There is a new zero-day vulnerability for Microsoft’s Internet Explorer Web browser that could potentially be leaving millions of users at risk. Unlike most zero-days, which are typically disclosed by researchers who have discovered an attack in progress, this IE zero-day is being disclosed by Hewlett-Packard. Going a step further, unlike many zero-day vulnerabilities, the new IE flaw was actually first reported to Microsoft more than 180 days ago and still hasn’t been fixed.
The vulnerability is technically known as CVE-2014-1770, and HP first privately disclosed it to Microsoft on Nov. 11, 2013.
“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer,” HP warned in its advisory. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”
Brian Gorenc, manager of the Zero Day Initiative (ZDI) at HP Security Research, told eWEEK that the vulnerability can be triggered on Internet Explorer 8 on Windows XP and Windows 7.
As to why HP chose to publicly disclose the issue now, it all has to do with a disclosure policy that ZDI has in place.
“This is the first IE vulnerability released as a zero-day advisory due to violation of HP ZDI’s disclosure policy,” Gorenc said.
HP ZDI’s disclosure policy originally set out a 180-day window from the time a vulnerability is privately disclosed for an affected vendor to patch the issue. After the 180-day period is up, HP’s policy warns vendors that it will publicly disclose the vulnerability. As of March 1, HP has shortened the disclosure window to 120 days in which a vendor needs to respond and patch a vulnerability.
For its part, Microsoft is not denying that the CVE-2014-1770 issue exists, although it is downplaying the risk.
“We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers,” Microsoft noted in a statement sent to eWEEK. “We continue working to address this issue and will release a security update when ready in order to help protect customers.”
Microsoft suggests that IE users upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer, which includes further protections.
HP also is not seeing active exploits against the CVE-2014-1770 vulnerability, but that doesn’t mean that there isn’t a risk.
“At the time of the advisory’s release, ZDI doesn’t believe that this vulnerability is actively being exploited, but a proof of concept to trigger the issue does exist,” Gorenc said. “That said, the vulnerability has existed in Internet Explorer for some time, and there is no proof that it has not been exploited in the past.”
The CVE-2014-1770 is not the first IE zero-day to impact Windows XP users in 2014. On May 1, Microsoft released an emergency update to fix the CVE-2014-1776 vulnerability that also impacted Microsoft’s Windows XP users.
The CVE-2014-1770 vulnerability isn’t the only issue that HP has in its inventory of security issues for public disclosure either. HP currently has a list of 199 advisories that are all pending public disclosure.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.