Computer Security
[EN] securityvulns.ru no-pyccku


Microsoft Internet Explorer multiple security vulnerabilities
updated since 13.06.2012
Published:25.06.2012
Source:
SecurityVulns ID:12404
Type:client
Threat Level:
9/10
Description:Multiple memory corruptions, code executions, information leakage.
Affected:MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
CVE:CVE-2012-1882 (Microsoft Internet Explorer 6 through 9 does not block cross-domain scrolling events, which allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Scrolling Events Information Disclosure Vulnerability.")
 CVE-2012-1881 (Microsoft Internet Explorer 8 and 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "OnRowsInserted Event Remote Code Execution Vulnerability.")
 CVE-2012-1880 (Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "insertRow Remote Code Execution Vulnerability.")
 CVE-2012-1879 (Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access an undefined memory location, aka "insertAdjacentText Remote Code Execution Vulnerability.")
 CVE-2012-1878 (Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "OnBeforeDeactivate Event Remote Code Execution Vulnerability.")
 CVE-2012-1877 (Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Title Element Change Remote Code Execution Vulnerability.")
 CVE-2012-1876 (Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access a nonexistent object, leading to a heap-based buffer overflow, aka "Col Element Remote Code Execution Vulnerability," as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012.)
 CVE-2012-1875 (Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability.")
 CVE-2012-1874 (Microsoft Internet Explorer 8 and 9 does not properly handle objects in memory, which allows user-assisted remote attackers to execute arbitrary code by accessing a deleted object, aka "Developer Toolbar Remote Code Execution Vulnerability.")
 CVE-2012-1873 (Microsoft Internet Explorer 7 through 9 does not properly create and initialize string data, which allows remote attackers to obtain sensitive information from process memory via a crafted HTML document, aka "Null Byte Information Disclosure Vulnerability.")
 CVE-2012-1872 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 6 through 9 allows remote attackers to inject arbitrary web script or HTML via crafted character sequences with EUC-JP encoding, aka "EUC-JP Character Encoding Vulnerability.")
 CVE-2012-1858 (The toStaticHTML API (aka the SafeHTML component) in Microsoft Internet Explorer 8 and 9, Communicator 2007 R2, and Lync 2010 and 2010 Attendee does not properly handle event attributes and script, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document, aka "HTML Sanitization Vulnerability.")
 CVE-2012-1523 (Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Center Element Remote Code Execution Vulnerability.")
Original documentdocumentVUPEN Security Research, VUPEN Security Research - Microsoft Internet Explorer "CollectionCache" Remote Use-after-free (MS12-037) (25.06.2012)
 documentVUPEN Security Research, VUPEN Security Research - Microsoft Internet Explorer "GetAtomTable" Remote Use-after-free (MS12-037 / CVE-2012-1875) (25.06.2012)
 documentVUPEN Security Research, VUPEN Security Research - Microsoft Internet Explorer "Col" Element Remote Heap Overflow (MS12-037 / CVE-2012-1876) (25.06.2012)
 documentvulnhunt_(at)_gmail.com, [CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution Vulnerability (17.06.2012)
 documentvulnhunt_(at)_gmail.com, [CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution Vulnerability (17.06.2012)
 documentZDI, ZDI-12-093 : (Pwn2Own) Microsoft Internet Explorer Fixed Table Colspan Remote Code Execution Vulnerability (17.06.2012)
Files:Microsoft Security Bulletin MS12-037 - Critical Cumulative Security Update for Internet Explorer (2699988)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod