Source: SAINT Corporation
ID: SAINT:530FA87FA097C35D9629E058CE3C1589
Date: May 08, 2013 - 12:00 a.m.

Internet Explorer CGenericElement Object Use-after-free Vulnerability

download.saintcorporation.com

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.9%

Added: 05/08/2013
CVE: CVE-2013-1347
BID: 59641
OSVDB: 92993

Background

Internet Explorer is a web browser that ships by default with Microsoft operating systems.

Problem

When Internet Explorer attempts to access an object in memory that has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. This use-after-free vulnerability is triggered when handling CGenericElement objects.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 13-028.

References

<http://technet.microsoft.com/en-us/security/advisory/2847140>
<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>

Limitations

This exploit was tested against Microsoft Internet Explorer 8 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).

Successful exploitation on Windows 7 requires that JRE 6 be installed.

Platforms

Windows
