
Thirteen Critical Vulnerabilities Reported In Internet Explorer


(Microsoft Security Bulletin MS13-009)

Summary


Thirteen critical "use-after-free" vulnerabilities have been reported in Microsoft Internet Explorer. Successful exploitation of any of these issues could allow a remote attacker to execute arbitrary code on a targeted machine. The Check Point IPS Software Blade protects unpatched systems against all of these vulnerabilities.

Details


Multiple remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Solution

Check Point recommends deploying the updates described in MS13-009 as soon as is practical. In the meantime, the Check Point IPS Software Blade protects unpatched systems against these issues in the latest IPS update by detecting and blocking attempts to open malicious HTML files.

The following table gives a brief description of each vulnerability, the associated CVE number, and the applicable Check Point Protection. Each protection link includes information on the versions of Internet Explorer that are affected by a particular vulnerability.

Internet Explorer Vulnerability | Industry Reference | Check Point Protection
SLayoutRun Use After Free | CVE-2013-0025 | CPAI-2013-075
CPasteCommand Use After Free | CVE-2013-0027 | CPAI-2013-076
CObjectElement Use After Free | CVE-2013-0028 | CPAI-2013-077
CHTML Use After Free | CVE-2013-0029 | CPAI-2013-078
SetCapture Use After Free | CVE-2013-0018 | CPAI-2013-079
CMarkup Use After Free | CVE-2013-0020 | CPAI-2013-080
pasteHTML Use After Free | CVE-2013-0024 | CPAI-2013-081
CDispNode Use After Free | CVE-2013-0023 | CPAI-2013-1052
vtable Use After Free Memory Corruption | CVE-2013-0021 | CPAI-2013-1079
LsGetTrailInfo Use After Free | CVE-2013-0022 | CPAI-2013-1266
COmWindowProxy Use After Free | CVE-2013-0019 | CPAI-2013-1267
Shift JIS Character Encoding | CVE-2013-0015 | CPAI-2013-380
InsertElement Use After Free | CVE-2013-0026 | CPAI-2013-381

 

Originally Published:

Last Updated: 21-Feb-2013
