Internet Explorer HTML+TIME element OuterText memory corruption

2010-12-16T00:00:00
ID SAINT:50FD83D05F9755C6A85B0AE9560D6E3E
Type saint
Reporter SAINT Corporation
Modified 2010-12-16T00:00:00

Description

Added: 12/16/2010
CVE: CVE-2010-3346
BID: 45261
OSVDB: 69829

Background

The HTML+TIME component of Internet Explorer adds timing and media synchronization support to HTML pages.

Problem

A memory corruption vulnerability in the HTML+TIME component allows command execution when a user loads a specially crafted web page in Internet Explorer.

Resolution

Apply the update referenced in Microsoft Security Bulletin 10-090.

References

<http://www.zerodayinitiative.com/advisories/ZDI-10-289/>

Limitations

Exploit works on Internet Explorer 7 on Windows XP SP3 with security update KB980182, and requires a user to load the exploit page in Internet Explorer.

Platforms

Windows XP