CVE-2013-3195
Published: 2013-10-09
Priority: P2 (65) · Severity: critical · CVSS 2.0 base score: 10.0 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
EPSS: 38.48% (98.4th percentile)
The DSA_InsertItem function in Comctl32.dll in the Windows common control library in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted value in an argument to an ASP.NET web application, aka "Comctl32 Integer Overflow Vulnerability."
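The description names the bug class (an integer overflow in the size computation behind a dynamic-array insert) but not its shape. What follows is an added example written for this page; it is not Comctl32 code and not taken from Microsoft's bulletin. It builds a toy dynamic structure array whose growth path first computes element count times element size in unchecked 32-bit arithmetic (the wrap that turns a huge count into a tiny allocation that the following copy overruns), then the same path with the multiplication and the count addition both guarded. The struct layout, the growth policy and the names dsa_bytes_unchecked, dsa_bytes_checked, dsa_insert_item and dsa_get_u32 are all assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy dynamic structure array. The API shape (count, item size, growth step,
 * insert-at-index) is borrowed loosely from the Comctl32 DSA functions; the
 * layout and every name here are assumptions for this example. */
typedef struct {
    unsigned char *items;   /* backing buffer, capacity * item_size bytes */
    int count;              /* elements in use */
    int capacity;           /* elements allocated */
    int item_size;          /* bytes per element */
    int grow;               /* elements to add when the buffer is full */
} DSA;

/* The bug class: element count times element size computed in 32-bit
 * arithmetic. The product wraps silently, so a huge count can yield a tiny
 * allocation that the subsequent copy then overruns. */
uint32_t dsa_bytes_unchecked(uint32_t capacity, uint32_t item_size) {
    return capacity * item_size;   /* 0x20000001 * 8 wraps to 8 */
}

/* Hardened form: refuse any count whose byte size does not fit in 32 bits.
 * Returns true and stores the size on success, false on overflow. */
bool dsa_bytes_checked(uint32_t capacity, uint32_t item_size, uint32_t *bytes) {
    if (item_size == 0 || capacity > UINT32_MAX / item_size)
        return false;
    *bytes = capacity * item_size;
    return true;
}

/* Insert an item at index (clamped to the end), growing the buffer when full.
 * Returns the index used, or -1 if growth would overflow or allocation fails. */
int dsa_insert_item(DSA *dsa, int index, const void *item) {
    if (index < 0 || index > dsa->count)
        index = dsa->count;

    if (dsa->count == dsa->capacity) {
        uint32_t new_cap, bytes;
        unsigned char *p;

        /* Guard the element-count addition as well as the multiplication. */
        if (dsa->grow <= 0 ||
            (uint32_t)dsa->capacity > (uint32_t)INT_MAX - (uint32_t)dsa->grow)
            return -1;
        new_cap = (uint32_t)dsa->capacity + (uint32_t)dsa->grow;
        if (!dsa_bytes_checked(new_cap, (uint32_t)dsa->item_size, &bytes))
            return -1;

        p = realloc(dsa->items, bytes);
        if (p == NULL)
            return -1;
        dsa->items = p;
        dsa->capacity = (int)new_cap;
    }

    /* Shift the tail up one slot and drop the new element in place. */
    memmove(dsa->items + (size_t)(index + 1) * dsa->item_size,
            dsa->items + (size_t)index * dsa->item_size,
            (size_t)(dsa->count - index) * dsa->item_size);
    memcpy(dsa->items + (size_t)index * dsa->item_size, item, (size_t)dsa->item_size);
    dsa->count++;
    return index;
}

/* Read back element i as a 32-bit value (for arrays of uint32_t). */
uint32_t dsa_get_u32(const DSA *dsa, int i) {
    uint32_t v;
    memcpy(&v, dsa->items + (size_t)i * dsa->item_size, sizeof v);
    return v;
}

int main(void) {
    DSA a = {NULL, 0, 0, sizeof(uint32_t), 2};
    uint32_t vals[] = {10, 20, 30, 40, 50}, seven = 7, dummy = 0;
    /* Constructed inputs: a normal insert sequence, then a count near wrap. */
    for (int i = 0; i < 5; i++)
        dsa_insert_item(&a, -1, &vals[i]);
    dsa_insert_item(&a, 1, &seven);
    printf("count=%d capacity=%d item[1]=%u\n", a.count, a.capacity, dsa_get_u32(&a, 1));
    printf("unchecked 0x20000001*8 = %u bytes\n", dsa_bytes_unchecked(0x20000001u, 8u));
    DSA big = {NULL, 0x20000001, 0x20000001, 8, 1};
    printf("checked insert at wrap boundary -> %d\n", dsa_insert_item(&big, 0, &dummy));
    free(a.items);
    return 0;
}
```

The unchecked helper is the pattern to look for in any allocator wrapper: a count and a width multiplied in the native integer width and handed straight to the allocator. The checked form divides instead of multiplying, which cannot wrap, and the insert routine applies the same discipline to the capacity addition so that neither step can produce a buffer smaller than the copy that follows.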
No detection rules found.
No public exploits indexed.
Talos: Microsoft Update Tuesday October 2013: Another IE 0-day release (blogs_talos, 2013-10-08, CVSS 9.3; indexed under CVE-2013-3893 [CRITICAL])
This month's Microsoft Tuesday Update brings us 8 bulletins for a total of 26 CVEs. Four of these bulletins are marked as critical, while the rest are marked as important.
First, let's take a look at the 4 critical bulletins:
The most important update this month is a cumulative update for IE (MS13-080), which fixes 10 CVE issues, 2 of which have already been exploited by attackers. The first 0-day that's being fixed was widely reported and exploited (CVE-2013-3893). The second one (CVE-2013-3897) was also exploited on the web, but in a more targeted manner. We have a blog post concerning this vulnerability here. Most of the issues fixed in this bulletin are the result of use-after-free vulnerabilities.
The second bulletin (MS13-081) covers Windows Kernel Mode Drivers. One particularly i
References:
http://blogs.technet.com/b/srd/archive/2013/10/08/assessing-risk-for-the-october-2013-security-updates.aspx
http://www.us-cert.gov/ncas/alerts/TA13-288A
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-083
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18715