=====================================================================
                            CERT-Renater
                 Information Note No. 2013/VULN496
_____________________________________________________________________

DATE                 : 13/11/2013

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Internet Explorer versions
                       6, 7, 8, 9, 10, 11.

======================================================================
https://technet.microsoft.com/en-us/security/bulletin/ms13-088
______________________________________________________________________

Microsoft Security Bulletin MS13-088 - Critical

Cumulative Security Update for Internet Explorer (2888505)

Published: Tuesday, November 12, 2013

Version: 1.0

General Information

Executive Summary

This security update resolves ten privately reported vulnerabilities
in Internet Explorer. The most severe vulnerabilities could allow
remote code execution if a user views a specially crafted webpage
using Internet Explorer. An attacker who successfully exploited the
most severe of these vulnerabilities could gain the same user rights
as the current user. Users whose accounts are configured to have fewer
user rights on the system could be less impacted than users who
operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6,
Internet Explorer 7, Internet Explorer 8, Internet Explorer 9,
Internet Explorer 10, and Internet Explorer 11 on affected Windows
clients and Important for Internet Explorer 6, Internet Explorer 7,
Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on
affected Windows servers. In addition, for Internet Explorer 11 on
affected Windows servers, this security update is rated Moderate. For
more information, see the subsection, Affected and Non-Affected
Software, in this section.

Affected Software

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9
Internet Explorer 10
Internet Explorer 11

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows Server 2012
Windows RT
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012 R2
Windows RT 8.1

Vulnerability Information

Internet Explorer Information Disclosure Vulnerability - CVE-2013-3908

An information disclosure vulnerability exists in the way that
Internet Explorer handles specially crafted web content when
generating print previews. An attacker who successfully exploited this
vulnerability could gather information from any page that the victim
is viewing.
To view this vulnerability as a standard entry in the Common
Vulnerabilities and Exposures list, see CVE-2013-3908.

Internet Explorer Information Disclosure Vulnerability - CVE-2013-3909

An information disclosure vulnerability exists in the way that
Internet Explorer processes CSS special characters. An attacker could
exploit the vulnerability by constructing a specially crafted webpage
that could allow information disclosure if a user viewed the webpage.
An attacker who successfully exploited this vulnerability could view
content from another domain or Internet Explorer zone.
To view this vulnerability as a standard entry in the Common
Vulnerabilities and Exposures list, see CVE-2013-3909.

Multiple Memory Corruption Vulnerabilities in Internet Explorer

Remote code execution vulnerabilities exist when Internet Explorer
improperly accesses objects in memory. These vulnerabilities could
corrupt memory in such a way that an attacker could execute arbitrary
code in the context of the current user.

Vulnerability title                                  CVE number
Internet Explorer Memory Corruption Vulnerability    CVE-2013-3871
Internet Explorer Memory Corruption Vulnerability    CVE-2013-3910
Internet Explorer Memory Corruption Vulnerability    CVE-2013-3911
Internet Explorer Memory Corruption Vulnerability    CVE-2013-3912
Internet Explorer Memory Corruption Vulnerability    CVE-2013-3914
Internet Explorer Memory Corruption Vulnerability    CVE-2013-3915
Internet Explorer Memory Corruption Vulnerability    CVE-2013-3916
Internet Explorer Memory Corruption Vulnerability    CVE-2013-3917

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax  : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr   +
==========================================================