What is Microsoft Internet Explorer?
Microsoft Internet Explorer's built-in Microsoft.XMLHTTP ActiveX control (and the related Msxml2.XMLHTTP variants) provides JavaScript with the ability to make HTTP requests. Exploit kits running in the browser used this control not only to fetch data from web servers but — via the same-origin policy exceptions in some IE versions — to probe the local file system for the existence of files. The ability to detect installed software from a web page gave exploit kit authors a powerful reconnaissance tool.
Overview
CVE-2013-7331 is an information disclosure vulnerability (CWE-200) in Microsoft Internet Explorer that allows remote attackers to determine whether specific files exist on a victim's local file system by querying resources loaded into memory via the Microsoft.XMLHTTP object. A crafted web page can test for the presence of file system paths — including security software executable paths, AV scanner directories, and sandbox indicators — and use the results to decide whether to deliver an exploit or remain dormant to avoid detection.
Microsoft patched this in MS14-052 (September 2014).
Affected Versions
| Internet Explorer Version | Affected |
|---|---|
| Internet Explorer 8 | Yes |
| Internet Explorer 9 | Yes |
| Internet Explorer 10 | Yes |
| Internet Explorer 11 | Yes |
| Internet Explorer 6/7 | Limited / not affected |
Technical Details
IE's Microsoft.XMLHTTP ActiveX object (part of MSXML) can be used by JavaScript to make requests to URLs. The vulnerability lies in how IE responds when JavaScript uses this mechanism to request a local file path (e.g., file:///C:/Program Files/...):
- A legitimate file path request succeeds: the object loads, and the request state changes appropriately
- A non-existent path request fails with a specific, detectable error state
By testing a series of well-known paths — such as antivirus software installation directories, security research tool executables, or virtual machine indicators — a web page can build a picture of what security software is installed on the victim machine. The inference is made without reading file contents (explaining the Low confidentiality impact), purely from whether the path exists.
Exploit kit weaponization: Exploit kit operators used CVE-2013-7331 as a victim profiling step:
- Test for common antivirus products (by checking their installation directories)
- Test for security researcher tools (debuggers, packet analyzers, sandbox indicators)
- Test for virtual machine artifacts (
vboxguest.sys, VMware directories) - If security tools are detected: serve benign content and avoid triggering detection
- If the machine appears to be an unprotected end-user system: deliver the exploit payload
This reconnaissance dramatically improved exploit kit operational security — by withholding payloads from sandboxed analysis environments and security researcher machines, kits avoided signature generation that would block their attacks on real targets.
A:L impact: The Availability: Low impact in the CVSS score reflects a secondary effect where certain query patterns cause IE to hang or crash, though the primary exploitation is informational.
Discovery
The XMLHTTP local file probing technique was observed in exploit kit JavaScript in 2013, analyzed by security researchers, and formalized as CVE-2013-7331. Microsoft patched it in the September 2014 Patch Tuesday cycle via MS14-052.
Exploitation Context
CISA confirmed exploitation in the wild. CVE-2013-7331 was extensively used by Blackhole, Angler, Nuclear, and other contemporary exploit kits as a victim fingerprinting step. The technique represented a significant evolution in exploit kit sophistication — moving from simple browser fingerprinting (user-agent, plugin detection) to direct filesystem interrogation, enabling kits to avoid delivering payloads to analysis environments.
Remediation
Internet Explorer reached end-of-life on June 15, 2022. Organizations should:
- Uninstall or disable Internet Explorer — replace with Microsoft Edge
- For historical remediation: MS14-052 (September 2014) patches this vulnerability
- Deploy endpoint protection that includes web content inspection and exploit kit detection, independent of whether IE is present
- Use browser isolation technologies that prevent browser code from accessing local file system paths
- Ensure sandbox environments and security analysis systems spoof or remove filesystem artifacts that fingerprinting scripts probe for
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2013-7331 |
| Vendor / Product | Microsoft — Internet Explorer |
| NVD Published | 2014-02-26 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
| Severity | MEDIUM |
| CWE | CWE-200 find similar ↗ |
| CISA KEV Added | 2022-05-25 |
| CISA KEV Deadline | 2022-06-15 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2013 | Exploit kits begin using XMLHTTP resource probing to detect installed security software on victim machines |
| 2014-02-26 | CVE-2013-7331 published |
| 2014-09-09 | Microsoft releases MS14-052 (September 2014 Patch Tuesday) patching CVE-2013-7331 |
| 2022-05-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2013-7331 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS14-052 | Vendor Advisory |