CVE-2013-0029

Vulnerability

A use-after-free vulnerability exists in the CHTML object of Microsoft Internet Explorer 6 through 9 [1]. The bug allows a remote attacker to trigger access to a deleted object in memory via a crafted web page [2]. Affected versions are Internet Explorer 6, 7, 8, and 9 on Windows clients and servers [1].

Exploitation

An attacker must host a specially crafted web site and convince a user to view it (typically via a link in an email or instant message) [1]. No authentication or special privileges are required; the attacker only needs to craft a page that triggers the use-after-free condition, leading to memory corruption that can be leveraged for code execution [2].

Impact

Successful exploitation allows remote code execution in the context of the current user [1]. An attacker could install programs, view/change/delete data, or create new accounts with full user rights [1]. Users with fewer administrative rights are less impacted than those with administrative privileges [1].

Mitigation

Microsoft released security update MS13-009 (KB2792100) on February 12, 2013, addressing this vulnerability for Internet Explorer 6 through 10 [1]. All affected versions are patched via that cumulative update [1]. Customers with automatic updating enabled received it automatically; manual installation is recommended otherwise [1]. No workaround or KEV listing has been published.