OSVDB ID: 81130

Title: Microsoft IE vgx.dll VML Style Deleted Object Handling Remote Memory Corruption

Info

Disclosure

Apr 10, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Apr 10, 2012

Description

A memory corruption flaw exists in Microsoft Internet Explorer. The program fails to sanitize user-supplied input when handling VML Styles and accessing a deleted object which may result in memory corruption. This may potentially allow a remote attacker to execute arbitrary code.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

Products

Microsoft Corporation	Internet Explorer	6
		7
		8
		9

References

Security Tracker: 1026901
CVE ID: 2012-0172 (see also: NVD)
Microsoft Knowledge Base Article: 2675157
Secunia Advisory ID: 48724
Bugtraq ID: 52906
ISS X-Force ID: 74383 74384
Related OSVDB ID: 81126 81127 81128 81129
Packet Storm: http://packetstormsecurity.org/files/111944/Microsoft-Internet-Explorer-VML-Remote-Code-Execution.html
Mail List Post: http://seclists.org/bugtraq/2012/Apr/123
Vendor Specific Advisory URL: http://technet.microsoft.com/en-us/security/bulletin/MS12-023
Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-12-066/

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/81130

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

Internet Explorer

References

Credit