Summary
This host is missing a critical security update according to Microsoft Bulletin MS10-035.
Impact
Successful exploitation will allow remote attackers to bypass security restrictions, gain knowledge of sensitive information or compromise a vulnerable system.
Impact Level: System/Application
Solution
Run Windows Update and install the listed hotfixes, or download and install the hotfixes mentioned in the advisory at the following link: http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx
Insight
Multiple flaws are due to:
- An error in the way the browser handles content using specific strings when sanitizing HTML via the 'toStaticHTML' API.
- An uninitialized memory error when processing certain HTML data, which could be exploited by attackers to execute arbitrary code via a malicious web page.
- Caching data and incorrectly allowing the cached content to be rendered as HTML, which could allow attackers to bypass domain restrictions.
Affected
Microsoft Internet Explorer version 5.x/6.x/7.x/8.x
References
Severity
Classification
CVE: CVE-2010-0255, CVE-2010-1257, CVE-2010-1259, CVE-2010-1260, CVE-2010-1261, CVE-2010-1262
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Microsoft IE Developer Tools WMITools and Windows Messenger ActiveX Control Vulnerability (2508272)
- Active Directory Could Allow Remote Code Execution Vulnerability (957280)
- Microsoft DNS Resolution Remote Code Execution Vulnerability (2509553)
- Microsoft .NET Framework Multiple Vulnerabilities (2916607)
- Microsoft Embedded OpenType Font Engine Remote Code Execution Vulnerabilities (972270)