CVE-2010-3962 - Use After Free vulnerability in Microsoft Internet Explorer 6/7/8
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Cascading Style Sheets (CSS) token sequences and the clip attribute, aka an "invalid flag reference" issue or "Uninitialized Memory Corruption Vulnerability," as exploited in the wild in November 2010.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
OS | | 10 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Microsoft Internet Explorer Memory - Corruption Vulnerability (0day). CVE-2010-3962. Dos exploit for windows platform |
file | exploits/windows/dos/15418.html |
id | EDB-ID:15418 |
last seen | 2016-02-01 |
modified | 2010-11-04 |
platform | windows |
port | |
published | 2010-11-04 |
reporter | Unknown |
source | https://www.exploit-db.com/download/15418/ |
title | Microsoft Internet Explorer Memory - Corruption Vulnerability 0day |
type | dos |

description | Internet Explorer CSS SetUserClip Memory Corruption. CVE-2010-3962. Remote exploit for windows platform |
id | EDB-ID:16551 |
last seen | 2016-02-02 |
modified | 2011-01-20 |
published | 2011-01-20 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16551/ |
title | Microsoft Internet Explorer - CSS SetUserClip Memory Corruption |

description | Internet Explorer 6, 7 and 8 Memory Corruption 0day Exploit CVE-2010-3962. CVE-2010-3962. Remote exploit for windows platform |
file | exploits/windows/remote/15421.html |
id | EDB-ID:15421 |
last seen | 2016-02-01 |
modified | 2010-11-04 |
platform | windows |
port | |
published | 2010-11-04 |
reporter | ryujin |
source | https://www.exploit-db.com/download/15421/ |
title | Microsoft Internet Explorer 6/7/8 - Memory Corruption Exploit 0day |
type | remote |
Metasploit
description | This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or just not able to be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections. |
id | MSF:EXPLOIT/WINDOWS/BROWSER/MS10_090_IE_CSS_CLIP |
last seen | 2020-04-11 |
modified | 2019-05-23 |
published | 2010-12-14 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3962 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms10_090_ie_css_clip.rb |
title | MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption |
Msbulletin
bulletin_id | MS10-090 |
bulletin_url | |
date | 2010-12-14T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 2416400 |
knowledgebase_url | |
severity | Critical |
title | Cumulative Security Update for Internet Explorer |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS10-090.NASL |
description | The remote host is missing Internet Explorer (IE) Security Update 2416400. The remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 51162 |
published | 2010-12-15 |
reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/51162 |
title | MS10-090: Cumulative Security Update for Internet Explorer (2416400) |
Oval
accepted | 2014-08-18T04:00:23.331-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Cascading Style Sheets (CSS) token sequences and the clip attribute, aka an "invalid flag reference" issue or "Uninitialized Memory Corruption Vulnerability," as exploited in the wild in November 2010. |
family | windows |
id | oval:org.mitre.oval:def:12279 |
status | accepted |
submitted | 2010-10-12T13:00:00 |
title | Uninitialized Memory Corruption Vulnerability |
version | 82 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/95516/ie678-corrupt.txt |
id | PACKETSTORM:95516 |
last seen | 2016-12-05 |
published | 2010-11-05 |
reporter | Matteo Memelli |
source | https://packetstormsecurity.com/files/95516/Microsoft-Internet-Explorer-6-7-8-Memory-Corruption.html |
title | Microsoft Internet Explorer 6 / 7 / 8 Memory Corruption |

data source | https://packetstormsecurity.com/files/download/95522/ms10_xxx_ie_css_clip.rb.txt |
id | PACKETSTORM:95522 |
last seen | 2016-12-05 |
published | 2010-11-05 |
reporter | Matteo Memelli |
source | https://packetstormsecurity.com/files/95522/Internet-Explorer-CSS-Tags-Memory-Corruption.html |
title | Internet Explorer CSS Tags Memory Corruption |

data source | https://packetstormsecurity.com/files/download/96706/ms10_090_ie_css_clip.rb.txt |
id | PACKETSTORM:96706 |
last seen | 2016-12-05 |
published | 2010-12-14 |
reporter | Matteo Memelli |
source | https://packetstormsecurity.com/files/96706/Internet-Explorer-CSS-SetUserClip-Memory-Corruption.html |
title | Internet Explorer CSS SetUserClip Memory Corruption |
Saint
bid | 44536 |
description | Internet Explorer CSS clip attribute memory corruption |
id | win_patch_ie_v6,win_patch_ie_v7,win_patch_ie_v8 |
osvdb | 68987 |
title | ie_css_clip |
type | client |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:20230 |
last seen | 2017-11-19 |
modified | 2010-11-05 |
published | 2010-11-05 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-20230 |
title | Internet Explorer 6, 7, 8 Memory Corruption 0day Exploit |
References
- http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks
- http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx
- http://www.microsoft.com/technet/security/advisory/2458511.mspx
- http://www.securitytracker.com/id?1024676
- http://www.kb.cert.org/vuls/id/899748
- http://www.vupen.com/english/advisories/2010/2880
- http://secunia.com/advisories/42091
- http://www.securityfocus.com/bid/44536
- http://www.us-cert.gov/cas/techalerts/TA10-348A.html
- http://www.exploit-db.com/exploits/15418
- http://www.exploit-db.com/exploits/15421
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62962
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12279
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-090