CVE-2013-3918 — Microsoft Windows Out-of-Bounds Write Vulnerability

CVE-2013-3918

Microsoft Windows — InformationCardSigninHelper ActiveX Out-of-Bounds Write Used in Operation GreedyWonk Water-Hole Attacks

What is the InformationCardSigninHelper ActiveX Control?

The InformationCardSigninHelper ActiveX control (icardie.dll) was part of Windows CardSpace — Microsoft's information card system for identity management introduced in Windows Vista. When a user visited a website that supported Windows CardSpace authentication, Internet Explorer would invoke icardie.dll to manage the identity selection and sign-in process. The ActiveX control was registered in IE and could be instantiated by any webpage that referenced its CLSID, giving web content direct access to the control's functionality — and its vulnerabilities.

Overview

CVE-2013-3918 is an out-of-bounds write vulnerability (CWE-119) in the InformationCardSigninHelper ActiveX control (icardie.dll) in Windows. A specially crafted webpage can instantiate the control and trigger the memory corruption, allowing arbitrary code execution as the current user. This vulnerability was exploited as a zero-day in Operation GreedyWonk — a targeted water-holing campaign against foreign policy, defense policy, and international affairs organizations.

Microsoft patched this via MS13-090 by setting the ActiveX kill-bit for icardie.dll.

Affected Versions

Operating System                     Affected
Windows XP SP3                       Yes (with IE 6/7/8)
Windows Vista SP2                    Yes
Windows 7 SP1                        Yes
Windows Server 2003/2008/2008 R2     Yes

Technical Details

ActiveX controls exposed to web content through Internet Explorer have a long history as an attack surface. icardie.dll implements the Windows CardSpace information card sign-in functionality. The out-of-bounds write occurs in the control's processing of data passed from the web page — when IE invokes the control with attacker-crafted input, the control writes beyond the boundary of an allocated buffer in the IE process, corrupting heap memory.

Exploitation: Corrupting heap memory with attacker-controlled content enables:

  1. Overwriting adjacent heap objects (particularly objects with virtual function tables)
  2. Redirecting virtual function calls to attacker shellcode via vtable pointer hijacking
  3. Full code execution as the current user

Kill-bit mitigation: MS13-090 addressed the vulnerability by setting the ActiveX kill-bit for the InformationCardSigninHelper control — a registry setting that instructs IE to refuse instantiation of the control from web content. This is a "disable rather than patch" approach, which was appropriate given that Windows CardSpace was already being deprecated.

Operation GreedyWonk: FireEye reported in February 2014 that CVE-2013-3918 was used in a water-holing campaign against foreign and defense policy organization websites. The operation targeted US-based think tanks, non-profit organizations, and institutes focused on foreign affairs and national security policy. The exploit was served to IE users visiting compromised websites in these sectors.

Discovery

Discovered in the context of Operation GreedyWonk attacks. Microsoft patched via kill-bit in MS13-090 in November 2013, though the operation report was not published until February 2014. CISA added this to the KEV catalog in October 2025, over a decade after the patch, confirming sustained exploitation during the vulnerability's active window.

Exploitation Context

CISA confirmed exploitation in the wild. Operation GreedyWonk was attributed to Chinese state-sponsored APT actors and represented one of several simultaneous 2013–2014 water-holing campaigns against foreign policy organizations — a pattern indicating systematic intelligence collection against think tanks, academic researchers, and policy professionals working on US foreign and defense policy.

Remediation

  1. Apply MS13-090 — sets the kill-bit for icardie.dll, blocking its instantiation from web content
  2. Internet Explorer reached end-of-life on June 15, 2022 — uninstall or disable IE entirely and migrate to Microsoft Edge
  3. Windows CardSpace was deprecated in Windows 8; any remaining CardSpace-dependent applications should be migrated
  4. Audit and restrict ActiveX controls in enterprise IE environments via Group Policy to allow only specifically approved CLSIDs
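To verify the kill-bit mitigation described above on a given host, the following PowerShell script (an added example, not part of the advisory or of MS13-090) locates every COM class registered to icardie.dll and reports whether IE's "Compatibility Flags" value carries the kill-bit (0x400) for it. The CLSID is discovered from the registry rather than hard-coded because the advisory does not list it; on a host with MS13-090 applied the output should show the kill-bit set.

```powershell
# Added example: audit the ActiveX kill-bit for every COM class served by icardie.dll.
# The CLSID is looked up from InprocServer32 entries, not hard-coded (assumption: the
# control is registered under HKLM\SOFTWARE\Classes like any in-process COM server).
$dll = 'icardie.dll'
$killBit = 0x400   # Compatibility Flags bit that makes IE refuse to instantiate a control
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

# Step 1: find CLSIDs whose in-process server is icardie.dll (32- and 64-bit views).
$clsids = foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $server = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'
        if ($server -and $server -like "*$dll") { $_.PSChildName }
    }
}
$clsids = $clsids | Sort-Object -Unique

if (-not $clsids) {
    Write-Output "$dll is not registered as a COM server on this host; nothing to check."
    return
}

# Step 2: for each CLSID, read the kill-bit state in both ActiveX Compatibility hives.
foreach ($clsid in $clsids) {
    foreach ($root in $compatRoots) {
        $key   = Join-Path $root $clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        $state = if ($flags -band $killBit) { 'kill-bit SET' } else { 'kill-bit MISSING' }
        Write-Output ("{0}  {1}  {2}" -f $clsid, $root, $state)
    }
}
```

Run it elevated on each IE-capable host; a "kill-bit MISSING" line for a CLSID that is registered means MS13-090 (or an equivalent Group Policy kill-bit) has not taken effect there.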

Key Details

Property                Value
CVE ID                  CVE-2013-3918
Vendor / Product        Microsoft — Windows
NVD Published           2013-11-12
NVD Last Modified       2025-10-22
CVSS 3.1 Score          8.8
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity                HIGH
CWE                     CWE-119
CISA KEV Added          2025-10-06
CISA KEV Deadline       2025-10-27
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2025-10-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2013-11-11    Microsoft releases MS13-090 (November 2013 Patch Tuesday), setting the kill bit for the InformationCardSigninHelper ActiveX control (icardie.dll)
2013-11-12    CVE-2013-3918 published
2014-02       FireEye publishes the Operation GreedyWonk report detailing use of CVE-2013-3918 in water-hole attacks against foreign policy organizations
2025-10-06    Added to the CISA Known Exploited Vulnerabilities catalog
2025-10-27    CISA BOD 22-01 remediation deadline

References

Resource                                  Type
NVD — CVE-2013-3918                       Vulnerability Database
CISA KEV Catalog Entry                    US Government
Microsoft Security Bulletin MS13-090      Vendor Advisory