Microsoft issues security advisory on IE8 zero-day exploit

Microsoft has published a security advisory about an exploit for zero-day vulnerability (CVE-2013-1347) in Internet Explorer 8.

The exploit is in active use in the wild and a Metasploit module has been made available for the zero-day vulnerability, according to Wolfgang Kandek, CTO at security firm Qualys.

“This will make it easier to convince IT management of the robustness and applicability of the exploit,” he wrote in a blog post.  

FireEye and Invincea have shown in two blog posts that even a fully patched Internet Explorer 8 is vulnerable to attack, making the attack a legitimate zero-day.

Microsoft recommends installing its free enhanced mitigation experience toolkit (Emet) to mitigate the vulnerability, or disabling active scripting.

Emet, first released for public use in September 2010, gives enterprises the means to protect against unknown vulnerabilities and brings newer security protections to older platforms and applications, both Microsoft and non-Microsoft.

Alternatively, Kandek said organisations can upgrade to Internet Explorer 9, which is not affected by the vulnerability.

With Microsoft’s monthly Patch Tuesday security update just a week away, Kandek said it is unlikely that a patch for the vulnerability will be ready on time.