CVE-2013-3896
Published: 09 October 2013
Summary
CVE-2013-3896 is a medium-severity vulnerability in Microsoft Silverlight whose weakness type (CWE) is unspecified. Its CVSS base score is 5.5 (Medium).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
Microsoft Silverlight 5 before version 5.1.20913.0 contains an information disclosure vulnerability stemming from improper pointer validation during access to Silverlight elements. The flaw is tracked as CVE-2013-3896 and carries a CVSS 3.1 base score of 5.5, reflecting a local attack vector, low attack complexity and no privileges required, with the impact limited to a high confidentiality loss (no integrity or availability impact).
Remote attackers can exploit the issue by supplying a specially crafted Silverlight application that, when rendered by an affected installation, leaks sensitive information from the host system. User interaction is required for successful exploitation, consistent with the need to load the malicious content.
Microsoft addressed the vulnerability in security bulletin MS13-087, and US-CERT alert TA13-288A recommends applying the vendor update to remediate affected Silverlight installations. OVAL definitions are also published to support detection of unpatched systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-3828
Vulnerability details
Microsoft Silverlight 5 before 5.1.20913.0 does not properly validate pointers during access to Silverlight elements, which allows remote attackers to obtain sensitive information via a crafted Silverlight application, aka "Silverlight Vulnerability."
- CWE(s): not specified
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor security update (MS13-087) that corrects the pointer-validation flaw before exploitation occurs.
- SC-18 (Mobile Code): restricts or authorizes execution of Silverlight mobile code, blocking the crafted-application vector that triggers the information disclosure.
- CM-7 (Least Functionality): enforces least functionality by disabling or removing the vulnerable Silverlight component when it is not required, eliminating the attack surface.