Vulnerabilities > CVE-2010-0491 - Resource Management Errors vulnerability in Microsoft products

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-399

critical

nessus

NVD

Published: 2010-03-31

Updated: 2021-07-23

Summary

Use-after-free vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, and 6 SP1 allows remote attackers to execute arbitrary code by changing unspecified properties of an HTML object that has an onreadystatechange event handler, aka "HTML Object Memory Corruption Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Explorer 6 Microsoft Internet Explorer 5.01	3
OS	Microsoft Microsoft Windows Server 2003 * Microsoft Windows 2003 Server * Microsoft Windows XP * Microsoft Windows XP - Microsoft Windows 2000 *	6

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Msbulletin

bulletin_id	MS10-018
bulletin_url
date	2010-03-30T00:00:00
impact	Remote Code Execution
knowledgebase_id	980182
knowledgebase_url
severity	Critical
title	Cumulative Security Update for Internet Explorer

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS10-018.NASL
description	The remote host is missing IE Security Update 980182. The remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host.
last seen	2020-06-01
modified	2020-06-02
plugin id	45378
published	2010-03-30
reporter	This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/45378
title	MS10-018: Cumulative Security Update for Internet Explorer (980182)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(45378); script_version("1.27"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2010-0267", "CVE-2010-0488", "CVE-2010-0489", "CVE-2010-0490", "CVE-2010-0491", "CVE-2010-0492", "CVE-2010-0494", "CVE-2010-0805", "CVE-2010-0806", "CVE-2010-0807" ); script_bugtraq_id( 38615, 39023, 39024, 39025, 39026, 39027, 39028, 39030, 39031, 39047 ); script_xref(name:"CERT", value:"744549"); script_xref(name:"MSFT", value:"MS10-018"); script_xref(name:"MSKB", value:"980182"); script_name(english:"MS10-018: Cumulative Security Update for Internet Explorer (980182)"); script_summary(english:"Checks version of Mshtml.dll / MSrating.dll"); script_set_attribute( attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through a web browser." ); script_set_attribute( attribute:"description", value: "The remote host is missing IE Security Update 980182. The remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-018"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, and Windows 7." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2010/03/09"); script_set_attribute(attribute:"patch_publication_date", value:"2010/03/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/30"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS10-018'; kbs = make_list("980182"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); kb = "980182"; if ( # Windows 7 and Windows Server 2008 R2 # # - Internet Explorer 8 hotfix_is_vulnerable(os:"6.1", file:"Mshtml.dll", version:"8.0.7600.20651", min_version:"8.0.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.1", file:"Mshtml.dll", version:"8.0.7600.16535", min_version:"8.0.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Vista / Windows 2008 # # - Internet Explorer 8 hotfix_is_vulnerable(os:"6.0", file:"Mshtml.dll", version:"8.0.6001.22995", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", file:"Mshtml.dll", version:"8.0.6001.18904", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 7 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.22360", min_version:"7.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.18226", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"Mshtml.dll", version:"7.0.6001.22653", min_version:"7.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"Mshtml.dll", version:"7.0.6001.18444", min_version:"7.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.21242", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.17037", min_version:"7.0.6000.16000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 2003 / XP x64 # # - Internet Explorer 8 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.22995", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.18904", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 7 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21228", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.17023", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 6 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.4672", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows XP x86 # # - Internet Explorer 8 hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Mshtml.dll", version:"8.0.6001.22995", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Mshtml.dll", version:"8.0.6001.18904", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Mshtml.dll", version:"8.0.6001.22995", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Mshtml.dll", version:"8.0.6001.18904", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 7 hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Mshtml.dll", version:"7.0.6000.21228", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Mshtml.dll", version:"7.0.6000.17023", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Mshtml.dll", version:"7.0.6000.21228", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Mshtml.dll", version:"7.0.6000.17023", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 6 SP1 hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Msrating.dll", version:"6.0.2900.3676", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 6 hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Mshtml.dll", version:"6.0.2900.5945", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Mshtml.dll", version:"6.0.2900.3676", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # Windows 2000 # # - Internet Explorer 6 w/ Service Pack 1 hotfix_is_vulnerable(os:"5.0", file:"Msrating.dll", version:"6.0.2800.2002", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| # - Internet Explorer 5.01 w/ Service Pack 4 hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"5.0.3886.1900", min_version:"5.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2010-06-07T04:01:10.622-04:00

class

vulnerability

contributors

name	Dragos Prisaca
organization	Symantec Corporation

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Internet Explorer 5.01 SP4 is installed
oval oval:org.mitre.oval:def:325
comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP (x86) SP2 is installed
oval oval:org.mitre.oval:def:754
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP (x86) SP3 is installed
oval oval:org.mitre.oval:def:5631
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563

description

family

windows

oval:org.mitre.oval:def:8421

status

accepted

submitted

2010-03-30T13:00:00

title

HTML Object Memory Corruption Vulnerability (CVE-2010-0491)

version

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:19371
last seen	2017-11-19
modified	2010-03-31
published	2010-03-31
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-19371
title	Microsoft Internet Explorer 'onreadystatechange' Use After Free Vulnerability

bulletinFamily	exploit
description	BUGTRAQ ID: 39027 CVE ID: CVE-2010-0491 Internet Explorer是Windows操作系统中默认捆绑的web浏览器。 Internet Explorer在处理带onreadystatechange事件处理器的HTML对象时存在释放后使用错误。这个事件用于在某些HTML对象的状态发生变化时执行操作。具体来讲，当对象的某些属性发生变化时，会释放事件处理器功能对象，当仍保留了对其的引用。之后在访问对象时，会将这个无效的内存处理为对象指针，其中的一个成员用于执行间接的函数调用，这会导致执行任意代码。 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Microsoft Internet Explorer 5.0.1 SP4 临时解决方法： * 在Office 2007中禁用ActiveX控件。 * 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件和活动脚本之前进行提示。 * 将Internet 和本地Intranet安全区域设置设为“高”，以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。 * 不要打开意外的文件。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS10-018）以及相应补丁: MS10-018：Cumulative Security Update for Internet Explorer (980182) 链接：http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx?pf=true
id	SSV:19372
last seen	2017-11-19
modified	2010-03-31
published	2010-03-31
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-19372
title	Internet Explorer onreadystatechange释放后使用漏洞（MS10-018）

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Msbulletin

Nessus

Oval

Seebug

References