. It's too handy. All my colleagues say the same. Of course there is third-party software to do the same task, but a simple addon you have in a browser to do FTP work is good. And it works really well. I didn't find an alternative on IE.

- Download Helper. It just downloads virtually any video (I could say 85%?..mm). Youtube or other sites, with just a click. And again, I know there are others for the same task, but, well, that's my preferred.

- Ad-Block. Ok, it's on IE, too, but it doesn't work as well as on FF (and, well, it's a developer problem, this one, I know, but again...).

These are just the 3 preferred. But on FF there are tons one would find really useful once they become part of one's own daily work.
But if IE had the possibility to drag and drop an image from the page into an editing software, I could lower my usage of FF at 15%.
But, obviously, that's just me.


Sadly, it doesn't force any upgrades. People will continue on stubbornly using old browsers - especially when you have corporate software that requires it. Our install of Lawson where I work won't even let you log in if you have anything newer than IE9.

If a browser can do what you need it to do, why do you have to upgrade it? If it suits a purpose and means a company doesn't have to spend even more funds to develop new systems that accommodate for something that was perfectly fine prior.

I've got nothing against releasing new systems, but don't penalise those who don't need to upgrade to it.

It's amusing to read some of the "good, people need to upgrade" comments. A lot of enterprise users are still on IE8; I can't believe MS wouldn't just release a fix for this.

Yeah, like they never fixed the windows can't check for updates problem in Vista. I haven't found a fix for that yet, unless I'm just missing it.

I have had the same issue, if it is error 80070426, there are fixes for it if you search for the error codes. In my case it was due to a corrupt global catalog file, so not really something they can just fix.

Honestly businesses that put themselves at risk by not developing newer, compatible software and even worse still allowing these aged computers off the corporate network onto the Internet have nobody but themselves to blame for being exploited by hackers. There isn't a good reason, business or otherwise. If they need IE8, they shouldn't be allowed off the intranet.

Well said. Companies which don't have a long-term IT strategy team / plan are ill-led. Like my company, just recently starting to migrate away from XP to 7, and paying MS millions for XP support extension. Simply ridiculous.

When I started working at my job they were using XP, I didn't stop making a fuss until they moved to Windows 7 and STILL got to keep working there... Sometimes, the squeaky wheel... Lol =P

It's not always the businesses that are holding back. We were unable to move entire departments because several very well known corporate software packages did not support newer browsers until recently. After upgrades, Lawson only supports IE9 and prior where I work. That one vendor alone means we are unable to update to Windows 8 because Windows 8 shipped with IE10.

Exactly This!  For General Motors dealers, the GM web portal only "officially" supports IE9, and, get this, most of the service shop tech apps are tied to Java 6.  Usually, things work OK with IE10/Java 7, but if you ever need support, they won't talk to you unless you "verify" you're using IE9/Java 6.

How far back, 2012, because that's the last time Vista checked for updates on my machine. Luckily my laptop hasn't fallen to that fate.

I do some hacking (with permission) in my spare time but only as a way to reveal vulnerabilities. I know that hackers are looking for articles like this to find un-patched vulnerabilities so they can write an exploit for it. Any company that discovers a vulnerability in their software should patch it immediately or they're just drawing attention to the bug. What I don’t understand is why Microsoft is directly ignoring the issue instead of dealing with it. I mean really, does it hurt that much to fix a bug?

It costs money. I'm amazed they supported IE8 as long as they did. If people insist on running old browsers, they must accept the risks associated with that.

Free PR. Never mind that these things tend to cause millions of dollars worth of damage because of all the time wasted by IT staff and computer users everywhere who have to deal with the aftermath of exploits. And there will be exploits. Hell hath no fury like a "security researcher" scorned. Then MS can patch it and say "hey aren't we great for patching such an old and crappy product of ours!" And they will receive the highest praise here on WPCentral.

If you're still using IE8 you should consider upgrading to an OS with a newer version of IE or at least switching to a different browser...

"That all said, you could simply upgrade to Windows 8 and enjoy Internet Explorer 11."

Or you could just tell Microsoft where to shove IE and use Firefox or other browser.

This waiting for shit to be exploited before fixing it is ridiculous.


I'm looking at Twitter right now and it looks fine in IE11. Maybe it's my eyes, but it looks like everything else on my system.

Check that link. I know that's IE10 but that's how it looks in 11 for me. Been around for awhile if you check around the net. It's only in these pages that you get any love for IE. You look outside and you forget how people loathe it.

Contrary to what you think, other browsers have exploits and vulnerabilities also, and they HAVE been compromised. IE just sticks out because they have more legacy browsers out and well, it's Microsoft, so the media is quick to make it a big deal.

Because some Fortune 200 companies such as mine still need IE 8 to run old legacy web-based apps which are required by the State and Federal governments.

Yeah, it's insanity. I think MS lets stories like this out to light a fire under vendors to update their junk and IT departments to update to what has been made available.

I would love to see how this article would have gone if it was Google not supporting an early version of Chrome. I believe pitchforks and calling for blood would be in order.

IE8 is still in heavy use in a lot of enterprise environments, where internal tools haven't been updated to work properly on anything else.

Actually, using Windows XP is still the most viable way for me to keep on using Windows without even having Internet Explorer on my computer. See, if I totally remove IE from Windows 7 or 8, I lose most all the functionality of those operating systems. With XP, I can completely remove IE and still keep most of the functionality of the OS. Just when will Microsoft get it through their big thick heads that including & deeply embedding Internet Explorer into their OSes is & will keep on being the main source of all the problems that their OSes encounter? Just by the fact that you can remove 99.999% of the security flaws that Windows encounters by simply removing IE should tell Microsoft or anyone else, for that matter, that IE must get trashed. Ceterum censeo IE delendam esse!!!