A code execution vulnerability is present in some versions of Microsoft Internet Explorer.
The flaw resides in Internet Explorer's handling of certain DOM operations. Internet Explorer improperly accesses objects which have been deleted or incorrectly initialized. Successful exploitation could allow an attacker to execute arbitrary code. Exploitation can be achieved via a maliciously crafted file or a maliciously crafted web page. Failed exploit attempts may result in an application crash (DoS).

DEP and JavaScript
------------------

McAfee Labs has confirmed that this vulnerability affects Microsoft Internet Explorer versions 6, 7, and 8. However, currently observed exploits (1/14/2009) will only succeed in Internet Explorer installations where DEP (Data Execution Prevention) is *NOT* enabled. In addition, JavaScript must be enabled to allow successful exploitation. DEP is enabled by default in Internet Explorer 8, while Internet Explorer 7 contains a feature to enable DEP. Disabling JavaScript, while enabling DEP, will inhibit the success of exploits which are currently in the wild.

Attack Vector: Website or e-mail with malicious content
User Interaction: User interaction is needed
Vendor Status: Responded and patched
Vulnerable Systems
Internet Explorer
8,
Exploit code has been released.
2010-01-14: Exploit code has been released.
2010-01-14: Vendor has provided information on the vulnerability.
2010-01-15: A proof of concept has been released.
2010-01-18: A proof of concept has been released.
2010-01-21: Vendor has provided a patch.
2010-02-03: A proof of concept has been released.
2020-01-14: Vulnerability information has been publicly disclosed.
The vendor has released an update to address this issue:
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
Microsoft Security Bulletin MS10-002 - Critical Cumulative Security Update for Internet Explorer (978207)