IE8 Zero-day Flaw Identified in October 2013 Goes Public Today

A zero-day flaw identified in October 2013 has just been publicly announced. ZDI reportedly disclosed the vulnerability to Microsoft when it was first identified, but due to ZDI's 180 public notification policy, is releasing information about it today.

According to the timeline, Microsoft confirmed reproduction of the flaw in February but failed to do anything about it. ZDI sent a warning to Microsoft several days ago about the pending public disclosure, but apparently the response wasn't in time.

The vulnerability affects Internet Explorer 8 and contains the usual payload. The vulnerability allows local code to be executed by a remote attacker through a bug in CMarkup objects and can be activated through compromise web sites and by clicking on email attachments.

And, as usual, removing admin rights from the logged on user can minimize the impact. Default configurations for Internet Explorer running on Windows Server and client versions should also mitigate the vulnerability through restricted mode.

No security patch is currently available and it's interesting that the vulnerability has not been addressed at all since the flaw was originally reported.

The full disclosure is here: (0Day) Microsoft Internet Explorer CMarkup Use-After-Free Remote Code Execution Vulnerability

UPDATE (May 23, 2014): Microsoft has now promised to fix the vulnerability, but has given no timeline as to when the patch will be available since they have seen no active threats in the wild.