Vulnerability Description
Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Internet Explorer | 6 |
| Microsoft | Windows Server 2003 | - |
| Microsoft | Windows Xp | - |
| Microsoft | Windows Server 2008 | - |
| Microsoft | Windows Vista | - |
| Microsoft | Windows 7 | - |
| Microsoft | Windows 8 | - |
| Microsoft | Windows Server 2012 | - |
| Microsoft | Windows 8.1 | - |
| Microsoft | Windows Rt 8.1 | - |
Related Weaknesses (CWE)
References
- http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulneraBroken LinkVendor Advisory
- http://www.us-cert.gov/ncas/alerts/TA13-288AThird Party AdvisoryUS Government Resource
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-08PatchVendor Advisory
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Broken Link
- http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulneraBroken LinkVendor Advisory
- http://www.us-cert.gov/ncas/alerts/TA13-288AThird Party AdvisoryUS Government Resource
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-08PatchVendor Advisory
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Broken Link
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-US Government Resource
FAQ
What is CVE-2013-3897?
CVE-2013-3897 is a vulnerability with a CVSS score of 8.8 (HIGH). Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memo...
How severe is CVE-2013-3897?
CVE-2013-3897 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-3897?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Internet Explorer, Microsoft Windows Server 2003, Microsoft Windows Xp, Microsoft Windows Server 2008, Microsoft Windows Vista.