Microsoft plans to fix a vulnerability in version 8 of its Internet Explorer browser that allows attackers to remotely hijack computers that do nothing more than visit a booby-trapped website.
Details of the critical "use after free" security bug were published Wednesday by Zero Day Initiative (ZDI), the Hewlett-Packard owned group that sponsors the regularly occurring Pwn2Own hacking contest. The group, which buys vulnerabilities so it can protect customers from attacks that exploit them, has a policy of keeping bug details confidential until a patch is released or until 180 days after purchase, whichever happens first. ZDI notified Microsoft of the bug in October after acquiring it from whitehat researcher Peter "corelanc0d3r" Van Eeckhoutte of Corelan.
In a statement issued to media outlets, Microsoft said some patches take longer to develop than others and that "we must test every one against a huge number of programs, applications and different configurations," according to IDG News. "We continue working to address this issue and will release a security update when ready in order to help protect customers."