Multiple vulnerabilities have been reported in Microsoft Internet Explorer, which can be exploited by malicious people to disclose sensitive information and compromise a user's system.

1) An error when handling the encoding for Shift_JIS auto-selection can be exploited to gain access to information in another domain or Internet Explorer zone.

2) A use-after-free error within the "SetCapture()" method can be exploited to dereference an invalid pointer.

3) A use-after-free error within the "COmWindowProxy" class when handling the window.open event can be exploited to dereference an invalid pointer.

4) A use-after-free error within the "document.adoptNode()" method when handling CMarkup and CDATA objects can be exploited to dereference an invalid pointer.

5) A use-after-free error related to vtable can be exploited to access an already freed object.

6) A use-after-free error related to LsGetTrailInfo can be exploited to access an already freed object.

7) A use-after-free error within the "CDispNode" class when handling SVG objects can be exploited to dereference already freed memory.

8) A use-after-free error within the "pasteHTML()" method when handling TextRange objects can be exploited to dereference an invalid pointer.

9) A use-after-free error when handling the "CParaElement" node of the "SLayoutRun" class can be exploited to reference an already freed object.

10) A use-after-free error related to InsertElement can be exploited to access an already freed object.

11) A use-after-free error related to CPasteCommand can be exploited to access an already freed object.

12) A use-after-free error within the "CObjectElement" class when handling CSS cursor properties can be exploited to dereference an invalid pointer.

13) A use-after-free when handling a "CSelectionManager" object via the "onbeforedeactivate" event can be exploited to dereference an invalid pointer.

Successful exploitation of the vulnerabilities #2 through #13 allows the execution of arbitrary code.

Solution
Apply updates.
Further details available to Secunia VIM customers

Provided and/or discovered by
3) SkyLined via ZDI
4) Stephen Fewer, Harmony Security via ZDI
7) Arthur Gerkis via ZDI
8) An anonymous person via ZDI
9) Scott Bell, Security-Assessment.com
12) Jose A. Vazquez, Yenteasy Security Research via ZDI
13) Stephen Fewer, Harmony Security and Aniway.Aniway@gmail.com via ZDI

The vendor credits:
1) Masato Kinugawa
2, 6) Omair
4) Arthur Gerkis via Exodus Intelligence
5) Tencent PC Manager
10) Jose A Vazquez, Yenteasy Security Research via Exodus Intelligence
11) Mark Yason, IBM X-Force
12) Scott Bell, Security-Assessment.com

Changelog
Further details available to Secunia VIM customers

Original Advisory
MS13-009 (KB2792100)
http://technet.microsoft.com/en-us/security/bulletin/ms13-009

Security-Assessment.com:
http://www.security-assessment.com/files/documents/advisory/ms13_009_ie_slayoutrun_uaf.pdf

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-13-025/
http://www.zerodayinitiative.com/advisories/ZDI-13-026/
http://www.zerodayinitiative.com/advisories/ZDI-13-027/
http://www.zerodayinitiative.com/advisories/ZDI-13-028/
http://www.zerodayinitiative.com/advisories/ZDI-13-029/
http://www.zerodayinitiative.com/advisories/ZDI-13-030/
http://www.zerodayinitiative.com/advisories/ZDI-13-031/
http://www.zerodayinitiative.com/advisories/ZDI-13-032/

Deep Links
Links available to Secunia VIM customers