Microsoft Internet Explorer Multiple Use-After-Free

by Carol~ Moderator - 11/13/12 12:03 PM

In Reply to: VULNERABILITIES / FIXES - November 13, 2012 by Carol~ Moderator

Microsoft Internet Explorer Multiple Use-After-Free Vulnerabilities

Release Date : 2012-11-13

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status: Vendor Patch

Software: Microsoft Internet Explorer 9.x

Description:
Multiple vulnerabilities have been reported in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

1) A use-after-free error within the "CFormElement" class can be exploited to dereference already freed memory.

2) A use-after-free error within the "CTreePos" class can be exploited to dereference already freed memory.

3) A use-after-free error within the "CTreeNode" class can be exploited to dereference already freed memory.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

Solution:
Apply updates.

Provided and/or discovered by:
1, 2) The vendor credits Jose A. Vazquez, spa-s3c.blogspot.com via iDefense Labs
3) The vendor credits Cheng-da Tsai (Orange), Sung-ting Tsai, and Ming-chieh Pan (Nanika), Trend Micro

Original Advisory:
Microsoft (KB2761451):
http://technet.microsoft.com/en-us/security/bulletin/ms12-071

http://secunia.com/advisories/51202/