A critical security flaw in Microsoft’s Internet Explorer 8 has gone unfixed since October 2013, according to a new report from the Zero-Day Initiative. The report, which was issued under ZDI’s policy of revealing zero-day flaws that go unfixed for more than 180 days, says that the vulnerability allows an attacker to run malicious code in IE 8 when you visit a website designed to infect your computer. Microsoft learned of the zero-day — the term given to a previously unknown, unpatched flaw — in October but has been unable to fix it. Whether that’s because IE 8 is the last version of the browser that runs on Windows XP, which Microsoft officially no longer supports, or because the flaw itself is hard to fix, Microsoft would not say. The company said that it has not seen an active exploit of the zero-day flaw, meaning that although the hole remains wide open, nobody has been using it to attack people.