Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to disclose sensitive information, conduct cross-site scripting attacks, and compromise a user's system.

1) A use-after-free error when handling the "Center" element can be exploited via a specially crafted web page.

Successful exploitation of this vulnerability allows execution of arbitrary code.

2) Insufficient validation in the "toStaticHTML" API of specially formed CSS can be exploited to execute arbitrary HTML and script code in the user's browser session in context of a targeted site.

3) An error when handling EUC-JP character encoding can be exploited to execute arbitrary HTML and script code in the user's browser session in context of a targeted site.

4) An unspecified error when processing NULL bytes can be exploited to disclose content from the process memory.

5) A use-after-free error exists within jsdbgui.dll when handling reference count to the console object.

Successful exploitation of this vulnerability allows execution of arbitrary code.

6) A use-after-free error exists within mshtml.dll when handling img and div elements having the same id property.

Successful exploitation of this vulnerability allows execution of arbitrary code.

NOTE: The vulnerability is currently being actively exploited.

7) An error when handling the colspan in a table with the table-layout:fixed style can be exploited to cause a heap-based buffer overflow.

Successful exploitation of this vulnerability allows execution of arbitrary code.

8) A use-after-free error when handling the "onpropertychange" callback function on the document.title element can be exploited to dereference already freed memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

9) A use-after-free error when handling the "OnBeforeDeactivate" method can be exploited to dereference already freed memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

10) An error when handling the "insertAdjacentText" method can be exploited to access undefined memory and corrupt memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

11) A use-after-free error when handling the "insertRow" method can be exploited to dereference already freed memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

12) A use-after-free error when handling "onrowsinserted" callback functions on certain elements can be exploited to dereference already freed memory.

Successful exploitation of this vulnerability allows execution of arbitrary code.

13) An error within the handling of the "Scrolling" event can be exploited to disclose information from another domain or Internet Explorer zone.

Solution
Apply patches.
Further details available to Secunia VIM customers

Provided and/or discovered by
1) An anonymous person via iDefense
2) Adi Cohen, IBM Security Systems Application Security
5) Code Audit Labs, VulnHunt
6) Reported as a 0-day.
7) Vupen via ZDI
8, 9, 10, 11, 12) An anonymous person via ZDI

The vendor credits:
3) Masato Kinugawa
4) Roman Shafigullin, LinkedIn

13) Reported by the vendor

Changelog
Further details available to Secunia VIM customers

Original Advisory
MS12-037 (KB2699988)
http://technet.microsoft.com/en-us/security/bulletin/ms12-037

VulnHunt:
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-093/
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0205.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0207.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0209.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0210.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0211.html

iDefense:
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=988

IBM Security Systems Application Security:
http://blog.watchfire.com/wfblog/2012/07/tostatichtml-the-second-encounter-cve-2012-1858-html-sanitizing-information-disclosure-introduction-t.html

Deep Links
Links available to Secunia VIM customers