CVE-2013-2551

Warning

EPSS 92.38%
Published 11.03.2013 10:55:01
Last modified 11.04.2025 00:51:21
Source cve@mitre.org
Teams watchlist Login
Open Login

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.

Affected products Warnungen 1 Metrics 4 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Microsoft ≫ Internet Explorer Version6

   Microsoft ≫ Windows Server 2003 Version- Updatesp2
   Microsoft ≫ Windows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   Microsoft ≫ Windows Xp Version- Updatesp3

Microsoft ≫ Internet Explorer Version7

   Microsoft ≫ Windows Server 2003 Version- Updatesp2
   Microsoft ≫ Windows Server 2008 Version- Updatesp2
   Microsoft ≫ Windows Vista Version- Updatesp2
   Microsoft ≫ Windows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   Microsoft ≫ Windows Xp Version- Updatesp3

Microsoft ≫ Internet Explorer Version8

   Microsoft ≫ Windows 7 Version- Updatesp1
   Microsoft ≫ Windows Server 2003 Version- Updatesp2
   Microsoft ≫ Windows Server 2008 Version- Updatesp2
   Microsoft ≫ Windows Server 2008 Versionr2 Updatesp1
   Microsoft ≫ Windows Vista Version- Updatesp2
   Microsoft ≫ Windows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   Microsoft ≫ Windows Xp Version- Updatesp3

Microsoft ≫ Internet Explorer Version9 Update-

   Microsoft ≫ Windows 7 Version- Updatesp1
   Microsoft ≫ Windows Server 2008 Version- Updatesp2
   Microsoft ≫ Windows Server 2008 Versionr2 Updatesp1 HwPlatformx64
   Microsoft ≫ Windows Vista Version- Updatesp2

Microsoft ≫ Internet Explorer Version10

   Microsoft ≫ Windows 7 Version- Updatesp1
   Microsoft ≫ Windows 8 Version-
   Microsoft ≫ Windows Rt Version-
   Microsoft ≫ Windows Server 2008 Versionr2 Updatesp1 HwPlatformx64
   Microsoft ≫ Windows Server 2012 Version-

28.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Internet Explorer Use-After-Free Vulnerability

Vulnerability

Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute remote code via a crafted web site that triggers access to a deleted object.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	92.38%	0.997

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-037

Patch

Vendor Advisory

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157

Third Party Advisory

Broken Link

http://twitter.com/VUPEN/statuses/309479075385327617

Broken Link

http://twitter.com/thezdi/statuses/309452625173176320

Not Applicable

http://www.us-cert.gov/ncas/alerts/TA13-134A

Third Party Advisory