CVE-2013-3163
Published: 10 July 2013
Summary
CVE-2013-3163 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
Microsoft Internet Explorer versions 8 through 10 contain a memory corruption vulnerability, tracked as CVE-2013-3163 and also known as the Internet Explorer Memory Corruption Vulnerability. This flaw, distinct from CVE-2013-3144 and CVE-2013-3151, is categorized under CWE-787 and stems from improper handling of crafted web content that can trigger out-of-bounds memory operations. It affects the browser's rendering engine when processing untrusted web pages and carries a CVSS 3.1 score of 8.8.
Remote attackers can exploit the issue by serving a specially crafted website to victims, requiring only that a user visit the page with a vulnerable IE installation. Successful exploitation may result in arbitrary code execution with the privileges of the current user or a denial of service through memory corruption.
Microsoft addressed the vulnerability in security bulletin MS13-055, with corresponding guidance issued by US-CERT in alert TA13-190A; both recommend applying the vendor-supplied updates to affected systems. OVAL definitions are also available to support detection of unpatched installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-3101
Vulnerability details
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3144 and CVE-2013-3151.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 30 March 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor patch (MS13-055) that eliminates the memory-corruption flaw in IE 8-10.
- SI-3 (Malicious Code Protection): malicious-code protections can block or alert on the crafted web content used to trigger the out-of-bounds write.
- SC-18 (Mobile Code): restricts mobile code (scripts, ActiveX, etc.) that IE renders, limiting the attack surface for the crafted-site exploit.