[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Internet Explorer Uninitialized Memory Corruption Vulnerability - CVE-2010-3331

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Internet Explorer Uninitialized Memory Corruption Vulnerability - CVE-2010-3331
From: Rodrigo Branco <rbranco@xxxxxxxxxxxxxx>
Date: Tue, 12 Oct 2010 11:41:55 -0700

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to 
publish the following vulnerability.


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Internet Explorer Uninitialized Memory Corruption Vulnerability
CVE-2010-3331 - MS10-071

INTRODUCTION

There exists a vulnerability within the way internet explorer handles specific 
objects that has not been correctly initialized or
has been deleted, which leads to uninitialized memory reference and code 
execution.

This vulnerability can be triggered thru different vectors, been Microsoft Word 
one of the tested ones.

This problem was confirmed in the following versions of Internet Explorer and 
Windows, other versions 
maybe also affected.

Internet Explorer 6 running in All Versions of Windows
Internet Explorer 7 running in All Versions of Windows
Internet Explorer 8 running in All Versions of Windows



MICROSOFT EXPLOTABILITY INDEX

In order to help the Microsoft Response Team we did further analysis on the 
vulnerability and we classify it as:  1 consistent exploit code likely.

Important to note again that since the faulty code also appears inside the 
mshtml.dll other applications may behave differently when triggering the 
problem (even more when
talking about 3rd parties).  


CVSS Scoring System

The CVSS score is: 8.3
        Base Score: 10
        Temporal Score: 8.3
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
        Temporal score is: E:F/RL:OF/RC:C



TRIGGERING THE PROBLEM

This vulnerability can be triggered by creating a persistent object with class 
id:
CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389.

The problem is triggered by the an exploit code available to interested party 
which causes invalid memory access in
all the referred versions.




CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from 
Check Point Vulnerability Discovery Team (VDT).




Best Regards,
 
Rodrigo.
 
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] ZDI-10-199: Windows Media Player Network Sharing ServiceRemote Code Execution Vulnerability
Next by Date: [Full-disclosure] [SECURITY] [DSA 2116-1] New poppler packages fix several vulnerabilities
Previous by thread: [Full-disclosure] ZDI-10-199: Windows Media Player Network Sharing ServiceRemote Code Execution Vulnerability
Next by thread: [Full-disclosure] [SECURITY] [DSA 2116-1] New poppler packages fix several vulnerabilities
Index(es):
- Date
- Thread