CVE-2013-0074 — Microsoft Silverlight Double Dereference Vulnerability

CVE-2013-0074

Microsoft Silverlight — Double Pointer Dereference in HTML Rendering Enables Drive-By RCE, Exploited by Ransomware Kits

What is Microsoft Silverlight?

Microsoft Silverlight was a browser plugin similar in purpose to Adobe Flash — it enabled rich interactive applications in web pages, including video streaming, animations, and data visualizations. Silverlight was particularly used by Netflix (until 2016) and some enterprise line-of-business applications. Like Flash, its browser plugin integration created attack surface exploitable through drive-by downloads. Microsoft ended support for Silverlight on October 12, 2021.

Overview

CVE-2013-0074 is a double pointer dereference vulnerability in Microsoft Silverlight's HTML object rendering engine. The flaw arises from improper validation of pointers when processing HTML objects within a Silverlight application — following a freed or invalid pointer a second time leads to memory corruption and allows arbitrary code execution.

Despite the "Local" CVSS attack vector, the vulnerability was exploited via drive-by download: a Silverlight application embedded in a web page triggers the vulnerability when rendered in the browser. The "Local" designation reflects that Silverlight plugin content renders in the local browser process context.

Microsoft patched this in Security Bulletin MS13-022 on March 12, 2013.

Affected Versions

Product                                                          Affected   Fixed
Microsoft Silverlight 5 prior to 5.1.20125.0                     Yes        5.1.20125.0 (MS13-022)
Microsoft Silverlight 5 Developer Runtime prior to 5.1.20125.0   Yes        MS13-022

Technical Details

A double dereference vulnerability occurs when a pointer to freed or invalid memory is dereferenced twice. In Silverlight's HTML rendering, an object pointer could become invalid during rendering operations; the code then dereferenced this invalid pointer a second time, causing memory corruption. Depending on heap state, this corruption could be leveraged into reliable code execution by an attacker who controls the Silverlight application content.

Attack delivery: a malicious website hosts a Silverlight application (.xap file) that triggers the vulnerability. When a user with the Silverlight plugin visits the page, the plugin loads and processes the malicious application, triggering the double dereference. In practice no user interaction beyond visiting the page is required, despite the "User Interaction: Required" CVSS designation (which counts visiting a page as user interaction).

Discovery

The vulnerability was discovered through security research and coordinated with Microsoft prior to the March 2013 Patch Tuesday release.

Exploitation Context

CVE-2013-0074 was incorporated into major crimeware exploit kits — most notably Angler Exploit Kit and Neutrino Exploit Kit — which used it to deliver ransomware payloads. At the time, Netflix and other streaming services used Silverlight, meaning the plugin had broad consumer and enterprise deployment. Silverlight exploit kit integration allowed attackers to reach users who had patched Java but still had Silverlight installed.

Remediation

Microsoft Silverlight reached end-of-life on October 12, 2021. Organizations should:

  1. Verify Silverlight is completely removed from all endpoints
  2. Check via Group Policy or endpoint management for any remaining Silverlight installations
  3. Audit legacy intranet applications or streaming services that may have required Silverlight — migrate to HTML5 alternatives
  4. Block .xap file downloads at web content filters
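The first two steps above can be scripted. The following PowerShell is an added example, not part of the advisory and not a Microsoft tool: it inventories Silverlight on a Windows endpoint from the standard Uninstall registry hives (including the Wow6432Node view for the 32-bit plugin on 64-bit Windows) and compares any version found against the 5.1.20125.0 fix level named above. The HKLM\SOFTWARE\Microsoft\Silverlight "Version" value is an assumed location taken from common detection practice; verify it on a reference machine before relying on it.

```powershell
# Added example: flag Silverlight installs on a Windows endpoint.
# Any install is a finding (the product is end-of-life); builds older than
# the MS13-022 fix level are additionally exposed to CVE-2013-0074.
$FixedVersion = [version]'5.1.20125.0'   # fix level from MS13-022 (from the advisory)

function Get-SilverlightInstall {
    $found = @()

    # 1. Standard Windows Uninstall hives (64-bit and 32-bit views)
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($p in $uninstallPaths) {
        $entries = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue |
                   Where-Object { $_.DisplayName -like '*Silverlight*' }
        foreach ($e in $entries) {
            $found += [pscustomobject]@{
                Source  = 'Uninstall'
                Name    = $e.DisplayName
                Version = $e.DisplayVersion
            }
        }
    }

    # 2. Silverlight's own version key (ASSUMED location; verify locally)
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Silverlight',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight') {
        $v = (Get-ItemProperty -Path $k -Name Version -ErrorAction SilentlyContinue).Version
        if ($v) {
            $found += [pscustomobject]@{
                Source  = 'SilverlightKey'
                Name    = 'Microsoft Silverlight'
                Version = $v
            }
        }
    }
    return $found
}

function Test-SilverlightRisk {
    param([Parameter(ValueFromPipeline)] $Install)
    process {
        $ver = $null
        $parsed = [version]::TryParse([string]$Install.Version, [ref]$ver)
        if (-not $parsed) {
            $status = 'INSTALLED (version could not be parsed; treat as EOL, remove)'
        } elseif ($ver -lt $FixedVersion) {
            $status = 'VULNERABLE to CVE-2013-0074 (pre-MS13-022) and EOL: remove'
        } else {
            $status = 'INSTALLED (patched for CVE-2013-0074, but EOL: remove)'
        }
        [pscustomobject]@{
            Source  = $Install.Source
            Name    = $Install.Name
            Version = $Install.Version
            Status  = $status
        }
    }
}

$installs = Get-SilverlightInstall
if (-not $installs) {
    Write-Output "$($env:COMPUTERNAME): no Silverlight installation found"
} else {
    $installs | Test-SilverlightRisk | Format-Table -AutoSize
}
```

Run it under an elevated session via your endpoint management tooling (or Invoke-Command against a list of hosts) and collect the output centrally; a machine that reports anything other than "no Silverlight installation found" belongs on the removal list regardless of version, since even a patched build has been unsupported since October 2021.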

Key Details

Property               Value
CVE ID                 CVE-2013-0074
Vendor / Product       Microsoft — Silverlight
NVD Published          2013-03-13
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2022-05-25
CISA KEV Deadline      2022-06-15
Known Ransomware Use   ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date         Event
2013-03-12   Microsoft releases MS13-022 patching the Silverlight double dereference vulnerability
2013-03-13   CVE-2013-0074 published
2013         Angler Exploit Kit and Neutrino EK integrate Silverlight exploit for ransomware delivery
2022-05-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15   CISA BOD 22-01 remediation deadline

References

Resource                               Type
NVD — CVE-2013-0074                    Vulnerability Database
CISA KEV Catalog Entry                 US Government
Microsoft Security Bulletin MS13-022   Vendor Advisory