Cyber Resilience

CVE-2013-3163

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 July 2013

Modified: 22 April 2026
KEV Added: 30 March 2023
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8455 (99.3th percentile)
Risk Priority: 88 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-3163 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

Microsoft Internet Explorer versions 8 through 10 contain a memory corruption vulnerability, tracked as CVE-2013-3163 and also known as the Internet Explorer Memory Corruption Vulnerability. This flaw, distinct from CVE-2013-3144 and CVE-2013-3151, is categorized under CWE-787 and stems from improper handling of crafted web content that can trigger out-of-bounds memory operations. It affects the browser's rendering engine when processing untrusted web pages and carries a CVSS 3.1 score of 8.8.

Remote attackers can exploit the issue by serving a specially crafted website to victims, requiring only that a user visit the page with a vulnerable IE installation. Successful exploitation may result in arbitrary code execution with the privileges of the current user or a denial of service through memory corruption.

Microsoft addressed the vulnerability in security bulletin MS13-055, with corresponding guidance issued by US-CERT in alert TA13-190A; both recommend applying the vendor-supplied updates to affected systems. OVAL definitions are also available to support detection of unpatched installations.

Vulnerability details

Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3144 and CVE-2013-3151.

CWE(s): CWE-787
KEV Date Added: 30 March 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: internet explorer
Versions: 10, 8, 9

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires applying the vendor patch (MS13-055) that eliminates the memory-corruption flaw in IE 8-10.

prevent · detect

Malicious-code protections can block or alert on the crafted web content used to trigger the out-of-bounds write.

SC-18 Mobile Code (partial match)
prevent

Restricts mobile code (scripts, ActiveX, etc.) that IE renders, limiting the attack surface for the crafted-site exploit.
