Microsoft issues security advisory on IE8 zero-day exploit
Microsoft has published a security advisory about an exploit for a zero-day vulnerability in Internet Explorer 8
Microsoft has published a security advisory about an exploit for a zero-day vulnerability (CVE-2013-1347) in Internet Explorer 8.
The exploit is in active use in the wild and a Metasploit module has been made available for the zero-day vulnerability, according to Wolfgang Kandek, CTO at security firm Qualys.
“This will make it easier to convince IT management of the robustness and applicability of the exploit,” he wrote in a blog post.
FireEye and Invincea have shown in two blog posts that even a fully patched Internet Explorer 8 is vulnerable to attack, making the attack a legitimate zero-day.
Microsoft recommends installing its free Enhanced Mitigation Experience Toolkit (Emet) to mitigate the vulnerability, or disabling Active Scripting.
Emet, first released for public use in September 2010, gives enterprises the means to protect against unknown vulnerabilities and brings newer security protections to older platforms and applications, both Microsoft and non-Microsoft.
Alternatively, Kandek said organisations can upgrade to Internet Explorer 9, which is not affected by the vulnerability.
With Microsoft’s monthly Patch Tuesday security update just a week away, Kandek said it is unlikely that a patch for the vulnerability will be ready on time.