CERT-In Vulnerability Note
CIVN-2013-0214
Use-After-Free Vulnerability in Microsoft Scripting Runtime Object Library
Original Issue Date:December 11, 2013
Severity Rating: HIGH
Systems Affected
- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2(32 & 64 bit)
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista SP2(32 & 64 bit)
- Windows Server 2008 SP2(32 & 64 bit)
- Windows Server 2008 for Itanium-based Systems SP2
- Windows 7 SP1( 32 & 64 bit)
- Windows Server 2008 R2 for x64-based Systems SP1
- Windows Server 2008 R2 for Itanium-based Systems SP1
- Windows 8 (32 & 64 bit)
- Windows 8.1 (32 & 64 bit)
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT
- Windows RT 8.1
- Windows Server 2008 SP2 (32 & 64 bit server core installation)
- Windows Server 2008 R2 SP1 x64 bit (server core installation)
- Windows Server 2012 (server core installation)
- Windows Server 2012 R2 (server core installation)
Component Affected
- Windows Script 5.6, 5.7 and 5.8
Overview
A use after free vulnerability has been reported in Microsoft Scripting Runtime Object Library (scrrun.dll) which could allow a remote attacker to execute arbitrary code on the targeted system with the privileges of logged in user.
Description
This vulnerability exists in Microsoft scripting runtime object library component due to improper handling of memory objects when parsing scripting content. An unauthenticated remote attacker could exploit this vulnerability by convincing a user to visit a specially crafted web page using Internet Explorer or a document that contains malicious scripting content.
Successful exploitation of this vulnerability results in denial of service conditions or execution of arbitrary code with the privileges of the logged in user on the targeted system.
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin
MS13-099
Vendor Information
Microsoft
https://technet.microsoft.com/en-us/security/bulletin/ms13-099
References
Microsoft
https://technet.microsoft.com/en-us/security/bulletin/ms13-099
https://support.microsoft.com/kb/2909158
Secunia
http://secunia.com/advisories/55981
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=31987
Security Focus
http://www.securityfocus.com/bid/64082
CVE Name
CVE-2013-5056
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
|