Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system.
1) An error when firing events while at the same time manipulating elements in the markup can be exploited to corrupt memory.
2) An error in the handling of content using specific encoding strings when submitting data can be exploited to gain knowledge of sensitive information when a user e.g. views a specially crafted web page.
3) A race condition when accessing objects can be exploited to corrupt memory.
4) An error when attempting to access objects that have not been initialised or have been deleted may result in uninitialised memory being used.
5) A use-after-free error in the handling of an HTML object with the "onreadystatechange" event handler can be exploited to corrupt memory.
6) A use-after-free error in mstime.dll when handling the "TIME2" behaviour may be exploited to execute arbitrary code.
7) An error may allow script code to gain access to a browser window in another domain or Internet Explorer zone if a user is tricked into dragging the browser window across a second browser window.
8) An array-indexing error within the Microsoft Tabular Data Control ActiveX control (tdc.ocx) when the "CTDCCtl::SecurityCheckDataURL()" function parses "DataURL" parameter values can be exploited to write a single NULL-byte to an arbitrary memory location.
9) A use-after-free error in iepeers.dll when handling invalid values passed to the "setAttribute()" function can be exploited to dereference invalid memory when a specially crafted web page using the "#default#userData" behavior is accessed.
NOTE: The vulnerability is currently being actively exploited.
10) An error in the HTML rendering can be exploited to corrupt memory via a specially crafted web page.
Provided and/or discovered by:
1) Originally reported as a DoS by dwt. Additional research performed by Secunia Research.
2) The vendor credits Daiki Fukumori, Cyber Defense Institute Inc.
3) Reported by the vendor.
4) The vendor credits Ivan Fratric, iSIGHT Partners Global Vulnerability Partnership and Alexander Kornbrust, Red Database Security.
5) wushi of team509, reported via iDefense.
6) Simon Zuckerbraun, reported via ZDI.
7) The vendor credits Paul Stone, Context Information Security.
8) An anonymous person, reported via ZDI.
9) Reported as a 0-day. The vendor also credits ADLab, VenusTech.
10) The vendor credits ADLab, VenusTech.
Original Advisory: MS10-018 (KB980182)
Subject: Internet Explorer Multiple Vulnerabilities
RE: Internet Explorer Unspecified Code Execution Vulnerability
11th Mar, 2010 23:39
Score: 298 Posts: 727 User Since: 30th Mar 2008 System Score: 100% Location: US
IE8 is flagged as Insecure, no solution & has been practically since its introduction. Rumor is that because the vulnerability is so small, M$ probably won't issue a patch.
They'll probably just roll out IE9 & patch that way.
Secunia gives SA38416 that you might want to read.
-- HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 17.0.11 ESR
The weakest link of a computer system is always sitting in front of the monitor.
RE: Internet Explorer iepeers.dll Use-After-Free Vulnerability
15th Mar, 2010 14:47
Score: -3 Posts: 39 User Since: 10th Sep 2009 System Score: 100% Location: US Last edited on 15th Mar, 2010 14:49
If Microsoft really wants its users to keep using IE, they need to step up & start releasing security patches more frequently. They should look at how Mozilla does things - they know how to release patches. :)
Edit: Hopefully Microsoft will release a patch for IE 8 within two weeks of it being reported, but we can only hope. I'm glad I use Firefox. Microsoft should treat this as being serious - having an extremely-critical vulnerability in your browser isn't going to help win over people.