SB2011061403 - Multiple vulnerabilities in Microsoft Internet Explorer

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2011061403

SB2011061403 - Multiple vulnerabilities in Microsoft Internet Explorer

Published: June 14, 2011 Updated: March 20, 2017

Security Bulletin ID SB2011061403
Severity
Critical
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 73% Low 27%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2011-1246)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper rendering of Web pages by Internet Explorer. A remote unauthenticated attacker can trick the victim into opening a specially crafted Web content and gain access to potentially sensitive information in Internet Explorer zone or another domain.

Successful exploitation of this vulnerability results in information disclosure.


2) Information disclosure (CVE-ID: CVE-2011-1252)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper handling of content using specific strings when sanitizing HTML by Internet Explorer. A remote unauthenticated attacker can trick the victim into opening a specially crafted Web site thet uses toStaticHTML API and gain access to potentially sensitive information on the system.

Successful exploitation of this vulnerability results in information disclosure.


3) Information disclosure (CVE-ID: CVE-2011-1258)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper rendering of Web pages by Internet Explorer. A remote unauthenticated attacker can a specially crafted Web page,  trick the victim into performing drag-and-drop operation on it and gain access to potentially sensitive information in Internet Explorer zone or another domain.

Successful exploitation of this vulnerability results in information disclosure.


4) Memory corruption (CVE-ID: CVE-2011-1250)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to link properties when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

5) Memory corruption (CVE-ID: CVE-2011-1251)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to DOM manipulation when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

6) Memory corruption (CVE-ID: CVE-2011-1254)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to drag and drop error when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

7) Memory corruption (CVE-ID: CVE-2011-1255)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to time element when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: According to experts from M86, the vulnerability was exploited in targeted attacks before the official patch release from Microsoft.

8) Memory corruption (CVE-ID: CVE-2011-1256)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to DOM modification when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

9) Memory corruption (CVE-ID: CVE-2011-1260)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to layout when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

10) Memory corruption (CVE-ID: CVE-2011-1261)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to selection object when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

11) Memory corruption (CVE-ID: CVE-2011-1262)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to HTTP redirect when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Remediation

Install update from vendor's website.

References