Published:2013/09/19 Last Updated:2013/10/17
JVN#27443259
Internet Explorer vulnerable to arbitrary code execution
Critical
Overview
Internet Explorer contains a vulnerability that may allow arbitrary code execution.
Products Affected
- Microsoft Internet Explorer 6.0
- Windows Internet Explorer 7
- Windows Internet Explorer 8
- Windows Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
Description
Internet Explorer contains a vulnerability that may allow arbitrary code execution.
According to Microsoft, targeted attacks that attempt to exploit this vulnerability have been confirmed but are limited.
Impact
If a user views a specially crafted web page, an arbitrary code may be executed.
Solution
Apply an update
Apply Cumulative Security Update for Internet Explorer (2879017) according to the information provided by Microsoft.
Apply a workaround
The following workarounds may mitigate the affects of this vulnerability.
- Apply Fix it 51001
- Apply Enhanced Mitigation Experience Toolkit (EMET)
- Restrict the execution of ActiveX control and Active Script
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Microsoft Japan Co.,Ltd. | vulnerable | 2013/10/17 | Microsoft Japan Co.,Ltd. website |
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2013.09.19 Critical
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file |
|
| Exploit Complexity | large amount of expertise and/or luck required (BIOS expertise, guessing correctly in a large space) |
|
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2013-3893 |
| JVN iPedia |
JVNDB-2013-000093 |
Update History
- 2013/09/19
- URL for Enhanced Mitigation Experience Toolkit (EMET) under the section "Solution" was updated.
- 2013/10/09
- Information under the section "Solution" was updated.
- 2013/10/16
- Information under the section "References" was updated.
- 2013/10/17
- Microsoft Japan Co.,Ltd. update status