Vulnerabilities > CVE-2008-0077 - Use After Free vulnerability in Microsoft Internet Explorer 6/7

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

microsoft

CWE-416

nessus

NVD

Published: 2008-02-12

Updated: 2024-02-03

Summary

Use-after-free vulnerability in Microsoft Internet Explorer 6 SP1, 6 SP2, and and 7 allows remote attackers to execute arbitrary code by assigning malformed values to certain properties, as demonstrated using the by property of an animateMotion SVG element, aka "Property Memory Corruption Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Explorer 6 Microsoft Internet Explorer 7	3
OS	Microsoft Microsoft Windows 2000 - Microsoft Windows 2003 Server * Microsoft Windows 2003 Server - Microsoft Windows Server 2003 * Microsoft Windows XP * Microsoft Windows XP - Microsoft Windows Vista *	13

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS08-010.NASL
description	The remote host is missing the IE cumulative security update 944533. The remote version of IE is vulnerable to several flaws that could allow an attacker to execute arbitrary code on the remote host.
last seen	2020-06-01
modified	2020-06-02
plugin id	31044
published	2008-02-12
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/31044
title	MS08-010: Cumulative Security Update for Internet Explorer (944533)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(31044); script_version("1.33"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2007-4790", "CVE-2007-5322", "CVE-2008-0076", "CVE-2008-0077", "CVE-2008-0078" ); script_bugtraq_id(25571, 25977, 27666, 27668, 27689); script_xref(name:"MSFT", value:"MS08-010"); script_xref(name:"MSKB", value:"944533"); script_name(english:"MS08-010: Cumulative Security Update for Internet Explorer (944533)"); script_summary(english:"Determines the presence of update 944533"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the web client."); script_set_attribute(attribute:"description", value: "The remote host is missing the IE cumulative security update 944533. The remote version of IE is vulnerable to several flaws that could allow an attacker to execute arbitrary code on the remote host."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-010"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(78, 94, 119, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/18"); script_set_attribute(attribute:"patch_publication_date", value:"2008/02/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS08-010'; kb = '944533'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'1,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.20734", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.16609", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:1, file:"Mshtml.dll", version:"6.0.3790.3064", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.4210", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"7.0.6000.20733", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"7.0.6000.16608", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"6.0.2900.3268", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"7.0.6000.20733", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"7.0.6000.16608", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"6.0.2800.1607", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"5.0.3860.1000", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2014-08-25T04:01:50.742-04:00

class

vulnerability

contributors

name Sudhir Gandhe
organization Secure Elements, Inc.
name Robert L. Hollis
organization ThreatGuard, Inc.
name Sudhir Gandhe
organization Secure Elements, Inc.
name Pooja Shetty
organization SecPod Technologies
name Chandan S
organization SecPod Technologies
name Maria Mikhno
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows 2000 is installed
oval oval:org.mitre.oval:def:85
comment Microsoft Windows XP (32-bit) is installed
oval oval:org.mitre.oval:def:1353
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows Server 2003 (32-bit) is installed
oval oval:org.mitre.oval:def:1870
comment Microsoft Windows Server 2003 (x64) is installed
oval oval:org.mitre.oval:def:730
comment Microsoft Windows Server 2003 for Itanium is installed
oval oval:org.mitre.oval:def:1867
comment Microsoft Windows XP x64 is installed
oval oval:org.mitre.oval:def:15247
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows Server 2003 (32-bit) is installed
oval oval:org.mitre.oval:def:1870
comment Microsoft Windows Server 2003 (x64) is installed
oval oval:org.mitre.oval:def:730
comment Microsoft Windows Server 2003 for Itanium is installed
oval oval:org.mitre.oval:def:1867
comment Microsoft Windows XP x64 is installed
oval oval:org.mitre.oval:def:15247
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627
comment Microsoft Windows XP is installed
oval oval:org.mitre.oval:def:105
comment Microsoft Windows Server 2003 (32-bit) is installed
oval oval:org.mitre.oval:def:1870
comment Microsoft Windows Server 2003 (x64) is installed
oval oval:org.mitre.oval:def:730
comment Microsoft Windows Server 2003 for Itanium is installed
oval oval:org.mitre.oval:def:1867
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041

description

family

windows

oval:org.mitre.oval:def:5396

status

accepted

submitted

2008-02-13T10:19:01

title

Property Memory Corruption Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 27666 CVE(CAN) ID: CVE-2008-0077 Internet Explorer是微软发布的非常流行的WEB浏览器。 Microsoft IE在处理属性元素时存在漏洞，远程攻击者可能利用此漏洞控制用户系统。 IE没有正确地处理，如果为该属性分配了其他DOM元素的话，则在释放Variant数据类型期间就会触发内存破坏，导致覆盖虚拟函数地址。如果用户受骗访问了恶意网页的话，就可以触发这个漏洞，导致执行任意指令。 Microsoft Internet Explorer 7.0 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 临时解决方法： * 配置Internet Explorer在运行活动脚本之前提示，或在Internet和本地intranet安全区中禁用活动脚本。 * 将Internet和本地intranet安全区设置为“高”以便在这些区中运行ActiveX控件和活动脚本之前提示。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS08-010）以及相应补丁: MS08-010：Cumulative Security Update for Internet Explorer (944533) 链接：<a href=http://www.microsoft.com/technet/security/Bulletin/MS08-010.mspx?pf=true target=_blank>http://www.microsoft.com/technet/security/Bulletin/MS08-010.mspx?pf=true</a>
id	SSV:2895
last seen	2017-11-19
modified	2008-02-20
published	2008-02-20
reporter	Root
title	Microsoft IE属性方式远程内存破坏漏洞（MS08-010）

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Oval

Seebug

References