What is Microsoft Internet Explorer?
Microsoft Internet Explorer was the dominant enterprise browser through the 2010s, with especially high market share in Japan's corporate and government sectors. IE's mouse handling subsystem includes SetMouseCapture — an internal mechanism that redirects all mouse events to a specific element until capture is released. When an element captures mouse input and is subsequently deleted from the DOM before capture is released, IE's mouse dispatch code holds a dangling pointer to the freed element.
Overview
CVE-2013-3893 is a use-after-free vulnerability (CWE-399) in Microsoft Internet Explorer involving the SetMouseCapture API. When JavaScript manipulates the DOM to delete a mouse-capturing element without releasing mouse capture, IE's internal event dispatch code retains a dangling pointer to the freed element. Accessing the freed element during subsequent mouse event processing triggers the use-after-free, enabling arbitrary code execution. This was a zero-day exploited in Operation DeputyDog — a targeted attack campaign against Japanese government, technology, and defense organizations.
Microsoft released out-of-band emergency patch MS13-080 on October 8, 2013.
Affected Versions
| Internet Explorer Version | Affected |
|---|---|
| Internet Explorer 8 | Yes |
| Internet Explorer 9 | Yes |
| Internet Explorer 10 | Yes |
| Internet Explorer 6 | Not affected |
| Internet Explorer 7 | Not affected |
| Internet Explorer 11 | Not affected |
Technical Details
Internet Explorer's mouse capture mechanism routes all mouse events to a designated element after SetMouseCapture() is called. IE maintains an internal pointer to the capturing element. The use-after-free occurs when:
1. JavaScript calls SetMouseCapture() on a DOM element, registering it to receive all mouse events
2. JavaScript subsequently removes the same element from the DOM without explicitly releasing mouse capture
3. IE frees the element's internal C++ object as part of DOM cleanup
4. The mouse capture pointer in IE's event dispatch system still points to the freed memory (a dangling pointer)
5. When the user moves the mouse or triggers another mouse event, IE dispatches it to the freed element via the dangling pointer
An attacker who controls the heap (via JavaScript heap spray) can fill the freed memory with attacker-controlled data before step 5, redirecting execution when IE calls a virtual method on the dangling pointer.
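The sequence above, replayed in a small C model with both the faulty teardown and the corrected one. This is an added illustration, not code from the advisory and not IE's actual implementation: the Element type, the four-slot slab allocator that hands a freed slot straight back on the next allocation, and every function name here are hypothetical stand-ins chosen to make the dangling capture pointer observable without touching real freed heap memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical DOM element; not IE's real object layout. */
typedef struct Element {
    char tag[16];
    int  mouse_events_received;
} Element;

/* Tiny slab allocator (hypothetical). A freed slot is reused by the very next
 * allocation, which is the heap behaviour a use-after-free depends on. */
#define SLAB_SLOTS 4
static Element slab[SLAB_SLOTS];
static int     slab_in_use[SLAB_SLOTS];

/* Dispatch-side pointer to the capturing element; IE keeps an analogous one. */
static Element *g_capture = NULL;

Element *element_create(const char *tag) {
    for (int i = 0; i < SLAB_SLOTS; i++) {
        if (!slab_in_use[i]) {
            slab_in_use[i] = 1;
            memset(&slab[i], 0, sizeof slab[i]);
            strncpy(slab[i].tag, tag, sizeof slab[i].tag - 1);
            return &slab[i];
        }
    }
    return NULL;
}

static void slab_free(Element *e) {
    for (int i = 0; i < SLAB_SLOTS; i++) {
        if (&slab[i] == e) {
            slab_in_use[i] = 0;
            memset(e, 0xAA, sizeof *e);   /* poison, like a debug heap would */
            return;
        }
    }
}

void set_mouse_capture(Element *e) { g_capture = e; }
void release_mouse_capture(void)   { g_capture = NULL; }
int  capture_is_held(void)         { return g_capture != NULL; }

/* Vulnerable teardown: removes and frees the element but never asks whether
 * it is the current capture target, so g_capture is left dangling. */
void element_remove_vulnerable(Element *e) {
    slab_free(e);
}

/* Hardened teardown: capture release is part of object destruction, so no
 * dangling pointer survives the free. */
void element_remove_hardened(Element *e) {
    if (g_capture == e)
        release_mouse_capture();
    slab_free(e);
}

/* Routes a mouse event to the capture target. Returns the element that
 * received it, or NULL when nothing holds capture. */
Element *dispatch_mouse_move(void) {
    if (g_capture == NULL)
        return NULL;
    g_capture->mouse_events_received++;
    return g_capture;
}

/* Replays steps 1-5 with either teardown. Returns 1 when the event lands on
 * an element other than the one that captured it (the use-after-free
 * symptom), 0 when dispatch correctly finds no capture target. */
int run_scenario(int hardened) {
    memset(slab_in_use, 0, sizeof slab_in_use);
    release_mouse_capture();

    Element *a = element_create("div");
    set_mouse_capture(a);                          /* step 1 */
    if (hardened)
        element_remove_hardened(a);                /* steps 2-3, fixed */
    else
        element_remove_vulnerable(a);              /* steps 2-3, faulty */

    /* The next allocation reuses a's slot. In the real attack this is the
     * attacker-controlled spray; here it is just an unrelated element. */
    Element *b = element_create("span");

    Element *hit = dispatch_mouse_move();          /* steps 4-5 */
    return hit != NULL && hit == b;
}

int main(void) {
    printf("vulnerable teardown: event misrouted = %d\n", run_scenario(0));
    printf("hardened teardown:   event misrouted = %d\n", run_scenario(1));
    return 0;
}
```

With the faulty teardown the mouse event is delivered to whatever object now occupies the freed slot; with the hardened one, dispatch finds no capture target and drops the event. The defensive point is the ownership rule the hardened variant encodes: any subsystem that holds a raw pointer to an object must be notified (or hold a reference) when that object is destroyed.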
Zero-day exploitation context: Microsoft acknowledged the unpatched zero-day via Security Advisory 2887505 on September 17, 2013 — the same day FireEye published its Operation DeputyDog report. The 21-day gap between public disclosure and the MS13-080 patch left IE 8–10 users exposed to a known, actively exploited zero-day with publicly available details.
Discovery
Discovered by FireEye, which identified the zero-day in the context of water-holing attacks against Japanese organizations in September 2013. FireEye published the Operation DeputyDog report on September 17, 2013, prompting Microsoft's same-day acknowledgment via security advisory.
Exploitation Context
CISA added this to the KEV catalog in August 2025, confirming historical exploitation. Operation DeputyDog was a coordinated APT campaign — assessed as Chinese state-sponsored — targeting Japanese organizations. Characteristics:
- Water-holing: Attackers compromised legitimate Japanese websites frequented by target organizations (technology companies, government contractors, defense industry)
- Selective targeting: The exploit was served specifically to IE 8, 9, and 10 users, matching the browser distribution of Japanese corporate environments
- Payload: Delivered a customized variant of the HiKit RAT (remote access trojan), designed for persistence and data exfiltration
The fact that CISA added this to KEV in 2025 — over a decade after the patch — indicates continued exploitation risk against organizations running outdated IE versions or unpatched Windows systems.
Remediation
Internet Explorer reached end-of-life on June 15, 2022. Organizations should:
- Uninstall or disable Internet Explorer — replace with Microsoft Edge immediately
- For historical remediation: MS13-080 (October 2013) patches CVE-2013-3893 for IE 8, 9, and 10
- Remove IE from default application associations via Group Policy and disable the iexplore.exe executable
- Audit any remaining systems with Internet Explorer installed — these systems may be running other long-unpatched vulnerabilities
- Implement network controls that block access from hosts running Internet Explorer to sensitive internal resources
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2013-3893 |
| Vendor / Product | Microsoft — Internet Explorer |
| NVD Published | 2013-09-18 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-399 |
| CISA KEV Added | 2025-08-12 |
| CISA KEV Deadline | 2025-09-02 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2013-09 | Zero-day exploitation begins — IE use-after-free deployed in Operation DeputyDog water-holing attacks against Japanese organizations |
| 2013-09-17 | FireEye publishes Operation DeputyDog report identifying the IE zero-day |
| 2013-09-17 | Microsoft releases Security Advisory 2887505 acknowledging the unpatched zero-day |
| 2013-09-18 | CVE-2013-3893 published |
| 2013-10-08 | Microsoft releases MS13-080 (out-of-band) patching CVE-2013-3893 |
| 2025-08-12 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-09-02 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2013-3893 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS13-080 | Vendor Advisory |