CVE-2010-3971 - Resource Management Errors vulnerability in Microsoft Internet Explorer 7/8

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, microsoft, CWE-399, critical, nessus, exploit available, metasploit

Summary

Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."

Vulnerable Configurations

Part         Description  Count
Application  Microsoft    2

Common Weakness Enumeration (CWE)

Exploit-Db

  • description: Microsoft Internet Explorer 8 - CSS Parser Exploit. CVE-2010-3971. Remote exploit for windows platform
    file: exploits/windows/remote/15746.rb
    id: EDB-ID:15746
    last seen: 2016-02-01
    modified: 2010-12-15
    platform: windows
    port:
    published: 2010-12-15
    reporter: Nephi Johnson
    source: https://www.exploit-db.com/download/15746/
    title: Microsoft Internet Explorer 8 - CSS Parser Exploit
    type: remote
  • description: Microsoft Internet Explorer 8 - CSS Parser Denial of Service. CVE-2010-3971. Dos exploit for windows platform
    file: exploits/windows/dos/15708.html
    id: EDB-ID:15708
    last seen: 2016-02-01
    modified: 2010-12-08
    platform: windows
    port:
    published: 2010-12-08
    reporter: WooYun
    source: https://www.exploit-db.com/download/15708/
    title: Microsoft Internet Explorer 8 - CSS Parser Denial of Service
    type: dos
  • description: Internet Explorer CSS Recursive Import Use After Free. CVE-2010-3971. Remote exploit for windows platform
    id: EDB-ID:16533
    last seen: 2016-02-02
    modified: 2011-02-08
    published: 2011-02-08
    reporter: metasploit
    source: https://www.exploit-db.com/download/16533/
    title: Microsoft Internet Explorer - CSS Recursive Import Use After Free

Metasploit

description: This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.
id: MSF:EXPLOIT/WINDOWS/BROWSER/MS11_003_IE_CSS_IMPORT
last seen: 2020-06-14
modified: 2019-05-23
published: 2011-02-08
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms11_003_ie_css_import.rb
title: MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free

Msbulletin

bulletin_id: MS11-003
bulletin_url:
date: 2011-02-08T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2482017
knowledgebase_url:
severity: Critical
title: Cumulative Security Update for Internet Explorer

Nessus

  • NASL family: Windows
    NASL id: SMB_KB2488013.NASL
    description: The remote host is missing one of the workarounds referenced in KB 2488013. The remote version of IE reportedly fails to correctly process certain specially crafted Cascading Style Sheets (CSS), which could result in arbitrary code execution on the remote system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 51587
    published: 2011-01-20
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/51587
    title: MS KB2488013: Internet Explorer CSS Import Rule Processing Arbitrary Code Execution
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(51587);
      script_version("1.21");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id("CVE-2010-3971");
      script_bugtraq_id(45246);
      script_xref(name:"CERT", value:"634956");
      script_xref(name:"EDB-ID", value:"15708");
      script_xref(name:"EDB-ID", value:"15746");
      script_xref(name:"Secunia", value:"42510");
      script_xref(name:"MSKB", value:"2488013");
    
      script_name(english:"MS KB2488013: Internet Explorer CSS Import Rule Processing Arbitrary Code Execution");
      script_summary(english:"Checks if couple of workarounds referenced in KB 2488013 have been applied.");
    
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through a web
    browser.");
      script_set_attribute(attribute:"description", value:
    "The remote host is missing one of the workarounds referenced in KB
    2488013.
    
    The remote version of IE reportedly fails to correctly process certain
    specially crafted Cascading Style Sheets (CSS), which could result in
    arbitrary code execution on the remote system.");
    
      script_set_attribute(attribute:"solution", value:"Apply Microsoft suggested workarounds.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2010/Dec/110");
      script_set_attribute(attribute:"see_also", value:"http://www.breakingpointsystems.com/community/blog/ie-vulnerability/");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/2488013");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2488013");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "microsoft_emet_installed.nasl", "smb_nt_ms10-090.nasl", "smb_nt_ms11-003.nasl");
      script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion", "SMB/Missing/MS11-003");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    include("audit.inc");
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/Missing/MS11-003");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    arch = get_kb_item("SMB/ARCH");
    
    version = get_kb_item("SMB/IE/Version");
    v = split(version, sep:".", keep:FALSE);
    if (int(v[0]) < 6 || int(v[0]) > 8)
     exit(0, "IE version "+ version + " is not known to be affected.");
    
