CVE-2013-3897

Warnung

EPSS 90.55%
Veröffentlicht 09.10.2013 14:54:25
Zuletzt bearbeitet 11.04.2025 00:51:21
Quelle secure@microsoft.com
Teams Watchlist Login
Unerledigt Login

Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microsoft ≫ Internet Explorer Version6

   Microsoft ≫ Windows Server 2003 Version- Updatesp2
   Microsoft ≫ Windows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   Microsoft ≫ Windows Xp Version- Updatesp3

Microsoft ≫ Internet Explorer Version7

   Microsoft ≫ Windows Server 2003 Version- Updatesp2
   Microsoft ≫ Windows Server 2008 Version- Updatesp2
   Microsoft ≫ Windows Vista Version- Updatesp2
   Microsoft ≫ Windows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   Microsoft ≫ Windows Xp Version- Updatesp3

Microsoft ≫ Internet Explorer Version8

   Microsoft ≫ Windows 7 Version- Updatesp1
   Microsoft ≫ Windows Server 2003 Version- Updatesp2
   Microsoft ≫ Windows Server 2008 Version- Updatesp2
   Microsoft ≫ Windows Server 2008 Versionr2 Updatesp1
   Microsoft ≫ Windows Vista Version- Updatesp2
   Microsoft ≫ Windows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   Microsoft ≫ Windows Xp Version- Updatesp3

Microsoft ≫ Internet Explorer Version9

   Microsoft ≫ Windows 7 Version- Updatesp1
   Microsoft ≫ Windows Server 2008 Version- Updatesp2
   Microsoft ≫ Windows Server 2008 Versionr2 Updatesp1 HwPlatformx64
   Microsoft ≫ Windows Vista Version- Updatesp2

Microsoft ≫ Internet Explorer Version10

   Microsoft ≫ Windows 7 Version- Updatesp1
   Microsoft ≫ Windows 8 Version-
   Microsoft ≫ Windows Server 2008 Versionr2 Updatesp1 HwPlatformx64
   Microsoft ≫ Windows Server 2012 Version-

Microsoft ≫ Internet Explorer Version11 Update-

   Microsoft ≫ Windows 8.1 Version-
   Microsoft ≫ Windows Rt 8.1 Version-
   Microsoft ≫ Windows Server 2012 Versionr2

03.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Internet Explorer Use-After-Free Vulnerability

Schwachstelle

A use-after-free vulnerability exists within CDisplayPointer in Microsoft Internet Explorer that allows an attacker to remotely execute arbitrary code.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	90.55%	0.996

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx

Vendor Advisory

Broken Link

http://www.us-cert.gov/ncas/alerts/TA13-288A

Third Party Advisory

US Government Resource

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080

Patch

Vendor Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18989

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2013-3897

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2013-3897

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2013-3897

EUVD