CVE-2013-3163
Published: 2013-07-10
Priority: P185 · high 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2023-04-20)
Exploited in the wild
EPSS: 70.68% (99.3th percentile)
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3144 and CVE-2013-3151.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- CVE-2013-3163 exploit Flash ActionScript contains unused variables 'org' (originally used as trigger string) and 'found' (flag for Vector object modification) — their presence in a Flash file is a fingerprint of this exploit family.
- CVE-2013-3163 exploit Flash ROP chain setup uses negative array indexing starting at -2 (e.g., index -2 and -1 relative to a base), which is unusual and a strong behavioral fingerprint.
- ZxShell (dropped via CVE-2013-3163) creates a service with a name derived from the netsvc group and uses the pattern 'netsvc_xxxxxxxx' (8-digit random hex) as a fallback service name — monitor for new services matching this pattern.
- CVE-2013-3163 Metasploit module targets the CAnchorElement Use-After-Free in IE8 standards mode via a malformed table tree (CPhraseElement after CTableRow); the crash occurs in mshtml!CElement::Doc at the SecurityContext virtual function at offset +0x70.
- Detect Flash vector object length inconsistency at runtime: if the sum of all allocated vector object lengths does not match actual memory allocation, a vector length field may have been corrupted by CVE-2013-3163 exploitation.
- CVE-2013-3163 exploitation is specific to Internet Explorer 8 only (standards mode); the CAnchorElement Use-After-Free does not affect IE9 or later.
- The exploit requires both an HTML component (to set up the page) and a Flash file (to build memory layout and trigger the bug); neither part alone is sufficient to reproduce the attack.
- ZxShell hides itself from the host process module list after installation by freeing and re-copying its DLL buffer, making standard process enumeration tools ineffective for detection.
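CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |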
CISA
Microsoft Internet Explorer Memory Corruption Vulnerability
cisa·2023-03-30·CVSS 8.8
CVE-2013-3163 [HIGH] CWE-94 Microsoft Internet Explorer Memory Corruption Vulnerability
Vulnerability: Microsoft Internet Explorer Memory Corruption Vulnerability
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code or cause a denial of service via a crafted website.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-055; https://nvd.nist.gov/vuln/detail/CVE-2013-3163
Remediation Due Date: 2023-04-20
GHSA
GHSA-9pqv-9r37-hxh7: Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2013-3163 [CRITICAL] CWE-787 GHSA-9pqv-9r37-hxh7: Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3144 and CVE-2013-3151.
GHSA
GHSA-c8qc-c83f-7w46: Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2013-3144 [CRITICAL] CWE-94 GHSA-c8qc-c83f-7w46: Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3151 and CVE-2013-3163.
GHSA
GHSA-mm9g-wfxq-fxg2: Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2013-3151 [CRITICAL] CWE-94 GHSA-mm9g-wfxq-fxg2: Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3144 and CVE-2013-3163.
VulnCheck
Microsoft Internet Explorer Memory Corruption Vulnerability
vulncheck·2013·CVSS 8.8
CVE-2013-3163 [HIGH] CWE-94 Microsoft Internet Explorer Memory Corruption Vulnerability
Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code or cause a denial of service via a crafted website.
Affected: Microsoft Internet Explorer
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Exploitation References: https://blogs.cisco.com/security/talos/opening-zxshell; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2023-04-20
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - CAnchorElement Use-After-Free (MS13-055) (Metasploit)
exploitdb·2013-09-10
CVE-2013-4015 Microsoft Internet Explorer - CAnchorElement Use-After-Free (MS13-055) (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free",
'Description' => %q{
In IE8 standards mode, it's possible to cause a use-after-free condition by first
creating an illogical table tree, where a CPhraseElement comes after CTableRow,
with the final node being a sub table element. When the CPhraseElement's outer
content is reset by using either outerText or outerHTML through an event handler,
t
Metasploit
MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
metasploit
In IE8 standards mode, it's possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement's outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it's trying to make a call to the object's SecurityContext virtual function at offset +0x70, which results
Talos
Threat Spotlight: Group 72, Opening the ZxShell
blogs_talos·2014-10-28
This post was authored by Andrea Allievi, Douglas Goddard, Shaun Hurley, and Alain Zidouemba.
Recently, there was a blog post on the takedown of a botnet used by a threat actor group known as Group 72 and their involvement in Operation SMN. This group is sophisticated, well funded, and exclusively targets high profile organizations with high value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors. The primary attack vectors are watering-hole, spear phishing, and other web-based attacks.
Frequently, a remote administration tool (RAT) is used to maintain persistence within a victim’s organization. These tools are used to further compromise the organization by attacking other hosts inside the target's network.
ZxShell (aka Sensocode) is a Remote Admi
Unit42
How To Defend Against Advanced IE Exploitation
blogs_unit42·2014-06-06
## How To Defend Against Advanced IE Exploitation
IPS Team
Published: June 6, 2014
Tags: Malware, Threat Research, ActiveX, Flash, Internet Explorer, IPS, Microsoft, Use after free
In February, Microsoft awarded $100,000 to Yu Yang (@Tombkeeper) for reporting a new mitigation bypass technique as part of Microsoft’s Bounty Program. Yu later demonstrated his research at CanSecWest in March. In his slides, he mentioned that a "god mode" of Internet Explorer could be turned on by a one byte overwrite. However, he had to heavily redact this information due to an agreement between himself and Microsoft.
After his slides were released, researchers began working to determine what the missing parts were. And before long, Yuki Chen (@guhe120), a Chinese researcher, posted his answer. Although the code was removed soon after posting, a copy was still maintained and used by Metasploit. Following this code, another researcher posted his VB script version using more advanced tech
Unit42
A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
blogs_unit42·2014-05-02·CVSS 8.8
CVE-2014-1776 [HIGH] A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
## A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
Bo Qu
Published: May 2, 2014
Tags: High Profile Threats, Threat Research, Vulnerabilities, CVE-2014-1776, Internet Explorer, Microsoft
## Summary
- The exploit code used in the recent CVE-2014-1776 attacks shares many similar characteristics with code that exploited CVE-2014-0322 and CVE-2013-3163.
- The shared techniques, variable names and code structure suggest these exploits share a common author or template.
- Palo Alto Networks customers are protected from exploitation of CVE-2014-1776 with content release 433-2194.
Late last month reports surfaced that a new Internet Explorer vulnerability (CVE-2014-1776) was being exploited in targeted attacks. The vulnerability allows an attacker to take full control over the system after a user views a web page in their browser. According to Microsoft, it affects versions of Internet Explorer from version 6 to 11, meaning that almost all IE users are vulnerable to this bug
Zscaler
Zscaler found Multiple Security Vulnerabilities | 07-09-2013
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 07-09-2013
References
- http://www.us-cert.gov/ncas/alerts/TA13-190A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-055
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17363
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3163
2013-07-10: Published
2023-03-30: Added to CISA KEV
Exploited in the wild