Microsoft issues security advisory on IE8 zero-day exploit

Microsoft has published a security advisory about an exploit for zero-day vulnerability (CVE-2013-1347) in Internet Explorer 8.

The exploit is in active use in the wild and a Metasploit module has been made available for the zero-day vulnerability, according to Wolfgang Kandek, CTO at security firm Qualys.

Download this free guide

3 key web security guidelines from FS-ISAC

We address the ongoing issues regarding web security for businesses relying on an online presence. Download this e-guide and discover how to identify and address overlooked web security vulnerabilities as well as why you should look at the full security development lifecycle to reduce web threats.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

“This will make it easier to convince IT management of the robustness and applicability of the exploit,” he wrote in a blog post.  

FireEye and Invincea have shown in two blog posts that even a fully patched Internet Explorer 8 is vulnerable to attack, making the attack a legitimate zero-day.

Microsoft recommends installing its free enhanced mitigation experience toolkit (Emet) to mitigate the vulnerability, or disabling active scripting.

Emet, first released for public use in September 2010, gives enterprises the means to protect against unknown vulnerabilities and brings newer security protections to older platforms and applications, both Microsoft and non-Microsoft.

Alternatively, Kandek said organisations can upgrade to Internet Explorer 9, which is not affected by the vulnerability.

With Microsoft’s monthly Patch Tuesday security update just a week away, Kandek said it is unlikely that a patch for the vulnerability will be ready on time.