Internet Explorer 8 0-Day Update (CVE-2013-1347)

Published: 2013-05-06
Last Updated: 2013-05-06 14:33:57 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Thanks to our reader Juha-Matti for pointing out that a Metasploit module was released to exploit the recent Internet Explorer 8 vulnerability. The vulnerability has also been assigned CVE-2013-1347.

Please let us know if you are running into exploits for this vulnerability.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

6 comment(s)


5 days now since release of the advisory; no "FixIt", no date for a fix, no nothing from M$, XP users (over 1/3 of all users on the Web) hung out to dry. USE ANOTHER BROWSER all the time...
So this is still a targeted exploit as far as I can see, there are at least 3 other versions of IE available to users that aren't vulnerable, lowering user privileges reduce risk, A/V vendors are detecting (probably web filters too). I think there's enough risk mitigation options on this one...
Fixit now available:
Updated with link to fixit page:
Blog on Technet announcing fixit:
Another reason to deploy EMET.
@mbrownnyc but the latest EMET requires the added risk (security & bad patches) of .NET 4.
Link to fix (KB2847204):

Diary Archives