Zero-Day Internet Explorer Table Handling Memory Corruption Vulnerability
(Microsoft Security Advisory 2458511, CVE-2010-3962)
Summary
A memory corruption vulnerability has been reported in Microsoft Internet Explorer. A remote attacker could exploit this issue by convincing a user to open a maliciously crafted HTML file with Internet Explorer, which will cause the browser to crash and may allow execution of arbitrary commands.
Details
The vulnerability is due to the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. To trigger this issue, an attacker may create a malicious web page that will cause Internet Explorer to exit unexpectedly. Successful exploitation of this vulnerability will crash the browser, and may allow execution of arbitrary code on the vulnerable system. There are reports that this flaw is already being exploited in targeted attacks.
Affected Products
Internet Explorer versions 6, 7, and 8 have this vulnerability.
Solution
As of November 7, 2010, Microsoft has not announced a patch for this vulnerability. However, the Check Point IPS Software Blade and NGX SmartDefense provide immediate network protection in the latest IPS update by detecting and blocking attempts to exploit this issue. For more information, see CPAI-2010-310.
Originally Published:
Last Updated: 07-Nov-2010