Microsoft plans to fix a vulnerability in version 8 of its Internet Explorer browser that allows attackers to remotely hijack computers that do nothing more than visit a booby-trapped website.

Details of the critical "use after free" security bug were published Wednesday by Zero Day Initiative (ZDI), the Hewlett-Packard-owned group that sponsors the regularly occurring Pwn2Own hacking contest. The group, which buys vulnerabilities so it can protect customers from attacks that exploit them, has a policy of keeping bug details confidential until a patch is released or until 180 days after purchase, whichever happens first. ZDI notified Microsoft of the bug in October after acquiring it from whitehat researcher Peter "corelanc0d3r" Van Eeckhoutte of Corelan.

In a statement issued to media outlets, Microsoft said some patches take longer to develop than others and that "we must test every one against a huge number of programs, applications and different configurations," according to IDG News. "We continue working to address this issue and will release a security update when ready in order to help protect customers."

There's no indication that the bug is being maliciously exploited in the wild. And while a survey released earlier this month showed that a large percentage of IE users are stuck on version 8, it's likely that a large percentage of them are running Windows XP, which is no longer eligible to receive updates. Microsoft didn't say exactly why it hasn't assigned a higher priority to issuing a patch for the bug, but it wouldn't be surprising if both of these considerations were involved.

Anyone who is still using IE 8 should upgrade as soon as possible to IE 11, which contains enhancements that make it much more resistant to hack attacks. Those who depend on apps that work only with IE 8 should look into Microsoft's Enhanced Mitigation Experience Toolkit, which adds many advanced security features to older software and operating systems.