search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Explorer invalid flag reference vulnerability

Vulnerability Note VU#899748

Original Release Date: 2010-11-03 | Last Revised: 2014-03-11

Overview

Microsoft Internet Explorer invalid flag reference vulnerability

Description

According to the Microsoft Security Research & Defense Blog, Microsoft Internet Explorer incorrectly under-allocates memory to store a certain combination of Cascading Style Sheets (CSS) tags when parsing HTML, resulting in an overwrite of the least significant byte of a vtable pointer. The Microsoft Security Advisory (2458511) refers to the vulnerability as an invalid flag reference vulnerability, where the reference to an object can be accessed after it is deleted.

Exploit code for this vulnerability is publicly available.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.

Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS10-090.

Workarounds

Microsoft has listed several workarounds in Microsoft Security Advisory (2458511).

Vendor Information

899748
 

Microsoft Corporation Affected

Updated:  January 18, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Microsoft Security Response Center for reporting this vulnerability, who in turn credit Symantec.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2010-3962
Severity Metric: 54.62
Date Public: 2010-11-03
Date First Published: 2010-11-03
Date Last Updated: 2014-03-11 18:24 UTC
Document Revision: 31

Sponsored by CISA.