Cumulative Security Update for Internet Explorer

2013-02-12 This security update resolves thirteen privately disclosed vulnerabilities in Internet Explorer. These vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.This security update is rated Critical for all supported versions of Internet Explorer. For more information, see the subsection, Affected and Non-Affected Software, in this section.The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. See also the section, Detection and Deployment Tools and Guidance, later in this bulletin. Known Issues. None
Vulnerabilities addressed in this bulletin:

Shift JIS Character Encoding Vulnerability: An information disclosure vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow information disclosure if a user viewed the webpage. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.
CVE-2013-0015
Internet Explorer SetCapture Remote Code Execution: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0018
Internet Explorer COmWindowProxy Remote Code Execution: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0019
Internet Explorer CMarkup Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0020
Internet Explorer vtable Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0021
Internet Explorer LsGetTrailInfo Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0022
Internet Explorer CDispNode Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0023
Internet Explorer pasteHTML Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0024
Internet Explorer SLayoutRun Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0025
Internet Explorer InsertElement Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0026
Internet Explorer CPasteCommand Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0027
Internet Explorer CObjectElement Use After Free Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0028
Internet ExplorerCHTMLEditor Remote Code Execution Vulnerability: Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2013-0029

Updated

2023-12-07

CVE-2013-0023

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer CDispNode Use After Free Vulnerability."

Max CVSS

9.3

EPSS Score

87.86%

Published

2013-02-13

Updated

2023-12-07

CVE-2013-0024

Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer pasteHTML Use After Free Vulnerability."

Max CVSS

9.3

EPSS Score

87.86%

Published

2013-02-13

Updated

2023-12-07

CVE-2013-0025

Public exploit

Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer SLayoutRun Use After Free Vulnerability."

Max CVSS

9.3

EPSS Score

97.26%

Published

2013-02-13

Updated

2018-10-12

CVE-2013-0026

Max CVSS

9.3

EPSS Score

83.44%

Published

2013-02-13

Updated

2023-12-07

CVE-2013-0027

Max CVSS

9.3

EPSS Score

83.44%

Published

2013-02-13

Updated

2018-10-12

CVE-2013-0028

Max CVSS

9.3

EPSS Score

87.86%

Published

2013-02-13

Updated

2018-10-12

CVE-2013-0029

Max CVSS

9.3

EPSS Score

87.86%

Published

2013-02-13

Updated

2023-12-07

MS13-009 Cumulative Security Update for Internet Explorer

Related CVE Entries