CVE-2013-1347
Published 2013-05-05
Priority: P1 · 86 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 77.89% (99.5th percentile)
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs
- snort: SIDs 26569-26572
- snort: SIDs 26569 through 26572, 26603 and 26668
- JavaScript IDS evasion in the LightsOut kit encodes strings by interleaving digits that must be removed; e.g. removing all digits from '836f4974362o65679305r82637150N61617044a77736359m99323481e9388' yields 'forName'.
- The DoL watering-hole attack injected a redirect from the compromised website to an attacker-controlled host rather than hosting exploit files directly; look for injected iframe/redirect code pointing to external hosts on otherwise legitimate sites.
- The Elderwood-linked CFR compromise used specific filenames (news.html, robots.txt, today.swf, xsainfo.jpg, config.html) on the compromised server; presence of these files on a non-Elderwood site is a strong indicator of compromise.
- The first stage dropper (ntsys391.exe) copies itself to a path containing a trailing space in the directory name ('Broker services\WbemMonitor .exe'): the space before .exe is anomalous and useful for host-based detection.
- The LightsOut exploit kit dynamically builds payloads per request (e.g. the r7 JAR may be rebuilt per request by PHP), so hashes of kit-generated files may not be stable across campaigns.
- At the time of the Talos report, CVE-2013-1347 was not yet being exploited in monitored exploit kits (only Metasploit had a public module), so kit-based IOCs may not have been fully representative of all in-the-wild activity.
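Two of the indicators above written as checks, as an added example that is not code from the cited reports: flagging digit-interleaved JavaScript string literals and flagging paths with whitespace at the end of a directory name or file stem. The thresholds, the watchlist entries other than `forName`, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# "forName" is the decoded string quoted above; the other entries are
# assumed additions for illustration.
WATCHLIST = {"forName", "getMethod", "newInstance"}

# Single- or double-quoted JavaScript string literal (no template strings).
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1)[^\\\n])*)\1""")
IDENTIFIER_LIKE = re.compile(r"[A-Za-z_$.]+")


def find_digit_interleaved_strings(js, min_len=20, min_digit_ratio=0.6):
    """Return literals that are mostly digits yet decode to an identifier.

    Thresholds are assumptions: long, digit-heavy literals whose non-digit
    residue looks like an API name are rare in ordinary scripts.
    """
    hits = []
    for match in STRING_LITERAL.finditer(js):
        literal = match.group(2)
        if len(literal) < min_len:
            continue
        digits = sum(ch.isdigit() for ch in literal)
        if digits / len(literal) < min_digit_ratio:
            continue
        decoded = re.sub(r"\d", "", literal)
        # Pure numbers decode to "", timestamps to punctuation: skip both.
        if not IDENTIFIER_LIKE.fullmatch(decoded):
            continue
        hits.append({
            "offset": match.start(),
            "decoded": decoded,
            "watchlisted": decoded in WATCHLIST,
        })
    return hits


def has_trailing_whitespace_component(path):
    """True if a directory name or the file stem ends in a space."""
    p = PureWindowsPath(path)
    stem = p.name.rpartition(".")[0] if "." in p.name else p.name
    components = list(p.parts[:-1]) + [stem]
    return any(c != c.rstrip(" ") for c in components)


# Constructed sample input: one encoded literal (the string quoted above)
# among benign literals that are short, digit-poor, or not identifier-like.
SAMPLE_JS = '''
var a = "836f4974362o65679305r82637150N61617044a77736359m99323481e9388";
var b = "build 2013-05-05T12:00:00Z rev 42";
var c = "2013-05-05 12:00:00 2013-05-06 12:00:00";
var d = "4111111111111111111111";
'''

# Constructed paths; only the relative suffix of the first is from the page.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Broker services\WbemMonitor .exe",
    r"C:\Program Files\Vendor\tool.exe",
]

if __name__ == "__main__":
    for hit in find_digit_interleaved_strings(SAMPLE_JS):
        print("encoded literal:", hit)
    for path in SAMPLE_PATHS:
        print(has_trailing_whitespace_component(path), repr(path))
```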
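CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |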
CISA
Microsoft Internet Explorer Remote Code Execution Vulnerability
cisa·2022-03-03·CVSS 8.8
CVE-2013-1347 [HIGH] CWE-94 Microsoft Internet Explorer Remote Code Execution Vulnerability
Vulnerability: Microsoft Internet Explorer Remote Code Execution Vulnerability
Affected: Microsoft Internet Explorer
This vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-1347
Remediation Due Date: 2022-03-24
GHSA
GHSA-4j4f-7rwg-p4q7: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an obje
ghsa_unreviewed·2022-05-13
CVE-2013-1347 [HIGH] CWE-416 GHSA-4j4f-7rwg-p4q7: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an obje
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.
Kernel
HID: validate HID report id size
kernel_security·2013-08-28·CVSS 6.2
CVE-2013-2888 [MEDIUM] HID: validate HID report id size
HID: validate HID report id size
The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:
[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b
CVE-2013-2888
Signed-off-by: Kees Cook
Cc: [email protected]
Signed-off-by: Jiri Kosina
VulnCheck
Microsoft Internet Explorer Remote Code Execution Vulnerability
vulncheck·2013·CVSS 8.8
CVE-2013-1347 [HIGH] CWE-94 Microsoft Internet Explorer Remote Code Execution Vulnerability
This vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2013-1347; https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html; https://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf; https://www.recordedfuture.com/russian-apt-toolkits; https://cisa.gov/news-events/alerts/2015/04/29/top-3
Suricata
ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1
suricata·2014-10-09·CVSS 8.8
CVE-2013-1347 [HIGH] ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,to_client; file.data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019371; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, cve CVE_2013_1347, deployment Perimeter, confidence High, signature_severity Major, tag DriveBy, tag CISA_KEV, updated_at 2024_03_14;)
Exploit-DB
Microsoft Internet Explorer - CGenericElement Object Use-After-Free (Metasploit)
exploitdb·2013-05-07
CVE-2013-1347 Microsoft Internet Explorer - CGenericElement Object Use-After-Free (Metasploit)
---
##
#
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
:ua_minver => "8.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs w
Metasploit
MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
metasploit
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys·2015-05-01·CVSS 2.6
[LOW] US-CERT: Top 30 Vulnerabilities | Qualys
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-2014-0322
- MS13-038 for CVE-2013-1347
- MS13-008 for CVE-2012-4792
- MS10-01
Talos
Continued analysis of the LightsOut Exploit Kit
blogs_talos·2014-05-02·CVSS 9.8
[CRITICAL] Continued analysis of the LightsOut Exploit Kit
At the end of March, we disclosed the coverage of an Exploit Kit we called “Hello”: http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html, or “LightsOut”, we thought we’d do a follow up post to tear this exploit kit apart a bit more. This variant of the LightsOut exploit kit uses a number of Java vulnerabilities, and targets multiple browsers. The primary goal is to drop & execute a downloader executable, which in turn downloads and executes more malware samples. These secondary malware samples are run in a sequence, and do some information harvesting, and potentially exfiltrate the information harvested. Overall, not fun for visitors to sites compromised with the LightsOut exploit kit.
Because of the number of Java vulnerabilities leveraged by this kit; it's important to keep Jav
Talos
Microsoft Update Tuesday: Update for IE8 0-day and More
blogs_talos·2013-05-14·CVSS 7.2
CVE-2013-1347 [HIGH] Microsoft Update Tuesday: Update for IE8 0-day and More
Today is Update Tuesday and Microsoft is releasing updates for 33 CVEs across 10 bulletins. We'll be discussing some of the highlights here.
One of the most important updates (MS13-038) that is being released is for the recent 0-day in Internet Explorer, which was used in a watering hole attack on a Department of Labor internal website targeting Department of Energy employees. This vulnerability, CVE-2013-1347, affects IE8 and can allow an attacker to perform remote code execution via a use-after-free vulnerability. While it's currently not being exploited in any of the exploit kits that we monitor, Metasploit released an exploit for the vulnerability early last week. Sourcefire has detection for this vulnerability through SIDs 26569-26572.
Microsoft is also releasing a cumulative update
Trailofbits
Elderwood and the Department of Labor Hack
blogs_trailofbits·2013-05-13·CVSS 8.8
CVE-2013-1347 [HIGH] Elderwood and the Department of Labor Hack
Recently, the Department of Labor (DoL) and several other websites were compromised to host a new zero-day exploit in Internet Explorer 8 (CVE-2013-1347). Researchers noted similarities between this attack and earlier ones attributed to Elderwood, a distinct set of tools used to develop several past strategic website compromises. We have not, however, identified any evidence for this conclusion. Several fundamental differences exist that make it unlikely that this latest exploit was produced by the Elderwood kit.
- The Elderwood kit provides several reusable techniques for spraying the heap with Adobe Flash and bypassing DEP with other plugins. However, the DoL exploit avoids the need to use plugins by copying the code for a new exploit technique from Exodus Intelligence. This significant
Zscaler
Zscaler Protects Against Vulnerability in IE | Zscaler
blogs_zscaler·CVSS 8.8
[HIGH] Zscaler Protects Against Vulnerability in IE | Zscaler
Recorded Future
China's Influence on National Network Vulnerability Publications | Recorded Future
blogs_recorded_future·CVSS 7.8
[HIGH] China's Influence on National Network Vulnerability Publications | Recorded Future
## China’s Ministry of State Security Likely Influences National Network Vulnerability Publications
## Executive Summary
Earlier research based on the last two years of vulnerability reporting illustrated that China’s National Vulnerability Database of Information Security (CNNVD) was generally more aggressive in capturing up-to-date information for software vulnerabilities than its U.S. counterpart (NVD). In this research we examine exceptions to this general rule and discover a broader role for the Ministry of State Security (MSS) in vulnerability reporting than was previously known.
Recorded Future analysis has uncovered evidence of a formal vulnerability evaluation process at CNNVD in which High-threat CVEs are likely evaluated for their operational utility by the MSS before publica
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Zscaler
Zscaler found Multiple Security Vulnerabilities | 05-14-2013
blogs_zscaler·CVSS 4.3
[MEDIUM] Zscaler found Multiple Security Vulnerabilities | 05-14-2013
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel
and
Sergio Maffeis
Department of Computing
Imperial College London
London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
- http://technet.microsoft.com/security/advisory/2847140
- http://www.exploit-db.com/exploits/25294
- http://www.us-cert.gov/ncas/alerts/TA13-134A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-038
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16727
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-1347
2013-05-05: Published
2022-03-03: Added to CISA KEV
Exploited in the wild