    if (hotfix_check_sp(xp:4, win2003:3, vista:3, win7:1) <= 0)
      exit(0, 'The host is not affected based on its version / service pack.');
    if (hotfix_check_server_core() == 1)
      exit(0, "Windows Server Core installs are not affected.");
    
    name    =  kb_smb_name();
    port    =  kb_smb_transport();
    if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (rc != 1)
    {
      NetUseDel();
      exit(1, "Can't connect to IPC$ share.");
    }
    # Connect to remote registry.
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(1, "Can't connect to remote registry.");
    }
    # Find where it's installed.
    path = NULL;
    sdb_found      = FALSE;
    emet_installed = FALSE;
    emet_with_ie   = FALSE;
    
    key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{e4874249-daf0-48c2-a614-f2a51a0a4e01}";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (!isnull(key_h))
    {
      value = RegQueryValue(handle:key_h, item:"DatabasePath");
      if (!isnull(value)) path = value[1];
      RegCloseKey(handle:key_h);
    }
    
    RegCloseKey(handle:hklm);
    
    # 'Fix it' solution on x64 does not register the path in registry.
    if (isnull(path) && !isnull(arch) && arch == "x64")
    {
      systemroot = hotfix_get_systemroot();
      path = systemroot + "\AppPatch\Custom\{e4874249-daf0-48c2-a614-f2a51a0a4e01}.sdb";
    }
    
    if (!isnull(path))
    {
      share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
      sdb =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:path);
    
      NetUseDel(close:FALSE);
    
      rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if (rc != 1)
      {
        NetUseDel();
        exit(1, "Can't connect to "+share+" share.");
      }
    
      fh = CreateFile(
        file:sdb,
        desired_access:GENERIC_READ,
        file_attributes:FILE_ATTRIBUTE_NORMAL,
        share_mode:FILE_SHARE_READ,
        create_disposition:OPEN_EXISTING
      );
      if (!isnull(fh))
      {
        sdb_found = TRUE;
        CloseFile(handle:fh);
      }
    }
    NetUseDel();
    
    # Check if EMET is installed
    
    if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed")))
      emet_installed = TRUE;
    
    # Check if EMET is configured with IE.
    # The workaround does not specifically ask to enable DEP
    # but if IE is configured with EMET, dep is enabled by default.
    
    emet_list = get_kb_list("SMB/Microsoft/EMET/*");
    if(!isnull(emet_list))
    {
      foreach entry (keys(emet_list))
      {
        if("iexplore.exe" >< entry && "/dep" >< entry)
        {
          dep = get_kb_item(entry);
          if(!isnull(dep) && dep == 1)
            emet_with_ie = TRUE;
        }
      }
    }
    
    if (sdb_found && isnull(get_kb_item("SMB/Missing/MS10-090")))
      exit(0, "'Fix it' solution referenced in KB 2488013 has been applied.");
    
    if (emet_with_ie) exit(0,"Internet Explorer is configured with EMET.");
    
    info = '';
    
    # If both workarounds are not applied, report...
    if (!sdb_found && !emet_with_ie)
    {
      if (!sdb_found)
       info = '\n' +
         ' - \'Fix it\' solution referenced in KB 2488013 is not applied.\n';
    
      if (!emet_installed)
        info += ' - Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not installed.\n';
      else
        info += ' - Microsoft Enhanced Mitigation Experience Toolkit (EMET) is installed,\n'+
          'however Internet Explorer is not configured with EMET.\n';
    }
    # If 'Fix it' solution was applied, but MS10-090 is missing, report...
    else if (!emet_with_ie && sdb_found && !isnull(get_kb_item("SMB/Missing/MS10-090")))
    {
      info = '\n'+
        ' - \'Fix it\' solution referenced in KB 2488013 has been being applied, however\n'+
        'Microsoft Security Patch (MS10-090) has not been applied.\n';
    }
    
    if (info)
    {
      report = '\n' +
        'Nessus determined the workaround was not applied based on the following \n'+
        'information : \n'+
        info ;
    
      if (report_verbosity > 0) security_hole(port:port,extra:report);
      else security_hole(port);
    }
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS11-003.NASL
    description: The remote host is missing Internet Explorer (IE) Security Update 2482017. The remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 51903
    published: 2011-02-08
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/51903
    title: MS11-003: Cumulative Security Update for Internet Explorer (2482017)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(51903);
      script_version("1.26");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id(
        "CVE-2010-3971",
        "CVE-2011-0035",
        "CVE-2011-0036",
        "CVE-2011-0038"
      );
      script_bugtraq_id(45246, 46157, 46158, 46159);
      script_xref(name:"CERT", value:"634956");
      script_xref(name:"EDB-ID", value:"15708");
      script_xref(name:"EDB-ID", value:"15746");
      script_xref(name:"MSFT", value:"MS11-003");
      script_xref(name:"Secunia", value:"42510");
      script_xref(name:"MSKB", value:"2482017");
    
