[VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability

[Dinesh Theerthagiri]

George,

We are sure yet weather CVE-2013-3871 is related to Memory Corruption Vulnerability types. There could be possibility that this CVE was reserved for some other Vulnerability type for future release, that we are not sure either. There is no much information from MS too.

They also say that CVE-2013-3871 will be addressed in future release , may in November 2013. 

http://technet.microsoft.com/en-us/security/bulletin/ms13-080

In this bulletin they say 
" V1.3 (October 10, 2013): Bulletin revised to remove CVE-2013-3871 from the vulnerabilities addressed by this update. Including this CVE in the original security bulletin text was a documentation error. CVE-2013-3871 is scheduled to be addressed in a future security update. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action."

Currently, we retired the BID 62802 to avoid more confusion and we'll update based on Microsoft's confirmed information. 

Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Friday, October 11, 2013 6:43 AM
To: Vulnerability Information Managers
Subject: [VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability

Dinesh / Narayan / Venkat / Rob : would you help me understand the reasoning for SecurityFocus' retiring BID 62802? This is for the memory corruption vulnerability (CVE-2013-3871) that Microsoft noted was included by mistake in MS13-080 and intends to patch at a later date.  There's still a memory corruption vulnerability regardless of whether it's been patched, right?


George
-- 
theall at tenable.com