A critical security flaw in Microsoft's Internet Explorer 8 has gone unpatched since it was reported to Microsoft in October 2013, according to a new advisory from HP's Zero-Day Initiative (ZDI).
The advisory was published under ZDI's policy of disclosing reported flaws that remain unfixed after 180 days. It says the vulnerability allows an attacker to execute arbitrary code in IE 8 when the user visits a web page crafted to exploit it; the victim has to be lured to the page, but no further interaction is needed.
Microsoft learned of the zero-day (a flaw that is public or in use before a patch exists) in October but has not yet shipped a fix. Whether that is because IE 8 is the last version of the browser that runs on Windows XP, which Microsoft no longer supports, or because the flaw itself is genuinely hard to fix, Microsoft would not say.
The company said it has not seen the flaw exploited in the wild, meaning that although the hole remains open, it has no evidence that anyone is using it to attack users. That is a statement about what has been observed, not a guarantee: now that the existence of the bug is public, attackers have a reason to go looking for it.
"We build and thoroughly test every security fix as quickly as possible. Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations," said a Microsoft spokesperson.
This is not the first zero-day to hit Internet Explorer since Microsoft ended support for Windows XP in April. Shortly after that cutoff, a zero-day that was already being exploited forced the company to leap into action and ship an emergency out-of-band fix five days later.
Beyond moving to a supported operating system and browser, Microsoft's recommended workarounds for IE 8 users are: set the Internet security zone to "High" to block ActiveX controls and Active Scripting; configure Internet Explorer to prompt before running Active Scripting, or disable it entirely, in the Internet and Local intranet zones; or install the Enhanced Mitigation Experience Toolkit (EMET). The first two break a great many legitimate sites, so sites that must keep working should be added to the Trusted sites zone rather than the restriction being loosened for the whole Internet zone. EMET does not remove the flaw; it makes reliable exploitation harder by applying mitigations such as DEP and ASLR enforcement to the browser process.
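As an added example that is not from the article or from Microsoft, the following PowerShell script applies the scripting and ActiveX workarounds through the per-zone registry values that the Internet Options dialog itself writes, then reads them back so a deployment script can verify the change stuck. The zone numbers (1 = Local intranet, 3 = Internet) and the 1200/1400 action values are the documented IE URL-action identifiers; the EMET command line at the end is an assumption about EMET 4.x syntax and should be checked against the installed version.

```powershell
# Added example (not from the article or from Microsoft): apply the two
# registry-backed IE workarounds and read them back. Run as the affected
# user; PowerShell 2.0 or later. Zone/action IDs are documented IE values;
# the EMET invocation at the bottom is an assumption about EMET 4.x syntax.

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# IE security zone numbers: 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites.
$Zone = @{ LocalIntranet = 1; TrustedSites = 2; Internet = 3; RestrictedSites = 4 }

# URL-action value names under each zone key (REG_DWORD):
#   1200 = "Run ActiveX controls and plug-ins"
#   1400 = "Active scripting"
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$Action  = @{ RunActiveX = '1200'; ActiveScripting = '1400' }
$Setting = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Set-IEZoneAction {
    param([int]$ZoneId, [string]$ActionId, [int]$Value)
    $path = Join-Path $ZonesKey $ZoneId
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ActionId -Value $Value -Type DWord
}

function Get-IEZoneAction {
    param([int]$ZoneId, [string]$ActionId)
    $path = Join-Path $ZonesKey $ZoneId
    $props = Get-ItemProperty -Path $path -Name $ActionId -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }   # absent: IE uses the zone template default
    return [int]$props.$ActionId
}

# Workaround A: block ActiveX and Active Scripting in the Internet zone (the
# two behaviours the "High" recommendation is meant to block) and prompt
# before Active Scripting in Local intranet. Expect sites to break; put the
# ones you need in Trusted sites instead of relaxing the Internet zone.
Set-IEZoneAction $Zone.Internet      $Action.RunActiveX      $Setting.Disable
Set-IEZoneAction $Zone.Internet      $Action.ActiveScripting $Setting.Disable
Set-IEZoneAction $Zone.LocalIntranet $Action.ActiveScripting $Setting.Prompt

# Read back and report each value, returning $false if anything differs.
function Test-IEHardening {
    $want = @(
        @{ Zone = $Zone.Internet;      Action = $Action.RunActiveX;      Value = $Setting.Disable },
        @{ Zone = $Zone.Internet;      Action = $Action.ActiveScripting; Value = $Setting.Disable },
        @{ Zone = $Zone.LocalIntranet; Action = $Action.ActiveScripting; Value = $Setting.Prompt }
    )
    $ok = $true
    foreach ($w in $want) {
        $actual = Get-IEZoneAction $w.Zone $w.Action
        $state = if ($actual -eq $w.Value) { 'OK  ' } else { $ok = $false; 'FAIL' }
        Write-Host ("{0} zone {1} action {2}: want {3}, have {4}" -f $state, $w.Zone, $w.Action, $w.Value, $actual)
    }
    return $ok
}

# Caveat: if "Security Zones: Use only machine settings" is in force
# (Security_HKLM_only = 1), IE ignores the HKCU values above and the same
# value names must be written under the HKLM Zones key instead.
foreach ($hklm in @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
                    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings')) {
    $p = Get-ItemProperty -Path $hklm -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    if ($p -ne $null -and $p.Security_HKLM_only -eq 1) {
        Write-Warning "Security_HKLM_only is set under $hklm; per-user zone settings are ignored."
    }
}

if (-not (Test-IEHardening)) { exit 1 }

# Workaround B (assumption about EMET 4.x syntax and install path; verify
# against your version): opt iexplore.exe in to EMET's default mitigations.
#   & "$env:ProgramFiles\EMET 4.1\EMET_Conf.exe" --set "$env:ProgramFiles\Internet Explorer\iexplore.exe"
```

The script deliberately writes the individual 1200/1400 actions rather than the zone's CurrentLevel value: CurrentLevel only records which template the dialog last applied, and writing it alone does not change what IE enforces. A new IE window is needed for the values to take effect.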