Secunia

Multiple vulnerabilities and a weakness have been reported in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, or compromise a user's system.

1) A combination of cross-origin content inclusion being allowed and the manner in which the CSS parser is fault-tolerant when processing content can be exploited to obtain sensitive information from a web page in another domain by injecting certain data into the page and then importing it as a style sheet.

2) An error in the Auto-Complete feature can be exploited to capture content entered into form fields via scripted instructions when a user visits a specially crafted web page.

Successful exploitation requires that the Auto-Complete feature is enabled.

3) An unspecified error in the "toStaticHTML" API when sanitising HTML code can be exploited to execute arbitrary HTML and script code in the user's browser session in context of a targeted site.

4) An unspecified error in the "toStaticHTML" API when sanitising HTML code can be exploited to execute arbitrary HTML and script code in the user's browser session in context of a web site that that includes specially crafted content.

5) An error when attempting to access an uninitialised or deleted object can be exploited to corrupt memory and execute arbitrary code when a user visits a specially crafted web page.

6) An unspecified error in the handling of anchor elements can lead to potentially sensitive information being left in HTML content.

7) A use-after-free error within the "CAttrArray::PrivateFind" function in mshtml.dll can be exploited to corrupt memory and execute arbitrary code when a user visits a specially crafted web page.

8) An error when attempting to access an uninitialised or deleted object can be exploited to corrupt memory and execute arbitrary code when a user closes a specially crafted document opened in Microsoft Word.

9) An unspecified error can be exploited to disclose content from another domain when a user visits a specially crafted web site.

10) An error when attempting to access an uninitialised or deleted object can be exploited to corrupt memory and execute arbitrary code when a user closes a specially crafted document opened in Microsoft Word.

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
1) Chris Evans
7) Peter Vreugdenhil, reported via ZDI
8) Damián Frizza, Core Security Technologies
10) Rodrigo Rubira Branco, Check Point Vulnerability Discovery Team (VDT)

The vendor credits:
3) Sirdarckcat of Google Inc.
4) Mario Heiderich
5) Takehiro Takahashi of IBM ISS X-Force
9) Aldwin Saugere and Radoslav Vasilev, Cigital

Changelog
Further details available in Customer Area

Original Advisory
MS10-071 (KB2360131):
http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx

Chris Evans:
http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0066.html

ZDI-10-197:
http://www.zerodayinitiative.com/advisories/ZDI-10-197/

Core Security Technologies:
http://www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption

Check Point Vulnerability Discovery Team:
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0143.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area