[VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability

George Theall gtheall at tenable.com
Fri Oct 11 15:12:31 CDT 2013


On Oct 11, 2013, at 3:25 PM, Dinesh Theerthagiri <Dinesh_Theerthagiri at symantec.com> wrote:

> George,
> 
> We are sure yet whether CVE-2013-3871 is related to Memory Corruption Vulnerability types. There could be a possibility that this CVE was reserved for some other Vulnerability type for a future release; we are not sure of that either. There is not much information from MS too.
> 
> They also say that CVE-2013-3871 will be addressed in a future release, maybe in November 2013.
> 
> http://technet.microsoft.com/en-us/security/bulletin/ms13-080
> 
> In this bulletin they say:
> "V1.3 (October 10, 2013): Bulletin revised to remove CVE-2013-3871 from the vulnerabilities addressed by this update. Including this CVE in the original security bulletin text was a documentation error. CVE-2013-3871 is scheduled to be addressed in a future security update. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action."
> 
> Currently, we retired the BID 62802 to avoid more confusion and we'll update based on Microsoft's confirmed information. 

Microsoft's not saying that the CVE might be allocated to some other vulnerability, only that they mistakenly claimed a fix for it had been released as part of MS13-080. 

Mitre has not rejected the CVE either, although that entry still references MS13-080.

Perhaps someone from ZDI can shed some light since, according to an earlier copy of the advisory (http://web.archive.org/web/20131009121613/http:/technet.microsoft.com/en-us/security/bulletin/ms13-080), the CVE is for an issue reported by Simon Zukerbraun working through them.

> 
> Thanks,
> T.Dinesh
> 
> -----Original Message-----
> From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
> Sent: Friday, October 11, 2013 6:43 AM
> To: Vulnerability Information Managers
> Subject: [VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability
> 
> Dinesh / Narayan / Venkat / Rob : would you help me understand the reasoning for SecurityFocus' retiring BID 62802? This is for the memory corruption vulnerability (CVE-2013-3871) that Microsoft noted was included by mistake in MS13-080 and intends to patch at a later date.  There's still a memory corruption vulnerability regardless of whether it's been patched, right?
> 
> 
> George
> -- 
> theall at tenable.com
> 

George
-- 
theall at tenable.com


