



Internet Explorer Cumulative Security Update

Report ID: SA201006555
Source: F-Secure
Date of Discovery: 14.12.2010
Criticality: Critical
Affects:
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Compromise From: From remote
Compromise Type: Exposure of system information
Remote code execution

Summary

A cumulative security update has been issued for Internet Explorer, addressing seven reported vulnerabilities that could lead to arbitrary code execution and information disclosure.

 

Detailed Description

Microsoft has issued a cumulative security update for Internet Explorer, which addresses multiple vulnerabilities that could result in remote code execution and information disclosure on affected systems. The seven vulnerabilities that were identified and fixed are as follows:

HTML object memory corruption vulnerabilities (CVE-2010-3340 and CVE-2010-3343)

Two remote code execution vulnerabilities that result when Internet Explorer tries to access an object that has been incorrectly initialized or deleted. These issues have been fixed in the update by modifying the way IE handles objects in memory.

Cross-domain information disclosure vulnerabilities (CVE-2010-3342 and CVE-2010-3348)

Two information disclosure vulnerabilities that are present when Internet Explorer incorrectly allows cached data to be rendered as HTML, potentially bypassing domain restrictions. The update resolves these issues by modifying the way IE handles script.

HTML element memory corruption vulnerabilities (CVE-2010-3345 and CVE-2010-3346)

Two remote code execution vulnerabilities that result when Internet Explorer attempts to access an object that has been incorrectly initialized or deleted. These issues have been fixed in the update by modifying the way IE handles objects in memory.

Uninitialized memory corruption vulnerability (CVE-2010-3962)

A remote code execution vulnerability that results when Internet Explorer tries to access an object that has not been initialized or has been deleted. This issue has been fixed in the update by modifying the way IE handles objects in memory.

Solution

Install the latest patch for the applicable version, available from http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx

Original Reference

CVE Reference

CVE-2010-3340
CVE-2010-3342
CVE-2010-3343
CVE-2010-3345
CVE-2010-3346
CVE-2010-3348
CVE-2010-3962