
Internet Explorer 8 0-Day Update (CVE-2013-1347)

Published: 2013-05-06. Last Updated: 2013-05-06 14:33:57 UTC
by Johannes Ullrich (Version: 1)

Thanks to our reader Juha-Matti for pointing out that a Metasploit module was released to exploit the recent Internet Explorer 8 vulnerability. The vulnerability has also been assigned CVE-2013-1347.

Please let us know if you are running into exploits for this vulnerability.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Comments

5 days now since release of the advisory; no "FixIt", no date for a fix, no nothing from M$, XP users (over 1/3 of all users on the Web) hung out to dry. USE ANOTHER BROWSER all the time...
So this is still a targeted exploit as far as I can see; there are at least 3 other versions of IE available to users that aren't vulnerable, lowering user privileges reduces risk, and A/V vendors are detecting (probably web filters too). I think there's enough risk mitigation options on this one...
Fixit now available: http://support.microsoft.com/kb/2847140
Updated with link to fixit page: http://technet.microsoft.com/en-us/security/advisory/2847140
Blog on Technet announcing fixit: http://blogs.technet.com/b/msrc/archive/2013/05/08/fix-it-for-security-advisory-2847140-is-available.aspx
Another reason to deploy EMET.
@mbrownnyc but the latest EMET requires the added risk (security & bad patches) of .NET 4.
Link to fix (KB2847204): http://www.microsoft.com/en-us/download/details.aspx?id=39031
