CVE-2013-3893
Published: 18 September 2013
Summary
CVE-2013-3893 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability is a use-after-free flaw, identified as CWE-416, in the SetMouseCapture implementation within mshtml.dll that affects Microsoft Internet Explorer versions 6 through 11. It can be triggered by specially crafted JavaScript strings, including cases where an ms-help: URL causes hxds.dll to load.
Remote attackers can exploit the issue by serving malicious web content that executes arbitrary code in the context of the current user when the victim visits the page with a vulnerable browser. The CVSS 3.1 score of 8.8 reflects network attack vector, low complexity, and no required privileges, with impacts to confidentiality, integrity, and availability.
Microsoft security advisories describe a Fix-It workaround released in September 2013 and confirm that the vulnerability was later addressed in the MS13-080 cumulative update. The same advisories note that the flaw was being used in limited, targeted attacks at the time.
Public exploit code for Internet Explorer 8 has since appeared, consistent with the earlier observation of real-world targeted exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-3825
Vulnerability details
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 12 August 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of security updates such as MS13-080 that remove the use-after-free flaw in mshtml.dll.
- SC-18 (Mobile Code): restricts or validates execution of mobile code (JavaScript) that is used to trigger the SetMouseCapture use-after-free in IE.
- SI-3 (Malicious Code Protection): deploys malicious-code detection mechanisms capable of blocking web content that exploits the ms-help: URL / hxds.dll vector.