
JVNDB-2013-000093

Internet Explorer vulnerable to arbitrary code execution

Overview

Internet Explorer contains a vulnerability that may allow arbitrary code execution.

According to Microsoft, targeted attacks that attempt to exploit this vulnerability have been confirmed but are limited.

CVSS Severity

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Microsoft Corporation
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 7
  • Microsoft Internet Explorer 8
  • Microsoft Internet Explorer 9
  • Microsoft Internet Explorer 10
  • Microsoft Internet Explorer 11

Impact

If a user views a specially crafted web page, arbitrary code may be executed.

Solution

[Apply an update]
Apply Cumulative Security Update for Internet Explorer (2879017) according to the information provided by Microsoft.
(http://technet.microsoft.com/en-us/security/bulletin/ms13-080)

[Apply a workaround]
The following workarounds may mitigate the effects of this vulnerability.

* Apply Fix it 51001
(https://support.microsoft.com/kb/2887505)
* Apply Enhanced Mitigation Experience Toolkit (EMET)
(https://support.microsoft.com/kb/2458544/en)
* Restrict the execution of ActiveX controls and Active Scripting

For more information, please see "Suggested Actions" of Microsoft Security Advisory (2887505).
(http://technet.microsoft.com/en-us/security/advisory/2887505#section6)

Vendor Information

Microsoft Corporation

CWE

  1. Resource Management Errors (CWE-399) [NVD Evaluation]

CVE

  1. CVE-2013-3893

References

  1. JVN : JVN#27443259
  2. National Vulnerability Database (NVD) : CVE-2013-3893
  3. IPA SECURITY ALERTS : Security Alert for Internet Explorer (CVE-2013-3893) (in Japanese)
  4. JPCERT REPORT : Vulnerability in Microsoft Internet Explorer in September 2013 (in Japanese)

Revision History

  • [2013/09/19]
      Web page was published
  • [2013/09/26]
      Vendor Information : Contents were added
  • [2013/10/10]
      Solution was modified
      Vendor Information : Contents were added