9.3

CVE-2010-0249

Warnung
Medienbericht
Exploit
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MicrosoftInternet Explorer Version5.0.1 Updatesp4
   MicrosoftWindows 2000 Version- Updatesp4
MicrosoftInternet Explorer Version6 Updatesp1
   MicrosoftWindows 2000 Version- Updatesp4
MicrosoftInternet Explorer Version6 Update-
   MicrosoftWindows Server 2003 Version- Updatesp2 HwPlatformitanium
   MicrosoftWindows Server 2003 Version- Updatesp2 HwPlatformx64
   MicrosoftWindows Xp Version- Updatesp2
   MicrosoftWindows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   MicrosoftWindows Xp Version- Updatesp3
MicrosoftInternet Explorer Version7.0
   MicrosoftWindows Server 2003 Version- Updatesp2 HwPlatformitanium
   MicrosoftWindows Server 2003 Version- Updatesp2 HwPlatformx64
   MicrosoftWindows Server 2008 Version-
   MicrosoftWindows Server 2008 Version- Updatesp2
   MicrosoftWindows Vista Version- SwEdition- HwPlatformx64
   MicrosoftWindows Vista Version- Updatesp1 SwEdition- HwPlatformx64
   MicrosoftWindows Vista Version- Updatesp2 SwEdition- HwPlatformx64
   MicrosoftWindows Xp Version- Updatesp2
   MicrosoftWindows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   MicrosoftWindows Xp Version- Updatesp3
MicrosoftInternet Explorer Version8
   MicrosoftWindows 7 Version-
   MicrosoftWindows Server 2003 Version- Updatesp2 HwPlatformx64
   MicrosoftWindows Server 2008 Version-
   MicrosoftWindows Server 2008 Version- Updatesp2
   MicrosoftWindows Server 2008 Versionr2 HwPlatformitanium
   MicrosoftWindows Server 2008 Versionr2 HwPlatformx64
   MicrosoftWindows Vista Version- SwEdition- HwPlatformx64
   MicrosoftWindows Vista Version- Updatesp1 SwEdition- HwPlatformx64
   MicrosoftWindows Vista Version- Updatesp2 SwEdition- HwPlatformx64
   MicrosoftWindows Xp Version- Updatesp2
   MicrosoftWindows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
   MicrosoftWindows Xp Version- Updatesp3

03.06.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Internet Explorer Use-After-Free Vulnerability

Schwachstelle

Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 91.89% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 9.3 8.6 10
AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
21.05.2026 14:09
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
21.05.2026 08:24
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-002
Patch
Vendor Advisory
http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
Vendor Advisory
Broken Link
http://news.cnet.com/8301-27080_3-10435232-245.html
Broken Link
http://osvdb.org/61697
Broken Link
http://securitytracker.com/id?1023462
Third Party Advisory
Broken Link
VDB Entry
http://support.microsoft.com/kb/979352
Patch
Vendor Advisory
http://www.exploit-db.com/exploits/11167
Third Party Advisory
Exploit
VDB Entry
http://www.kb.cert.org/vuls/id/492515
Third Party Advisory
US Government Resource
http://www.microsoft.com/technet/security/advisory/979352.mspx
Patch
Vendor Advisory
Broken Link
http://www.securityfocus.com/bid/37815
Third Party Advisory
Exploit
Broken Link
VDB Entry
http://www.us-cert.gov/cas/techalerts/TA10-055A.html
Third Party Advisory
US Government Resource
Broken Link
http://www.vupen.com/english/advisories/2010/0135
Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/55642
Third Party Advisory
VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6835
Broken Link
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-0249
US Government Resource