Microsoft Windows Out-of-Bounds Write Vulnerability
Release Date: 06th of October 2025
Impact : HIGH / CRITICAL
TLP Rating: Clear 
The Department of Communication and Digital Transformation (DCDT through CERT Vanuatu (CERTVU), provides the following advisory.
This alert is relevant to Organizations and System/Network administrators that utilize the above products. This alert is intended to be understood by technical users and systems administrators.
What is it?
CVE-2013-3918 is an out-of-bounds write / memory-corruption vulnerability in the InformationCardSigninHelper ActiveX control (icardie.dll) that Internet Explorer can load, allowing remote code execution when a user opens a specially crafted web page.
What are the Systems affected?
Affected:
Windows systems that shipped the icardie.dll ActiveX control:
- Windows XP SP2/SP3,
- Server 2003 SP2,
- Vista SP2,
- Server 2008 SP2/R2 SP1,
- Windows 7 SP1, Windows 8/8.1,
- Windows RT and
- corresponding Server 2012 releases (see vendor bulletin for CPE mapping). Unpatched systems from November 2013 are vulnerable.
What this means?
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Mitigation process
CERTVU recommend:
Apply Microsoft patching updates immediately.
If for some reason, the endpoint/server cannot patch immediately, block or restrict the ActiveX control (see set kill-bit via Group Policy or via the MS bulletin guidance)
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cve.org/CVERecord?id=CVE-2013-3918
- https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-090
- Download advisory (English): Microsoft Windows Out-of-Bounds Write Vulnerability
- Download advisory (French): Vulnérabilité d’écriture hors limites dans Microsoft Windows