Published:2013/09/19  Last Updated:2013/10/17

JVN#27443259
Internet Explorer vulnerable to arbitrary code execution
Critical

Overview

Internet Explorer contains a vulnerability that may allow arbitrary code execution.

Products Affected

  • Microsoft Internet Explorer 6.0
  • Windows Internet Explorer 7
  • Windows Internet Explorer 8
  • Windows Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11

Description

Internet Explorer contains a vulnerability that may allow arbitrary code execution.

According to Microsoft, targeted attacks that attempt to exploit this vulnerability have been confirmed but are limited.

Impact

If a user views a specially crafted web page, an arbitrary code may be executed.

Solution

Apply an update
Apply Cumulative Security Update for Internet Explorer (2879017) according to the information provided by Microsoft.

Apply a workaround
The following workarounds may mitigate the affects of this vulnerability.

For more information, please see "Suggested Actions" of Microsoft Security Advisory (2887505).

Vendor Status

Vendor Status Last Update Vendor Notes
Microsoft Japan Co.,Ltd. vulnerable 2013/10/17 Microsoft Japan Co.,Ltd. website

References

  1. US-CERT Alert (TA13-288A)
    Microsoft Updates for Multiple Vulnerabilities

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2013.09.19  Critical

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Mid
Exploit Complexity large amount of expertise and/or luck required (BIOS expertise, guessing correctly in a large space)
  • Low

Description of each analysis measures

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2013-3893
JVN iPedia JVNDB-2013-000093

Update History

2013/09/19
URL for Enhanced Mitigation Experience Toolkit (EMET) under the section "Solution" was updated.
2013/10/09
Information under the section "Solution" was updated.
2013/10/16
Information under the section "References" was updated.
2013/10/17
Microsoft Japan Co.,Ltd. update status