CVE-2013-7331
Published 2014-02-26
CVE-2013-7331: The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share…
Priority P277 · medium · CVSS 3.1 base score 6.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:L
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-15
Exploited in the wild
EPSS: 58.02% (99.0th percentile)
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.
Affected (6 ranges; version data not extracted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Monitor for Microsoft.XMLDOM ActiveX control usage in Internet Explorer that probes local paths, UNC share paths, intranet hostnames, or intranet IPs via error code examination, a key behavioral indicator of CVE-2013-7331 exploitation.
- Detect exploitation attempts targeting Internet Explorer 8 and Internet Explorer 9 specifically, where the XMLDOM object is used to enumerate filenames on the remote machine from a supplied list of file paths (e.g., c:\windows\system32\calc.exe).
- Alert on use of res:// protocol handler URLs within Internet Explorer, as this scheme was specifically demonstrated as a vector for the XMLDOM information disclosure.
- Treat XMLDOM-based file path probing as a potential anti-malware/AV detection evasion technique; attackers leveraged this vulnerability to detect anti-malware applications loaded in memory.
- The Metasploit auxiliary module requires an attacker-supplied list of file paths to enumerate; detection should account for high volumes of XMLDOM load attempts against varied local paths such as UNC or system32 paths.
- Exploitation is confirmed in the wild as of February 2014 and is listed in CISA KEV; treat unpatched Internet Explorer instances on Windows 8.1 and earlier as actively at risk.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vulncheck | — | 6.5 | MEDIUM | — |
| cisa | — | 6.5 | MEDIUM | — |
GHSA
GHSA-fprc-fr29-2qmp (ghsa_unreviewed · 2022-05-14 · CVE-2013-7331 · MEDIUM · CWE-200)
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.
VulnCheck
Microsoft Internet Explorer Information Disclosure Vulnerability (vulncheck · 2013 · CVSS 6.5 · CVE-2013-7331 · MEDIUM · CWE-200)
An information disclosure vulnerability exists in Internet Explorer which allows resources loaded into memory to be queried. This vulnerability could allow an attacker to detect anti-malware applications.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.cve.org/CVERecord?id=CVE-2013-7331
- http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf
- https://cybersecurityworks.com/pdf/ransomware/Spotlight_Ransomware2021.pdf
- https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
CISA
Microsoft Internet Explorer Information Disclosure Vulnerability (cisa · 2022-05-25 · CVSS 6.5 · CVE-2013-7331 · MEDIUM · CWE-200)
Vulnerability: Microsoft Internet Explorer Information Disclosure Vulnerability
Affected: Microsoft Internet Explorer
An information disclosure vulnerability exists in Internet Explorer which allows resources loaded into memory to be queried. This vulnerability could allow an attacker to detect anti-malware applications.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-7331
Remediation Due Date: 2022-06-15
No detection rules found.
Talos
## Evolution of the Nuclear Exploit Kit
blogs_talos · 2014-10-09
This post is co-authored by Alex Chiu, Martin Lee, Emmanuel Tacheau, and Angel Villegas.
Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched and launch an exploit specific to the out-of-date software. Using this technique criminals can maximise their chances of infecting visitors but reduce their exposure to only infect those who are vulnerable, presumably in order to remain inconspicuous.
We have previously written about the Rig, Angler and Styx exploit kits and how they are a serious threat if machines with vulnerable third-party software are left un
Talos
## Microsoft Update Tuesday September 2014: another generally light month but with a significant IE bulletin
blogs_talos · 2014-09-09 · CVSS 6.5 · [MEDIUM]
This month’s Microsoft Update Tuesday is pretty light save for the Internet Explorer bulletin. While there’s only a total of 4 bulletins, they cover a total of 42 CVEs. The IE bulletin, as is usual, has the most updates for bugs and is rated critical. It covers a total of 37 CVEs. The other three bulletins are rated as important and provide updates for the remaining five vulnerabilities.
MS14-052 is the IE bulletin and is rated critical. It covers a total of 37 CVEs. Of these 37 CVEs, 36 are remote code execution vulnerabilities; the other one is an information disclosure vulnerability (CVE-2013-7331). This last vulnerability is publicly known and under active exploitation. This vulnerability allows attackers to use Microsoft’s XMLDOM ActiveX object to gain information on local drive and
Recorded Future
# Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
One year ago a notorious programmer, Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
References
- http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
- http://www.kb.cert.org/vuls/id/539289
- http://www.securitytracker.com/id/1030818
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-052
- https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-7331
Timeline
- 2014-02-26: Published
- 2022-05-25: Added to CISA KEV
- Exploited in the wild