Confirmed exploits in the wild have been reported for a vulnerability in Internet Explorer 8. There is currently no patch available. The vulnerability can be exploited through a simple drive-by attack, which allows adversaries to install malware on your computer without any user action. This means you could be infected simply by visiting a legitimate website that has been compromised and is hosting the malicious code. The vulnerability has already been leveraged in a targeted attack on the U.S. Department of Labor.
1. We recommend that all users stop using the Internet Explorer 8 web browser immediately.
2. On Thursday, May 9, Microsoft released a workaround that acts as a temporary fix until a patch is released. The fix is available at https://support.microsoft.com/kb/2847140.
If you’re running Windows Vista or newer, simply upgrade Internet Explorer to version 9 or 10 and you’ll be safe from this vulnerability, as it’s only been reported to work on version 8.
If you’re running Windows XP or older, use an alternative web browser such as Firefox, Chrome, or Opera, as newer versions of Internet Explorer are not presently available. You should also consider upgrading to a newer operating system as soon as possible, as Microsoft plans to drop support for Windows XP next April.
We’ll let you know as soon as Microsoft releases a patch for this issue. Here are some relevant links for additional information:
- Microsoft Security Advisory (2847140):
- Krebs on Security “A Stopgap Fix for the IE8 Zero-Day Flaw”: krebsonsecurity.com/tag/cve-2013-1347/
- US-CERT.gov: www.us-cert.gov/ncas/current-activity/2013/05/07/Microsoft-Releases-Security-Advisory-Internet-Explorer
- Internet Storm Center: isc.sans.edu/diary/15734