CVE-2013-2551
Published: 11 March 2013
Summary
CVE-2013-2551 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Xp. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a use-after-free flaw, tracked as CWE-416, that affects Microsoft Internet Explorer versions 6 through 10. It occurs when the browser accesses an object after it has been deleted, enabling memory corruption that can be leveraged for code execution. The issue was assigned CVE-2013-2551 and is distinct from the related use-after-free problems reported as CVE-2013-1308 and CVE-2013-1309.
Remote attackers can exploit the flaw by serving a specially crafted web page that triggers the use-after-free condition. Successful exploitation grants arbitrary code execution in the context of the current user, with a CVSS 3.1 score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability. The vulnerability was publicly demonstrated by VUPEN researchers during the Pwn2Own contest at CanSecWest 2013.
Microsoft addressed the issue in security bulletin MS13-037, and US-CERT alert TA13-134A recommends applying the vendor updates. Additional details on the demonstration appear in contemporaneous reports from HP Security Research and Zero Day Initiative.
The flaw was shown to be exploitable in a contest setting but no further real-world exploitation details are provided in the references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-2493
Vulnerability details
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka…
more
"Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.
- CWE(s)
- KEV Date Added
- 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of vendor patches such as MS13-037 to eliminate the use-after-free flaw before exploitation.
Implements memory-protection safeguards that block unauthorized code execution arising from use-after-free memory corruption in the browser.
Establishes usage restrictions and controls on mobile code (scripts/active content) delivered by crafted web pages that trigger the vulnerability.