CVE-2013-0074
Published: 13 March 2013
Summary
CVE-2013-0074 is a high-severity an unspecified weakness vulnerability in Microsoft Silverlight. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
Microsoft Silverlight 5 and the Silverlight 5 Developer Runtime, prior to version 5.1.20125.0, contain a double dereference vulnerability stemming from improper pointer validation during HTML object rendering. The flaw is tracked as CVE-2013-0074 and carries a CVSS 3.1 base score of 7.8.
Remote attackers can exploit the issue by serving a crafted Silverlight application that triggers the pointer mishandling when rendered in a browser. Successful exploitation grants arbitrary code execution with the privileges of the current user, requiring only that the victim open or view the malicious content.
Microsoft security bulletin MS13-022 and the associated US-CERT alert TA13-071A direct administrators to install the vendor-supplied update that advances Silverlight to 5.1.20125.0 or later; the bulletin also lists detection logic published in OVAL definitions for enterprise scanning. No additional real-world exploitation details are provided in the source references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-0117
Vulnerability details
Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."
- CWE(s)
- KEV Date Added
- 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of the vendor patch that upgrades Silverlight to 5.1.20125.0 and eliminates the double-dereference flaw.
Requires policy, technical controls, and monitoring over mobile code (Silverlight) to block execution of untrusted or crafted applications.
Enforces least functionality by disabling or restricting Silverlight where it is not explicitly required, eliminating the attack surface.