What is Microsoft Internet Explorer?
Microsoft Internet Explorer is a graphical web browser developed by Microsoft. IE's rendering engine (Trident/MSHTML) processes HTML and CSS layout, maintaining C++ objects representing DOM elements and their display state. Memory corruption vulnerabilities in IE's rendering engine arise when these internal objects are accessed out-of-bounds or after being freed, allowing attacker-controlled data to corrupt adjacent memory.
Overview
CVE-2013-3163 is a memory corruption vulnerability (CWE-787 — out-of-bounds write) in Microsoft Internet Explorer 6 through 10. The flaw occurs in how IE handles certain DOM operations during page layout — specifically involving the CDisplayPointer class used to track text insertion positions and selection ranges in the document. A crafted web page can trigger an out-of-bounds write, corrupting heap memory and enabling arbitrary code execution in the context of the current user.
Microsoft patched this in MS13-055, released as part of the July 2013 Patch Tuesday cycle.
Affected Versions
| Internet Explorer Version | Affected |
|---|---|
| Internet Explorer 6 | Yes |
| Internet Explorer 7 | Yes |
| Internet Explorer 8 | Yes |
| Internet Explorer 9 | Yes |
| Internet Explorer 10 | Yes |
| Internet Explorer 11 | Not affected |
Technical Details
The vulnerability is in IE's DOM text selection and cursor management machinery. The CDisplayPointer class maintains internal state for text cursor positioning within the rendered document. When JavaScript or HTML operations manipulate the document layout in specific ways — such as modifying element visibility or position while selection state is active — the CDisplayPointer code performs an out-of-bounds write (CWE-787) to heap memory beyond the allocated object bounds.
Exploitation: Out-of-bounds writes to the heap can be leveraged by:
- Arranging a high-value target object adjacent to the vulnerable allocation (heap grooming)
- Triggering the out-of-bounds write to corrupt the target object's fields, particularly vtable pointers
- Triggering a virtual function call on the corrupted object to redirect execution
The High confidentiality, integrity and availability impact in the CVSS vector reflects that a successful exploit provides arbitrary code execution as the browser user.
Version breadth: Affecting IE 6 through 10 provided wide coverage across the Windows XP, Vista, 7, and 8 installed base, making the vulnerability attractive for broad exploitation campaigns.
Discovery
Discovered through security research and reported to Microsoft, resulting in a fix in the July 2013 Patch Tuesday release MS13-055. CISA added this to the KEV catalog in March 2023, indicating confirmed exploitation.
Exploitation Context
CISA confirmed in-the-wild exploitation. IE memory corruption vulnerabilities of this type were regularly incorporated into exploit kits and used in targeted attacks throughout 2013. The fact that CISA added this to KEV in 2023 (nearly a decade after the patch) indicates the vulnerability saw exploitation against organizations that had not applied the 2013 patch, or were still running IE on systems where updates had stalled.
Remediation
Internet Explorer reached end-of-life on June 15, 2022. Organizations should:
- Uninstall or disable Internet Explorer — Microsoft Edge is the supported replacement
- For historical remediation: MS13-055 (July 2013) patches this vulnerability for IE 6–10
- Remove IE from default application associations and disable the iexplore.exe binary via Software Restriction Policies or AppLocker
- Audit any remaining legacy applications requiring IE — migrate to Microsoft Edge with IE compatibility mode as an interim step
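One way to carry out the "disable iexplore.exe" step above with AppLocker, as an added example that is not part of the advisory: a publisher-based deny rule for iexplore.exe is written to an AppLocker policy XML, dry-run with Test-AppLockerPolicy, and merged into the local policy. It assumes an elevated session on an edition that ships the AppLocker cmdlets, the Application Identity service running, an existing policy that already holds the default Allow rules for the Exe collection, and that the publisher fields shown are the ones reported for iexplore.exe on the target host.

```powershell
# Added example (not from the advisory): block Internet Explorer with an AppLocker
# publisher deny rule. Assumptions: run elevated, AppIDSvc running, and an existing
# AppLocker policy whose Exe collection already contains the default Allow rules
# (an Exe collection with only a Deny rule would block every other executable).
# The publisher fields below are assumed; confirm them on a reference host with:
#   (Get-AppLockerFileInformation -Path $IePath).Publisher

$IePath = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
$RuleId = [guid]::NewGuid().ToString()

# A publisher condition still matches if the binary is copied or renamed; a path
# condition would not. UserOrGroupSid S-1-1-0 is the well-known SID for Everyone.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$RuleId" Name="Deny Internet Explorer (end-of-life)"
        Description="IE is end-of-life; block iexplore.exe for all users"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="INTERNET EXPLORER" BinaryName="IEXPLORE.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyFile = Join-Path $env:TEMP 'deny-iexplore.xml'
Set-Content -Path $PolicyFile -Value $PolicyXml -Encoding UTF8

# Dry run: report the decision AppLocker would reach for the local IE binaries
# (64-bit and 32-bit install paths) before anything is enforced.
$Targets = @($IePath, "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe") |
    Where-Object { Test-Path $_ }
if ($Targets) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Targets -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Merge the deny rule into the effective local policy; a Deny rule takes
# precedence over any Allow rule that also matches the file.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

For fleet-wide enforcement, import the same XML into a Group Policy object rather than applying it host by host.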
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2013-3163 |
| Vendor / Product | Microsoft — Internet Explorer |
| NVD Published | 2013-07-10 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2023-03-30 |
| CISA KEV Deadline | 2023-04-20 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2013-07-09 | Microsoft releases MS13-055 (July 2013 Patch Tuesday) patching CVE-2013-3163 across IE 6–10 |
| 2013-07-10 | CVE-2013-3163 published |
| 2023-03-30 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-04-20 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2013-3163 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS13-055 | Vendor Advisory |