Planned Fix

CVE-2010-0249

Remote Code Execution in Microsoft Internet Explorer

Summary

A use-after-free in Internet Explorer's HTML object handling lets a remote attacker run code when a victim opens a crafted webpage. The flaw was exploited in the wild as part of Operation Aurora and required no authentication, but it did require user interaction. Successful exploitation executes code as the logged-on user, which can lead to full compromise if that user has administrative rights.

Why Planned Fix?

5/6
No authentication required
Commonly internet-facing deployment
User interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes
Impact

Execute arbitrary code as the logged-on user

RCE (Remote Code Execution)
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker hosts or injects a malicious HTML page, then lures a victim to open it in Internet Explorer. The page uses crafted JavaScript and DOM/object operations, often combined with heap spraying, to trigger the browser's use-after-free in the HTML engine. When the dangling object reference is hit, attacker-controlled shellcode runs in the context of the browser user.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Internet Explorer
Affected Versions: 6, 6 SP1, 7, and 8
Description

Microsoft web browser for viewing websites and web-based content on Windows.

Deployment: Commonly internet-facing | Protocol: HTTP | Ports: 80, 443

Affected Component: HTML object handling in the browser's mshtml/Trident engine.

Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Vendor Size: Big
Remediation
Workaround
Enable DEP on IE6/IE7 and use Microsoft mitigations such as setting the Internet zone to High or disabling Active Scripting to reduce exposure until patched.

learn.microsoft.com
Patch

Not available

Update
Apply Microsoft Security Bulletin MS10-002 / KB978207 for the affected Internet Explorer releases.

learn.microsoft.com
Threat Intelligence
EPSS Score: 90.1%

Probability of exploitation in the next 30 days

EPSS Percentile: 100%

Worse than 100% of all CVEs

CISA KEV: Listed
Active Exploitation
Active
kb.cert.org
Threat Actors

No known threat actors

Detection Rules (2)
Snort: BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt
Other: HTTP:STC:IE:USE-AFTER-FREE

NVD Data

Description Summary

Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."

CVSS Base Score

8.8
High

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-416 Use After Free

Affected Software (CPE) (5)

  • cpe:2.3:a:microsoft:internet_explorer:5.0.1:sp4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:6:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*