CVE-2013-3897
Published 2013-10-09
Priority: P1 · 88 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability · due 2022-03-24
Exploited in the wild
EPSS: 77.46% (99.5th percentile)
Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Exploit targets MSIE 8.0 User-Agent combined with 'ko' (Korean) or 'ja' (Japanese) systemLanguage; the malicious JavaScript deactivates itself if these conditions are not met.
- Exploit JavaScript uses multiple calls to Math.atan2() with string parameters as a debugging/anti-analysis technique; presence of Math.atan2() calls with string arguments in obfuscated JS is a behavioral indicator.
- The vulnerability is triggered via the 'onpropertychange' event handler on a DOM tree where a CBlockElement follows a CTextArea element; monitor for suspicious use of onpropertychange in conjunction with select() and node swaps.
- The exploit leverages a ROP chain from hxds.dll (MS Help Data Services Module, installed with Microsoft Office); presence of hxds.dll in IE process ROP gadget chains is a strong indicator of exploitation.
- The CDisplayPointer object is a 0x48-byte HeapAlloc; heap spray or use-after-free crash signatures involving a 0x48-byte freed object in mshtml.dll are indicative of this exploit.
- Exploit was originally found on a public JavaScript unpacker site; monitor threat intel feeds and JS unpacker/deobfuscator sites for malicious IE exploit samples targeting East Asian language users.
- Exploit is specifically targeted at IE8 on Windows XP with Korean ('ko') or Japanese ('ja') system language; exploitation against other IE versions or language configurations was not observed in the wild for this sample.
- The Snort/Talos TRUFFLE rules (SIDs 28091 & 28092) were initially private/obfuscated; public coverage was later released as SIDs 28207 & 28208. Ensure the public SIDs are deployed rather than relying on TRUFFLE-only coverage.
- The ROP chain in the working exploit relies on hxds.dll being present (installed with Microsoft Office); systems without Office may not be exploitable via this specific ROP chain, but other gadget sources may apply.
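Three of the indicators above are script-level behaviours (Math.atan2() with a string argument, gating on an IE8 User-Agent plus a 'ko'/'ja' systemLanguage, and onpropertychange combined with select() and a node swap) that a content inspection pipeline can check with plain pattern matching. The scanner below is an added example written for this page, not code from the page or from any vendor's rule set; the regexes, the indicator names and the two sample scripts are constructed for illustration, and the samples contain only the tokens being looked for, not working exploit code.

```python
"""Heuristic scanner for the script-level indicators listed above.

Added example; the rules and sample inputs are constructed here and are not
taken from any captured sample or vendor signature. Treat hits as a triage
signal, not a verdict: legitimate pages also use atan2 and onpropertychange.
"""
import re

# Indicator 1: Math.atan2() called with a string literal among its arguments
# (the WinDbg breakpoint-logging trick described in the Talos write-up).
ATAN2_STRING_ARG = re.compile(r'Math\.atan2\s*\([^()]*?(?:"[^"]*"|\'[^\']*\')')

# Indicator 2: script gates itself on an IE8 User-Agent together with a
# Korean or Japanese systemLanguage.
UA_MSIE8 = re.compile(r'MSIE\s*8\.0')
SYSTEM_LANGUAGE = re.compile(r'systemLanguage')
LANG_KO_JA = re.compile(r'["\'](?:ko|ja)["\']')

# Indicator 3: an onpropertychange handler together with a select() call and
# a DOM node swap/replacement in the same script body.
ONPROPERTYCHANGE = re.compile(r'onpropertychange', re.IGNORECASE)
SELECT_CALL = re.compile(r'\.select\s*\(')
NODE_SWAP = re.compile(r'\.(?:swapNode|replaceChild|replaceNode)\s*\(')


def scan(js: str) -> list[str]:
    """Return the sorted names of the indicators present in a script body."""
    hits = []
    if ATAN2_STRING_ARG.search(js):
        hits.append("atan2_string_arg")
    if UA_MSIE8.search(js) and SYSTEM_LANGUAGE.search(js) and LANG_KO_JA.search(js):
        hits.append("ie8_ko_ja_gate")
    if ONPROPERTYCHANGE.search(js) and SELECT_CALL.search(js) and NODE_SWAP.search(js):
        hits.append("onpropertychange_select_swap")
    return sorted(hits)


def verdict(js: str) -> str:
    """Map indicator count to a triage label: two or more is suspicious."""
    hits = scan(js)
    if len(hits) >= 2:
        return "suspicious"
    if hits:
        return "review"
    return "clean"


# Constructed sample inputs (not real captured scripts); the first contains
# only the tokens the rules look for, the second uses the same APIs benignly.
SUSPICIOUS_SAMPLE = r'''
var ua = navigator.userAgent, lang = navigator.systemLanguage;
if (ua.indexOf("MSIE 8.0") < 0 || (lang != "ko" && lang != "ja")) { stop(); }
Math.atan2(0x1234, "after gc");
ta.onpropertychange = handler;
ta.select();
parent.replaceChild(b, ta);
'''

BENIGN_SAMPLE = r'''
var angle = Math.atan2(dy, dx);
form.onpropertychange = validate;   // no select() or node swap nearby
var lang = navigator.systemLanguage;
'''

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{name}: {verdict(body)} {scan(body)}")
```

The three indicators are deliberately scored together: any one of them appears in ordinary web content, so the `verdict` function only escalates when at least two co-occur in the same script body. Run the scanner over deobfuscated script bodies (for example the output of a JS unpacker), since the patterns will not match through string-built or encoded code.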
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-5cv5-x27q-h8hq: Use-after-free vulnerability in the CDisplayPointer class in mshtml
ghsa_unreviewed·2022-05-14
CVE-2013-3897 [HIGH] CWE-416 GHSA-5cv5-x27q-h8hq: Use-after-free vulnerability in the CDisplayPointer class in mshtml
Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."
VulnCheck
Microsoft Internet Explorer Use-After-Free Vulnerability
vulncheck·2013·CVSS 8.8
CVE-2013-3897 [HIGH] CWE-399 Microsoft Internet Explorer Use-After-Free Vulnerability
Microsoft Internet Explorer Use-After-Free Vulnerability
A use-after-free vulnerability exists within CDisplayPointer in Microsoft Internet Explorer that allows an attacker to remotely execute arbitrary code.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2013-3897; https://www.recordedfuture.com/russian-apt-toolkits; https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.logpoint.com/wp-content/uploads/2024/06/logpoint-etpr-forest-blizzard.pdf
Remediation Due: 2022-03-24
CISA
Microsoft Internet Explorer Use-After-Free Vulnerability
cisa·2022-03-03·CVSS 8.8
CVE-2013-3897 [HIGH] CWE-399 Microsoft Internet Explorer Use-After-Free Vulnerability
Vulnerability: Microsoft Internet Explorer Use-After-Free Vulnerability
Affected: Microsoft Internet Explorer
A use-after-free vulnerability exists within CDisplayPointer in Microsoft Internet Explorer that allows an attacker to remotely execute arbitrary code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-3897
Remediation Due Date: 2022-03-24
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080) (Metasploit)
exploitdb·2013-10-15·CVSS 8.8
CVE-2013-3897 [HIGH] Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080) (Metasploit)
Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080) (Metasploit)
---

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "8.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => NormalRanking
  })

  def initialize(info={})
    super(update_info(info,
      'Name'        => "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free",
      'Description' => %q{
        This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally
        found being exploited in
```
MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
metasploit·CVSS 8.8
CVE-2013-3893 [HIGH] MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object w
Krebs
Adobe, Microsoft Push Critical Security Fixes
blogs_krebs·2013-10-08·CVSS 8.8
[HIGH] Adobe, Microsoft Push Critical Security Fixes
Adobe and Microsoft today each issued software updates to fix critical security issues in their products. Microsoft released eight patch bundles to address 26 different vulnerabilities in Windows and other software – including not just one but two zero-day bugs in Internet Explorer. Adobe’s patches fix a single critical vulnerability present in both Adobe Acrobat and Reader.
Four of the eight patch bulletins from Microsoft earned its most dire “critical” rating, meaning the updates fix problems deemed so severe that miscreants or malware could use them to break into vulnerable systems without any help from users. The patches impact a broad range of Microsoft products, including Windows, IE, SharePoint, .NET Framework, Office and Silverlight.
Front and center in the Microsoft patch batch
Talos
IE Zero Day CVE-2013-3897 -- You've been protected for more than a week.
blogs_talos·2013-10-08·CVSS 8.8
CVE-2013-3897 [HIGH] IE Zero Day CVE-2013-3897 -- You've been protected for more than a week.
## IE Zero Day CVE-2013-3897 -- You've been protected for more than a week.
A little over a week ago the VRT discovered a very interesting bit of JavaScript on a popular JS unpacker site. Several things immediately piqued our interest in this sample. First of all, we found multiple calls to Math.atan2() with curious parameters:
This is a popular technique used in debugging exploits. A breakpoint can be set in the following way:
So that later on when the exploit is run, WinDbg will print out the second parameter of Math.atan2 calls, in the case above "after gc". Further inspection of the sample revealed that it checks the systemLanguage of the browser and deactivates itself if it doesn't find MSIE 8.0 in the User-Agent combined with either "ko" or "ja" system languages:
We suspect that
Talos
Microsoft Update Tuesday October 2013: Another IE 0-day release
blogs_talos·2013-10-08·CVSS 9.3
CVE-2013-3893 [CRITICAL] Microsoft Update Tuesday October 2013: Another IE 0-day release
This month's Microsoft Tuesday Update brings us 8 bulletins for a total of 26 CVEs. Four of these bulletins are marked as critical, while the rest are marked as important.
First, let's take a look at the 4 critical bulletins:
The most important update this month is a cumulative update for IE (MS13-080), which fixes 10 CVE issues, 2 of which have already been exploited by attackers. The first 0-day that's being fixed was widely reported and exploited (CVE-2013-3893). The second one (CVE-2013-3897) was also exploited on the web, but in a more targeted manner. We have a blog post concerning this vulnerability here. Most of the issues fixed in this bulletin are the result of use-after-free vulnerabilities.
The second bulletin (MS13-081) covers Windows Kernel Mode Drivers. One particularly i
Talos
Microsoft Update Tuesday October 2013: Another IE 0-day release
blogs_talos·2013-10-08·CVSS 9.3
[CRITICAL] Microsoft Update Tuesday October 2013: Another IE 0-day release
## Microsoft Update Tuesday October 2013: Another IE 0-day release
This month's Microsoft Tuesday Update brings us 8 bulletins for a total of 26 CVEs. Four of these bulletins are marked as critical, while the rest are marked as important.
First, let's take a look at the 4 critical bulletins:
The most important update this month is a cumulative update for IE (MS13-080), which fixes 10 CVE issues, 2 of which have already been exploited by attackers. The first 0-day that's being fixed was widely reported and exploited (CVE-2013-3893). The second one (CVE-2013-3897) was also exploited on the web, but in a more targeted manner. We have a blog post concerning this vulnerability here. Most of the issues fixed in this bulletin are the result of use-after-free vulnerabilities.
The second
Talos
IE Zero Day CVE-2013-3897 -- You've been protected for more than a week.
blogs_talos·2013-10-08·CVSS 8.8
CVE-2013-3897 [HIGH] IE Zero Day CVE-2013-3897 -- You've been protected for more than a week.
A little over a week ago the VRT discovered a very interesting bit of JavaScript on a popular JS unpacker site. Several things immediately piqued our interest in this sample. First of all, we found multiple calls to Math.atan2() with curious parameters:
This is a popular technique used in debugging exploits.
A breakpoint can be set in the following way:
So that later on when the exploit is run, WinDbg will print out the second parameter of Math.atan2 calls, in the case above "after gc". Further inspection of the sample revealed that it checks the systemLanguage of the browser and deactivates itself if it doesn't find MSIE 8.0 in the User-Agent combined with either "ko" or "ja" system languages:
We suspect that the "ko" or "js" language packs were intended targets for ROP exploitation. A
Krebs
Adobe, Microsoft Push Critical Security Fixes – Krebs on Security
blogs_krebs·2013-10-01·CVSS 8.8
[HIGH] Adobe, Microsoft Push Critical Security Fixes – Krebs on Security
Adobe and Microsoft today each issued software updates to fix critical security issues in their products. Microsoft released eight patch bundles to address 26 different vulnerabilities in Windows and other software – including not just one but two zero-day bugs in Internet Explorer. Adobe’s patches fix a single critical vulnerability present in both Adobe Acrobat and Reader.
Four of the eight patch bulletins from Microsoft earned its most dire “critical” rating, meaning the updates fix problems deemed so severe that miscreants or malware could use them to break into vulnerable systems without any help from users. The patches impact a broad range of Microsoft products, including Windows, IE, SharePoint, .NET Framework, Office and Silverlight.
Front and center in the Microsoft patch ba
Recorded Future
Running for Office: Russian APT Toolkits Revealed
blogs_recorded_future·CVSS 8.8
[HIGH] Running for Office: Russian APT Toolkits Revealed
# Running for Office: Russian APT Toolkits Revealed
### Analysis Summary
- Russian APTs regularly target Microsoft products with 55% of exploited vulnerabilities targeting versions of Office, Windows, and Internet Explorer products. Targeting widely adopted software provides the path of least resistance for a state-sponsored actor.
- Microsoft Office vulnerability targeting is in line with heavy use of spear phishing by Russian actors including APT28. Decoy (lure) attachments are often Excel files or Word documents.
- APT28, associated by many with Russian military intelligence (GRU), has 22 known exploited vulnerabilities in its toolkit. Seven of these vulnerabilities have no available public exploit.
- APT29, associated by many with the Russian Federal Security Service (FSB), utilizes
Recorded Future
Running for Office: Russian APT Toolkits Revealed | Recorded Future
blogs_recorded_future·CVSS 8.8
[HIGH] Running for Office: Russian APT Toolkits Revealed | Recorded Future
## Running for Office: Russian APT Toolkits Revealed
## Analysis Summary
Russian APTs regularly target Microsoft products with 55% of exploited vulnerabilities targeting versions of Office, Windows, and Internet Explorer products. Targeting widely adopted software provides the path of least resistance for a state-sponsored actor.
Microsoft Office vulnerability targeting is in line with heavy use of spear phishing by Russian actors including APT28. Decoy (lure) attachments are often Excel files or Word documents.
APT28, associated by many with Russian military intelligence (GRU), has 22 known exploited vulnerabilities in its toolkit. Seven of these vulnerabilities have no available public exploit.
APT29, associated by many with the Russian Federal Security Service (FSB), utilizes five
Zscaler
Zscaler Protects against Memory Corruption in IE
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler Protects against Memory Corruption in IE
References
- http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx
- http://www.us-cert.gov/ncas/alerts/TA13-288A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18989
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3897

Timeline
- 2013-10-09: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild