Microsoft Internet Explorer Multiple Vulnerabilities

Posted on Saturday, April 16, 2011 @ 01:42:50 UTC in Security
by Raven

SECUNIA ADVISORY ID: SA44153

VERIFY ADVISORY: http://secunia.com/advisories/44153/

CRITICALITY: Extremely Critical

RELEASE DATE: 2011-04-16

DESCRIPTION: Some vulnerabilities have been reported in Microsoft Internet Explorer, which can be exploited by malicious people to disclose certain sensitive information, bypass certain security restrictions, and compromise a user's system.

1) A use-after-free error when handling an object, which is exchanged during a call to a certain function, can be exploited to dereference already freed memory and execute arbitrary code via a specially crafted web page.
NOTE: According to Microsoft, this vulnerability is currently being exploited in limited, targeted attacks.

2) An error when attempting to access an uninitialised or deleted MSHTML object can be exploited to corrupt memory and execute arbitrary code when a user visits a specially crafted web page.

3) An error in the handling of the frame tag object can be exploited to disclose certain information or conduct clickjacking attacks.

4) An error in the handling of certain JavaScript objects can be exploited to bypass domain restrictions and may allow disclosure of content from another domain or Internet Explorer zone.

5) An error exists in the handling of the "onPropertyChange" event when set to an object's attribute collection. This can be exploited to corrupt memory and execute arbitrary code when a user visits a specially crafted web page.
NOTE: According to Microsoft, this vulnerability is currently being exploited in limited, targeted attacks.

SOLUTION: Apply patches.

PROVIDED AND/OR DISCOVERED BY:
1) An anonymous person via iDefense. Also reported as a 0-day.
2) Reported by the vendor.
3, 4) The vendor credits David Bloom, Google.
5) Stephen Fewer, Harmony Security via ZDI. Also reported as a 0-day.

ORIGINAL ADVISORY:
MS11-018 (KB2497640): http://www.microsoft.com/technet/security/bulletin/MS11-018.mspx
ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-119/
iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=900
 
 