Microsoft has confirmed a bug in Internet Explorer 8, CVE-2013-1347, which exposes user machines to remote code execution.
In an advisory, Microsoft says the vulnerability “exists in the way that Internet Explorer [accesses] an object in memory that has been deleted or has not been properly allocated.”
That, in turn, opens the door to memory corruption and remote code execution in the current user context.
According to this blog post by Eric Roman: “A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the document and used again during rendering, an invalid memory that’s controllable is used, and allows arbitrary code execution under the context of the user.”
That post also notes that an exploit has been seen in the wild. Last week, security companies AlienVault and Invincea reported that a site on a sub-domain of the US Department of Labor was serving malware, and Roman’s blog post states that it was serving up an attack on the CVE-2013-1347 vulnerability.
According to Invincea, the Department of Labor exploit was installing the Poison Ivy backdoor Trojan.
The venerable version might be using a walking frame to get around, but according to W3counter.com it’s still the second-most popular attack vector version of IE in the wild.
Microsoft is considering whether to issue an out-of-cycle patch for the vulnerability.
Cross-posted from TheRegister.co.uk