PT-2013-4219 · Microsoft · Windows RT +10

Published: 2013-10-09 · Updated: 2023-12-07 · CVE-2013-3195

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Windows common control library versions in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT

Description: A remote code execution vulnerability exists due to improper memory allocation in the Windows common control library. It could allow remote code execution if an attacker sends a specially crafted web request to an ASP.NET web application. The DSA_InsertItem function in Comctl32.dll is specifically affected, allowing attackers to execute arbitrary code via a crafted value in an argument.

Recommendations: For Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT, consider restricting access to ASP.NET web applications until a patch is available. As a temporary workaround, consider disabling the DSA_InsertItem function in Comctl32.dll to prevent exploitation. Avoid passing crafted values in arguments to ASP.NET web applications to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Weakness Enumeration

Related Identifiers

CVE-2013-3195

Affected Products

ASP.NET
Comctl32.dll
Windows
Windows 7
Windows 8
Windows RT
Windows Server 2003
Windows Server 2008
Windows Server 2012
Windows Vista
Windows XP