Internet Explorer HTML Rendering Engine onLoseCapture Use-After-Free Vulnerability

2013-09-25T00:00:00
ID SAINT:A85CFBC6927213488530ECDD18E63DF7
Type saint
Reporter SAINT Corporation
Modified 2013-09-25T00:00:00

Description

Added: 09/25/2013
CVE: CVE-2013-3893
BID: 62453
OSVDB: 97380

Background

Internet Explorer is the web browser that ships by default with Microsoft operating systems.

Problem

Microsoft Internet Explorer versions 6 through 11 contain a use-after-free vulnerability in the SetMouseCapture implementation in the HTML rendering engine (**mshtml.dll**). The vulnerability is triggered by the OnLoseCapture event. A remote attacker who persuades a user to open a specially crafted web page in a vulnerable version of IE could cause the browser to dereference already freed memory and execute arbitrary code via crafted JavaScript strings.

Resolution

See Microsoft Security Advisory 2887505.

References

<http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx>
<http://secunia.com/advisories/54884/>

Limitations

The exploit works on Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). JRE 6 must be installed on Windows 7.

The user must open the exploit in a vulnerable version of Internet Explorer. The chance of successful exploitation is very low against Internet Explorer 8 on Windows 7.

Platforms

Windows