CVE-2013-2551
Published 2013-03-11
CVE-2013-2551: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers…
Priority: P189 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 74.10% (99.4th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- RIG EK landing page stores exploit scripts in JavaScript variables named 's', Base64-encoded; look for multiple variables all named 's' in obfuscated HTML pages containing VBScript and JavaScript payloads.
- CVE-2013-2551 exploit in Angler EK targets IE 10; detect by monitoring for VML dashstyle.array manipulation: the exploit sets dashstyle.array.item(0x2E+0x16) to read/write memory and leaks ntdll base address via marginLeft CSS property.
- CVE-2013-2551 exploit abuses vgx.dll VML dashstyle.array length integer overflow; monitor for abnormal VML shape rendering with large dashstyle array lengths in Internet Explorer.
- RIG EK gate (EITest) identified by iframe URLs pointing to amocy.top with long path strings; filenames use random strings with extensions from the set: html, htm, jpeg, png, jpg, gif, js.
- Angler EK uses 302 cushioning and domain shadowing to deliver CVE-2013-2551 IE 10 exploit; look for multi-hop 302 redirect chains terminating at a subdomain-shadowed landing page serving VML exploit content.
- Many RIG EK IOCs (URLs, filenames, session parameters) are individualized per victim/session, making static URL or filename signatures unreliable for detection.
- Different RIG EK campaigns may use only a single infection stage or substitute different script types (e.g. two VBScripts + one JS instead of the three-variable pattern), reducing reliability of stage-count-based detection.
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 8.8 HIGH
cisa · 8.8 HIGH
GHSA
GHSA-cxgx-c7c4-5mq4: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2013-1308 [CRITICAL] CWE-416 GHSA-cxgx-c7c4-5mq4: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1309 and CVE-2013-2551.
GHSA
GHSA-m5j6-8c2h-w4h7: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2013-2551 [CRITICAL] CWE-416 GHSA-m5j6-8c2h-w4h7: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.
GHSA
GHSA-cjgj-38vj-vcrr: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2013-1309 [CRITICAL] CWE-416 GHSA-cjgj-38vj-vcrr: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-2551.
VulnCheck
Microsoft Internet Explorer Use-After-Free Vulnerability
vulncheck·2013·CVSS 8.8
CVE-2013-2551 [HIGH] CWE-416 Microsoft Internet Explorer Use-After-Free Vulnerability
Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute remote code via a crafted web site that triggers access to a deleted object.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rig-exploit-kit-diving-deeper-into-the-infrastructure/; https://threatpost.com/cryptolocker-variant-coming-after-gamers/111611/; https://www.oreilly.com/content/threat-intelligence-and-ransomware/; https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/terror-exploit-kit-more-like-error-exploit-kit/; https://blog.malwarebytes.com/cyber
CISA
Microsoft Internet Explorer Use-After-Free Vulnerability
cisa·2022-03-28·CVSS 8.8
CVE-2013-2551 [HIGH] CWE-416 Microsoft Internet Explorer Use-After-Free Vulnerability
Vulnerability: Microsoft Internet Explorer Use-After-Free Vulnerability
Affected: Microsoft Internet Explorer
Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute remote code via a crafted web site that triggers access to a deleted object.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-2551
Remediation Due Date: 2022-04-18
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009) (Metasploit)
exploitdb·2013-06-13
CVE-2013-2551 Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009) (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
    :ua_minver => "8.0",
    :ua_maxver => "8.0",
    :javascript => true,
    :os_name => OperatingSystems::WINDOWS,
    :rank => Rank
  })
  def initialize(info={})
    super(update_info(info,
      'Name' => "MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow",
      'Description' => %q{
        This module exploits an integer overflow vulnerability on Internet Explorer.
        The vulnerability exists in the h
```
Metasploit
MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
metasploit
This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to bypass ASLR, and by default the info leak is used. To make sure the leak is successful, the ntdll version should be either v6.1.7601.17514 (the default dll version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after applying MS12-001). If the target doesn't have the version the exploit wants, it will refuse to attack by sending a fake 404 me
Qualys
The Rise of Ransomware
blogs_qualys·2021-10-05
With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI’s 2020 Internet Crime Report 2400+ ransomware-related
Zscaler
Top Exploit Kit Activity Roundup - Summer 2017 | Zscaler
blogs_zscaler·2017-09-12
Securelist
IT threat evolution Q1 2017. Statistics
blogs_securelist·2017-05-22
Authors
- Roman Unuchek
- Fedor Sinitsyn
- Denis Parinov
- Vladislav Stolyarov
## Q1 figures
According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world.
79,209,775 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 288 thousand user computers.
Crypto ransomware attacks were blocked on 240,799 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 174,989,956 unique malicious and pot
Talos
Take the RIG Pill: Down the Rabbit Hole
blogs_talos·2016-11-03
Talos is monitoring the big notorious Exploit Kits (EK) on an ongoing basis. Since Angler disappeared a few months ago, RIG is one EK which seems to be trying to fill the gap Angler has left. We see an ongoing development on RIG. This report gives more details about the complex infection process the adversaries behind RIG are using to infect their victims and how they attempt to bypass security software and devices.
The adversaries are leveraging Gates (e.g. EITest) to redirect the users to their Landing Page. This leads to a chain of redirects, before the victim finally gets on the landing page of the exploit kit. They are using different methods and stages to deliver the malware files. The same malware file often gets written and executed multiple times on the victim's PC. If one method d
Zscaler
Bad Actors On GMHOST Alexander Mulgin Serginovic | Zscaler
blogs_zscaler·2016-01-12·CVSS 9.8
[CRITICAL] Bad Actors On GMHOST Alexander Mulgin Serginovic | Zscaler
Zscaler
Angler EK Utilizing 302 Cushioning & Domain Shadowing | Blog
blogs_zscaler·2015-04-03·CVSS 7.8
[HIGH] Angler EK Utilizing 302 Cushioning & Domain Shadowing | Blog
Talos
Evolution of the Nuclear Exploit Kit
blogs_talos·2014-10-09
This post is co-authored by Alex Chiu, Martin Lee, Emmanuel Tacheau, and Angel Villegas.
Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched and launch an exploit specific to the out of date software. Using this technique criminals can maximise their chances of infecting visitors but reduce their exposure to only infect those who are vulnerable; presumably in order to remain inconspicuous.
We have previously written about the Rig, Angler and Styx exploit kits and how they are a serious threat if machines with vulnerable third-party software are left un
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Zscaler
Zscaler found Multiple Security Vulnerabilities | 05-14-2013
blogs_zscaler·CVSS 4.3
[MEDIUM] Zscaler found Multiple Security Vulnerabilities | 05-14-2013
References
- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
- http://twitter.com/VUPEN/statuses/309479075385327617
- http://twitter.com/thezdi/statuses/309452625173176320
- http://www.us-cert.gov/ncas/alerts/TA13-134A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-037
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16317
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2551
2013-03-11: Published
2022-03-28: Added to CISA KEV
Exploited in the wild