McAfee > Theat Center > Vulnerability Detail Page

Timeline

2/3/2010

A proof of concept has been released.

1/21/2010

Vendor has provided a patch.

1/18/2010

A proof of concept has been released.

1/15/2010

A proof of concept has been released.

1/15/2010

A proof of concept has been released.

1/14/2010

Vendor has provided information on the vulnerability.

1/13/2010

Exploit code has been released.

Description

A code execution vulnerability is present in some versions of Microsoft Internet Explorer. The flaw resides in Internet Explorer's handling of certain DOM operations. Internet Explorer improperly access objects which have been deleted or incorrectly initialized. Successful exploitation could allow an attacker to execute arbitrary code. Exploitation can be achieved via a maliciously crafted file, or via a maliciously-crafted web page. Failed exploit attempts may result in an application crash (DoS). DEP and JavaScript ------------------- McAfee Labs has confirmed that this vulnerability affects Microsoft Internet Explorer versions 6,7,and 8. However, currently observed exploits (1/14/2009) will only succeed in Internet Explorer installations where DEP (Data Execution Prevention) is *NOT* enabled. In addition, JavaScript must be enabled to allow successful exploitation. DEP is enabled by default in Internet Explorer 8, while Internet Explorer 7 contains a feature to enable DEP. Disabling JavaScipt, while enabling DEP, will inhibit the success of exploits which are currently in-the-wild.

McAfee Product Mitigation & Recommendations

Recommendations

The vendor has released an update to address this issue: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

McAfee Product Mitigation

McAfee Foundstone

Signature:

(MS10-002) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability II (978207)

Signature identifier:

7677

Release date:

1/14/2010

McAfee Intrushield

The UDS release of January 18 contains the signature "UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption III" which provides coverage.

Signature:

UDS

Signature identifier:

0x40278200

Release date:

1/18/2009

First released in:

UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption

McAfee Anti-Virus protection

Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll) in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele(5860).

Signature:

DATs

Signature identifier:

5862

Release date:

1/15/2009

First released in:

Exploit-Comele / Roarur.dr / Roarur.dll

McAfee Anti-Virus protection

Partial coverage is provided as Exploit-Comele in the 5862 DATs, released January 15, for known exploits. Updated coverage will be released on February 6 in the 5882 DATs.

Signature:

DATs

Signature identifier:

5882

Release date:

2/6/2010

First released in:

Exploit-Comele

McAfee Anti-Virus protection

Partial coverage will provided as Exploit-Comele!demo in 5882 DATs, to be released February 6, for known exploits.

Signature:

DATs

Signature identifier:

5882

Release date:

2/6/2010

First released in:

Exploit-Comele!demo

The remedy Vflash of 1/21/2010 contains remedies for this issue.

Signature:

Cumulative Security Update for Internet Explorer (978207)

Release date:

1/15/2010

Additional Resources

Security Advisory 979352 – Vulnerability in Internet Explorer Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/979352.mspx

Microsoft Security Bulletin MS10-002 - Critical Cumulative Security Update for Internet Explorer (978207)

http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

All Information

Timeline -

2/3/2010

A proof of concept has been released.

1/21/2010

Vendor has provided a patch.

1/18/2010

A proof of concept has been released.

1/15/2010

A proof of concept has been released.

1/15/2010

A proof of concept has been released.

1/14/2010

Vendor has provided information on the vulnerability.

1/13/2010

Exploit code has been released.

Description -

A code execution vulnerability is present in some versions of Microsoft Internet Explorer. The flaw resides in Internet Explorer's handling of certain DOM operations. Internet Explorer improperly access objects which have been deleted or incorrectly initialized. Successful exploitation could allow an attacker to execute arbitrary code. Exploitation can be achieved via a maliciously crafted file, or via a maliciously-crafted web page. Failed exploit attempts may result in an application crash (DoS). DEP and JavaScript ------------------- McAfee Labs has confirmed that this vulnerability affects Microsoft Internet Explorer versions 6,7,and 8. However, currently observed exploits (1/14/2009) will only succeed in Internet Explorer installations where DEP (Data Execution Prevention) is *NOT* enabled. In addition, JavaScript must be enabled to allow successful exploitation. DEP is enabled by default in Internet Explorer 8, while Internet Explorer 7 contains a feature to enable DEP. Disabling JavaScipt, while enabling DEP, will inhibit the success of exploits which are currently in-the-wild.

McAfee Product Mitigation & Recommendations

Recommendations -

The vendor has released an update to address this issue: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

McAfee Product Mitigation

McAfee Foundstone

Signature:

(MS10-002) Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability II (978207)

Signature identifier:

7677

Release date:

1/14/2010

McAfee Intrushield

The UDS release of January 18 contains the signature "UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption III" which provides coverage.

Signature:

UDS

Signature identifier:

0x40278200

Release date:

1/18/2009

First released in:

UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption

McAfee Anti-Virus protection

Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll) in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele(5860).

Signature:

DATs

Signature identifier:

5862

Release date:

1/15/2009

First released in:

Exploit-Comele / Roarur.dr / Roarur.dll

McAfee Anti-Virus protection

Partial coverage is provided as Exploit-Comele in the 5862 DATs, released January 15, for known exploits. Updated coverage will be released on February 6 in the 5882 DATs.

Signature:

DATs

Signature identifier:

5882

Release date:

2/6/2010

First released in:

Exploit-Comele

McAfee Anti-Virus protection

Partial coverage will provided as Exploit-Comele!demo in 5882 DATs, to be released February 6, for known exploits.

Signature:

DATs

Signature identifier:

5882

Release date:

2/6/2010

First released in:

Exploit-Comele!demo

The remedy Vflash of 1/21/2010 contains remedies for this issue.

Signature:

Cumulative Security Update for Internet Explorer (978207)

Release date:

1/15/2010

Additional Resources

Additional Resources -

Security Advisory 979352 – Vulnerability in Internet Explorer Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/979352.mspx

Microsoft Security Bulletin MS10-002 - Critical Cumulative Security Update for Internet Explorer (978207)

http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx