CVE-2013-2551


CVSS 8.8 HIGH · EPSS 73.9% · KEV · CWE-416
In short

Internet Explorer versions 6-10 have a flaw where the browser can access memory that has been freed, allowing attackers to run malicious code through a specially crafted website. This happens because the browser doesn't properly track when an object is deleted.

Technical detail

Use-after-free vulnerability in the MSHTML engine affecting IE 6-10. A remote attacker can craft HTML/JavaScript that triggers dereferencing of freed memory objects, leading to code execution in the browser context. Exploitation requires the user to visit a malicious website; no authentication or user interaction beyond visiting the site is needed.

Summary generated and translated by AI from the official description.
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/a