CVE-2013-1347 — Microsoft Internet Explorer Remote Code Execution Vulnerability


Microsoft Internet Explorer 8 — CGenericElement Use-After-Free Zero-Day Used to Water-Hole US Department of Labor Website

What is Microsoft Internet Explorer?

Microsoft Internet Explorer was the dominant enterprise browser through the 2010s. IE 8 was the default browser on Windows XP and remained broadly deployed in enterprise environments years after Windows 7 and IE 9 were released — making IE 8-specific vulnerabilities highly impactful against corporate and government organizations. Microsoft retired IE 11 in June 2022.

Overview

CVE-2013-1347 is a use-after-free vulnerability (CWE-416) in Microsoft Internet Explorer 8, specifically in how the browser handles CGenericElement objects. Accessing a CGenericElement DOM object after it has been freed triggers the vulnerability, allowing arbitrary code execution in the context of the current user. This zero-day was exploited in a high-profile strategic water-holing attack — attackers compromised the US Department of Labor's website and used it to silently target visitors using IE 8, specifically those arriving from pages related to nuclear industry information (a pattern suggesting targeting of nuclear energy sector employees).

Microsoft released out-of-band emergency patch MS13-038 on May 14, 2013.

Affected Versions

| Internet Explorer Version | Affected |
|---|---|
| Internet Explorer 6 | Not affected |
| Internet Explorer 7 | Not affected |
| Internet Explorer 8 | Yes (primary target) |
| Internet Explorer 9 | Not affected |
| Internet Explorer 10 | Not affected |

Technical Details

The use-after-free (CWE-416) occurs in IE 8's DOM rendering engine. CGenericElement is the internal C++ class representing generic HTML DOM elements. When JavaScript code manipulates the DOM in a specific way — causing a CGenericElement object to be freed while another reference to it remains live — IE 8 subsequently dereferences the freed pointer during layout or event handling, triggering the use-after-free.

Exploitation technique: Classic IE use-after-free exploitation uses a JavaScript heap spray to fill the freed memory with attacker-controlled data before the freed pointer is dereferenced. When the dangling pointer is accessed, IE treats the sprayed data as the original object's fields, which allows virtual function calls to be redirected (vtable pointer hijacking) to attacker shellcode.

Targeting selectivity: In the Department of Labor water-hole, the exploit was selectively served only to visitors who arrived from DOL pages specifically related to occupational health information about the nuclear energy industry — a technique known as "watering hole with filtering" that narrows exposure to the intended target set while avoiding detection by security researchers browsing the site generally.

Discovery

The compromise of the Department of Labor website was discovered by researchers at Invincea and AlienVault on May 3, 2013. Analysis of the malicious JavaScript injected into the DOL site revealed the IE 8 zero-day. The targeted delivery pattern pointed to a sophisticated, likely state-sponsored actor targeting workers in the nuclear energy sector.

Exploitation Context

CVE-2013-1347 is a well-documented example of strategic water-holing against a government website. The US Department of Labor's website was selected because:

  • It is a highly trusted US government domain, visited by millions of workers and employers
  • Specific DOL pages on nuclear occupational health were of interest to the intended target population
  • The exploit was served only to IE 8 users arriving at specific DOL pages, minimizing noise and avoiding detection

Attribution based on malware payload and TTPs pointed to an APT group (likely Chinese state-sponsored) targeting US nuclear sector employees for intelligence collection.

Remediation

Internet Explorer reached end-of-life on June 15, 2022. Organizations should:

  1. Uninstall or disable Internet Explorer — replace with Microsoft Edge
  2. For historical remediation: MS13-038 (May 2013) patches this vulnerability for IE 8
  3. Remove IE from default application associations via Group Policy
  4. Audit legacy systems and line-of-business applications requiring IE 8 — these are an ongoing security liability and should be migrated to Edge with IE compatibility mode as a transition step
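For step 4 above, one way to find hosts still browsing with an IE 8 engine is to classify User-Agent strings in web proxy logs. This is an added example, not part of the original advisory; the log layout, host names and sample lines are constructed, and the Trident-token mapping follows Microsoft's documented User-Agent behaviour.

```python
import re
from collections import defaultdict

# Trident engine token -> real IE version. Compatibility View makes IE 8 and
# later send "MSIE 7.0", so the MSIE token alone under-counts IE 8.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"\bTrident/(\d+\.\d+)")
# Assumed log layout (constructed): <timestamp> <client> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')

def ie_version(user_agent):
    """Return the real IE major version, or None if the UA is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[trident.group(1)]
    # No (known) Trident token: IE 7 and earlier only carry the MSIE token.
    msie = MSIE_RE.search(user_agent)
    return int(msie.group(1)) if msie else None

def hosts_running_ie8(log_lines):
    """Map client -> number of requests made by a real IE 8 engine."""
    hits = defaultdict(int)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m and ie_version(m.group(3)) == 8:
            hits[m.group(2)] += 1
    return dict(hits)

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    '2013-05-02T09:14:03Z ws-0141 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '2013-05-02T09:14:09Z ws-0207 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"',
    '2013-05-02T09:15:40Z ws-0311 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"',
    '2013-05-02T09:16:12Z ws-0099 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '2013-05-02T09:17:55Z ws-0141 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '2013-05-02T09:18:01Z ws-0420 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
]

if __name__ == "__main__":
    for host, count in sorted(hosts_running_ie8(SAMPLE_LOG).items()):
        print(f"{host}: {count} request(s) from an IE 8 engine")
```

Host ws-0207 is the case a plain `MSIE 8.0` string match would miss: IE 8 in Compatibility View announces itself as MSIE 7.0 but still carries Trident/4.0.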

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2013-1347 |
| Vendor / Product | Microsoft — Internet Explorer |
| NVD Published | 2013-05-05 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2013-05-01 | US Department of Labor website compromised and used to serve IE 8 exploit to visitors |
| 2013-05-03 | Researchers at Invincea and AlienVault identify the water-hole attack and zero-day |
| 2013-05-05 | CVE-2013-1347 published; Microsoft releases Security Advisory 2847140 |
| 2013-05-14 | Microsoft releases out-of-band emergency patch MS13-038 |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| NVD — CVE-2013-1347 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS13-038 | Vendor Advisory |