Thirteen Critical Vulnerabilities Reported In Internet Explorer
( Microsoft Security Bulletin MS13-009 )
Thirteen critical "use-after-free" vulnerabilities have been reported in Microsoft Internet Explorer. Successful exploitation of any of these issues could allow a remote attacker to execute arbitrary code on a targeted machine. The Check Point IPS Software Blade protects unpatched systems against all of these vulnerabilities.
Multiple remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Check Point recommends deploying the updates described in MS13-009 as soon as is practical. In the meantime, the Check Point IPS Software Blade protects unpatched systems against these issues in the latest IPS update by detecting and blocking attempts to open malicious HTML files.
Please consult the following table for the brief descriptions of each vulnerability, the associated CVE number, and the applicable Check Point Protection. Each protection link includes information on the versions of Internet Explorer that are affected by a particular vulnerability.
|Internet Explorer Vulnerability||Industry Reference||Check Point Protection|
|SLayoutRun Use After Free||CVE-2013-0025||CPAI-2013-075|
|CPasteCommand Use After Free||CVE-2013-0027||CPAI-2013-076|
|CObjectElement Use After Free||CVE-2013-0028||CPAI-2013-077|
|CHTML Use After Free||CVE-2013-0029||CPAI-2013-078|
|SetCapture Use After Free||CVE-2013-0018||CPAI-2013-079|
|CMarkup Use After Free||CVE-2013-0020||CPAI-2013-080|
|pasteHTML Use After Free||CVE-2013-0024||CPAI-2013-081|
|CDispNode Use After Free||CVE-2013-0023||CPAI-2013-1052|
|vtable Use After Free Memory Corruption||CVE-2013-0021||CPAI-2013-1079|
|LsGetTrailInfo Use After Free||CVE-2013-0022||CPAI-2013-1266|
|COmWindowProxy Use After Free||CVE-2013-0019||CPAI-2013-1267|
|Shift JIS Character Encoding||CVE-2013-0015||CPAI-2013-380|
|InsertElement Use After Free||CVE-2013-0026||CPAI-2013-381|
Last Updated: 21-Feb-2013