Unrated severity · NVD Advisory · Published Jul 10, 2013 · Updated Apr 29, 2026

CVE-2013-3166

Description

Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to inject arbitrary web script or HTML via vectors involving incorrect auto-selection of the Shift JIS encoding, leading to cross-domain scrolling events, aka "Shift JIS Character Encoding Vulnerability," a different vulnerability than CVE-2013-0015.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Microsoft Internet Explorer 6-10 auto-selects Shift JIS encoding, enabling cross-site scripting via cross-domain scrolling events.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Microsoft Internet Explorer 6 through 10 due to incorrect auto-selection of the Shift JIS character encoding [1]. This encoding mishandling allows an attacker to inject arbitrary web script or HTML, leading to cross-domain scrolling events, a variant of CVE-2013-0015 [1]. Affected versions include IE 6, 7, 8, 9, and 10 on Windows clients and servers [1][2].

Exploitation

An attacker can exploit this flaw by hosting a specially crafted webpage that triggers the incorrect encoding selection when rendered in Internet Explorer [1]. The attacker does not require authentication or special network access beyond hosting a website. User interaction is required: the victim must visit the malicious page (or attacker-controlled content served via a compromised site) [1]. The exploitation vector is cross-domain scrolling events, which bypass the same-origin policy when the Shift JIS encoding is auto-selected [1].

Impact

Successful exploitation allows a remote attacker to execute arbitrary script in the context of the victim's browser session, potentially leading to disclosure of sensitive data, session hijacking, or redirection to malicious sites [1]. The attacker gains no direct system-level privileges but can perform actions as the user in the affected domain [1].

Mitigation

Microsoft released security bulletin MS13-055 on July 9, 2013, providing cumulative update 2846071 that addresses this vulnerability and others [1]. The update is rated Critical for Windows clients and Moderate for Windows servers [1]. Automatic updating applies the fix by default [1]. Administrators should apply the update via Windows Update or WSUS [2]. No workaround is documented for unpatched systems [1][2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
  • (no CPE) range: 6-10
