Microsoft has yet to patch 7-month old Internet Explorer zero-day vulnerability

[sincity]

Nearly eight months after the security company TippingPoint informed Microsoft of a vulnerability affecting its web browser, Internet Explorer, the company has yet to issue a patch to quash that flaw.

The case was disclosed to Microsoft in October 2013 and has been made public by TippingPoint's Zero Day Initiative website on Wednesday. Only Internet Explorer 8, which was launched back in 2009 and came with Windows 7, is affected.

It is still by far the most popular browser in the world according to web analytics company, NetMarketShare, with nearly a fifth of the global market, which means that widespread attacks could take place.

Time to move to another browser?

To make matters worse, it is the most recent web browser available from Microsoft for Windows XP, which could pave the way for multi-pronged attacks. "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations", says the description on ZDI's website.

It adds "User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file." To Microsoft's credit though, it did come back with ways to reduce the risk of an attack.

Setting Internet security zone settings to high might help, as configuring IE to prompt before running Active Scripting and installing its Enhanced Mitigation Experience Toolkit.

• Arguably, using another web browser will eliminate the risk entirely. So, why not read our "Best browser 2014: which should you be using?" article.