CVE-2010-0806
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
View on NVDAnalysis
A critical use-after-free vulnerability in Internet Explorer 6 and 7 allows for remote code execution. While these versions are end-of-life, this flaw has been actively exploited in the wild and remains part of the CISA Known Exploited Vulnerabilities catalog.
Relevant roles
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HCWE-399CWE-416CISA KEV
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EPSS
Affects
microsoft:internet_explorermicrosoft:windows_2000microsoft:windows_7microsoft:windows_server_2003microsoft:windows_server_2008microsoft:windows_vistamicrosoft:windows_xpTechnical description
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka "Uninitialized Memory Corruption Vulnerability."
References
- http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx
- http://osvdb.org/62810
- http://secunia.com/advisories/38860
- http://www.kb.cert.org/vuls/id/744549
- http://www.microsoft.com/technet/security/advisory/981374.mspx
- http://www.securityfocus.com/bid/38615
- http://www.us-cert.gov/cas/techalerts/TA10-068A.html
- http://www.us-cert.gov/cas/techalerts/TA10-089A.html