      script_name(english:"MS11-003: Cumulative Security Update for Internet Explorer (2482017)");
      script_summary(english:"Checks version of Mshtml.dll");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "Arbitrary code can be executed on the remote host through a web
    browser."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is missing Internet Explorer (IE) Security Update
    2482017.
    
    The remote version of IE is affected by several vulnerabilities that
    may allow an attacker to execute arbitrary code on the remote host."
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-003");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,
    and 2008 R2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2010/Dec/110");
      script_set_attribute(attribute:"see_also", value:"http://www.breakingpointsystems.com/community/blog/ie-vulnerability/");
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/02/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS11-003';
    kbs = make_list("2482017");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows 7 and Windows Server 2008 R2
      #
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.21636", min_version:"8.0.7601.20000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.17537", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.20861", min_version:"8.0.7600.20000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.16722", min_version:"8.0.7600.16000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
    
      # Vista / Windows 2008
      #
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"6.0",       file:"Mshtml.dll", version:"8.0.6001.23111", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      hotfix_is_vulnerable(os:"6.0",       file:"Mshtml.dll", version:"8.0.6001.19019", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.22551", min_version:"7.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.18357", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Mshtml.dll", version:"7.0.6001.22816", min_version:"7.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Mshtml.dll", version:"7.0.6001.18565", min_version:"7.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
    
      # Windows 2003 / XP 64-bit
      #
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.19019", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.17095", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      # - Internet Explorer 6
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.4807",  min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
    
      # Windows XP x86
      #
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.19019", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.17095", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:"2482017") ||
      # - Internet Explorer 6
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6058",  min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:"2482017")
      )
    {
      set_kb_item(name:"SMB/Missing/" + bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

accepted: 2014-08-25T04:00:18.874-04:00
class: vulnerability
contributors:
  • name: Dragos Prisaca
    organization: Symantec Corporation
  • name: Josh Turpin
    organization: Symantec Corporation
  • name: Dragos Prisaca
    organization: Symantec Corporation
  • name: Maria Mikhno
    organization: ALTX-SOFT
  • name: Maria Mikhno
    organization: ALTX-SOFT
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Internet Explorer 6 is installed
    oval: oval:org.mitre.oval:def:563
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 for Itanium is installed
    oval: oval:org.mitre.oval:def:1867
  • comment: Microsoft Internet Explorer 6 is installed
    oval: oval:org.mitre.oval:def:563
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 for Itanium is installed
    oval: oval:org.mitre.oval:def:1867
  • comment: Microsoft Internet Explorer 7 is installed
    oval: oval:org.mitre.oval:def:627
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft Internet Explorer 7 is installed
    oval: oval:org.mitre.oval:def:627
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft Internet Explorer 7 is installed
    oval: oval:org.mitre.oval:def:627
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Internet Explorer 8 is installed
    oval: oval:org.mitre.oval:def:6210
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Internet Explorer 8 is installed
    oval: oval:org.mitre.oval:def:6210
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval: oval:org.mitre.oval:def:5954
  • comment: Microsoft Internet Explorer 8 is installed
    oval: oval:org.mitre.oval:def:6210
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval: oval:org.mitre.oval:def:5954
  • comment: Microsoft Internet Explorer 8 is installed
    oval: oval:org.mitre.oval:def:6210
description: Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."
family: windows
id: oval:org.mitre.oval:def:12382
status: accepted
submitted: 2011-02-08T14:00:00
title: CSS Memory Corruption Vulnerability
version: 82

Packetstorm

data source: https://packetstormsecurity.com/files/download/98389/ms11_003_ie_css_import.rb.txt
id: PACKETSTORM:98389
last seen: 2016-12-05
published: 2011-02-10
reporter: jduck
source: https://packetstormsecurity.com/files/98389/Internet-Explorer-CSS-Recursive-Import-Use-After-Free.html
title: Internet Explorer CSS Recursive Import Use After Free

Saint

bid: 45246
description: Microsoft Internet Explorer CSS Import Use-After-Free Code Execution
id: win_patch_ie_v8
osvdb: 69796
title: ie_css_import
type: client