Internet Explorer HTML Rendering Engine onLoseCapture Use-After-Free Vulnerability

2013-09-2500:00:00

SAINT Corporation

my.saintcorporation.com

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.965

Percentile

99.6%

JSON

Added: 09/25/2013
CVE: CVE-2013-3893
BID: 62453
OSVDB: 97380

Background

Internet Explorer is an HTML web browser which comes by default on Microsoft operating systems.

Problem

Microsoft Internet Explorer 6 through 11 contain a use-after-free vulnerability in the SetMouseCapture implementation in the HTML rendering engine (**mshtml.dll**). The vulnerability is triggered by the OnLoseCapture event. A remote attacker that persuades a user to open a specially crafted web page in a vulnerable version of IE could dereference already freed memory and execute arbitrary code via crafted JavaScript strings.

Resolution

See Microsoft Security Advisory 2887505.

References

<http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx>
<http://secunia.com/advisories/54884/>

Limitations

Exploit works on Microsoft Internet Explorer 8 and 9 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). JRE 6 must be installed on Windows 7.

The user must open the exploit in a vulnerable version of Internet Explorer. The chance of successful exploitation is very low against Internet Explorer 8 on Windows 7.