VUPEN Security Research - Microsoft Internet Explorer Layouts Use-after-free Vulnerability (CVE-2011-0094)
2011-04-17T00:00:00
ID SECURITYVULNS:DOC:26142 Type securityvulns Reporter Securityvulns Modified 2011-04-17T00:00:00
Description
VUPEN Security Research - Microsoft Internet Explorer Layouts Use-after-free
Vulnerability (CVE-2011-0094)
http://www.vupen.com/english/research.php
I. BACKGROUND
"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)
II. DESCRIPTION
VUPEN Vulnerability Research Team discovered a critical vulnerability
in Internet Explorer.
The vulnerability is caused by a use-after-free error in the
"CSpliceTreeEngine::InsertSplice()" function within the MSHTML library
when handling layouts, which could be exploited by remote attackers to
compromise a vulnerable system by tricking a user into visiting a specially
crafted web page.
CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
III. AFFECTED PRODUCTS
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
IV. Binary Analysis & Exploits/PoCs
In-depth binary analysis of the vulnerability and a code execution exploit
are available through the VUPEN Binary Analysis & Exploits Service:
http://www.vupen.com/english/services/ba-index.php
V. VUPEN Threat Protection Program
To proactively protect critical networks and infrastructures against
unpatched vulnerabilities and reduce risks related to zero-day attacks,
VUPEN shares its vulnerability research with governments and organizations
that are members of the VUPEN Threat Protection Program (TPP).
VUPEN TPP customers receive fully detailed, technical reports about
security vulnerabilities discovered by VUPEN in advance of their public
disclosure.
http://www.vupen.com/english/services/tpp-index.php
VI. SOLUTION
Apply the MS11-018 security update.
VII. CREDIT
This vulnerability was discovered by Nicolas Joly of VUPEN Security.
VIII. ABOUT VUPEN Security
VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.
Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.
VUPEN Vulnerability Notification Service (VNS) :
http://www.vupen.com/english/services/vns-index.php
VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php
VUPEN Threat Protection Program for Govs (TPP) :
http://www.vupen.com/english/services/tpp-index.php
VUPEN Web Application Security Scanner (WASS) :
http://www.vupen.com/english/services/wass-index.php
X. DISCLOSURE TIMELINE
2010-05-20 - Vulnerability Discovered by VUPEN
2011-04-12 - MS11-018 security update available
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Multiple Vulnerabilities (2497640)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900278\");\n script_version(\"2020-06-09T10:15:40+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 10:15:40 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-04-13 17:05:53 +0200 (Wed, 13 Apr 2011)\");\n script_cve_id(\"CVE-2011-0094\", \"CVE-2011-0346\", \"CVE-2011-1244\",\n \"CVE-2011-1245\", \"CVE-2011-1345\");\n script_bugtraq_id(47190, 45639, 47191, 47192, 46821);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Internet Explorer Multiple Vulnerabilities (2497640)\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2497640\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-018\");\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to execute arbitrary\n code in the context of the application. Failed exploit attempts will result\n in denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to\n\n - memory corruptions when Internet Explorer attempts to access incorrectly\n initialized memory or an object under certain conditions.\n\n - during certain processes, Internet Explorer incorrectly allows attackers\n to access and read content from different domains.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS11-018.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer){\n exit(0);\n}\n\n## MS11-018 Hotfix (2497640)\nif(hotfix_missing(name:\"2497640\") == 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllPath = sysPath + \"\\system32\\Iepeers.dll\";\nshare = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:dllPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:dllPath);\n\ndllVer = GetVer(file:file, 
share:share);\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 3\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.2900.6081\") ||\n version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6000.17095\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21297\")||\n version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.6001.19043\") ||\n version_in_range(version:dllVer, test_version:\"8.0.6001.23000\", test_version2:\"8.0.6001.23138\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.3790.4834\") ||\n version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6000.17095\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21297\")||\n version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.6001.19043\") ||\n version_in_range(version:dllVer, test_version:\"8.0.6001.23000\", test_version2:\"8.0.6001.23138\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0.6001.18000\", test_version2:\"7.0.6001.18601\")||\n 
version_in_range(version:dllVer, test_version:\"7.0.6001.22000\", test_version2:\"7.0.6001.22856\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.19000\", test_version2:\"8.0.6001.19047\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.23000\", test_version2:\"8.0.6001.23142\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18406\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22591\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.19000\", test_version2:\"8.0.6001.19047\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.23000\", test_version2:\"8.0.6001.23142\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.16765\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.20907\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-20T08:55:09", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-018.", "cvss3": {}, "published": "2011-04-13T00:00:00", "type": "openvas", "title": "Microsoft Internet Explorer Multiple Vulnerabilities (2497640)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-0094", "CVE-2011-1244", "CVE-2011-0346", "CVE-2011-1345", "CVE-2011-1245"], "modified": "2017-07-05T00:00:00", "id": "OPENVAS:900278", "href": 
"http://plugins.openvas.org/nasl.php?oid=900278", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-018.nasl 6526 2017-07-05 05:43:52Z cfischer $\n#\n# Microsoft Internet Explorer Multiple Vulnerabilities (2497640)\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to execute arbitrary\n code in the context of the application. 
Failed exploit attempts will result\n in denial-of-service conditions.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Internet Explorer version 6.x/7.x/8.x\";\ntag_insight = \"Multiple flaws are due to\n - memory corruptions when Internet Explorer attempts to access incorrectly\n initialized memory or an object under certain conditions.\n - during certain processes, Internet Explorer incorrectly allows attackers\n to access and read content from different domains.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS11-018.\";\n\nif(description)\n{\n script_id(900278);\n script_version(\"$Revision: 6526 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 07:43:52 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-13 17:05:53 +0200 (Wed, 13 Apr 2011)\");\n script_cve_id(\"CVE-2011-0094\", \"CVE-2011-0346\", \"CVE-2011-1244\",\n \"CVE-2011-1245\", \"CVE-2011-1345\");\n script_bugtraq_id(47190, 45639, 47191, 47192, 46821);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Internet Explorer Multiple Vulnerabilities (2497640)\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2497640\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_require_ports(139, 445);\n\n script_tag(name : \"impact\" , value : 
tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer){\n exit(0);\n}\n\n## MS11-018 Hotfix (2497640)\nif(hotfix_missing(name:\"2497640\") == 0){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllPath = sysPath + \"\\system32\\Iepeers.dll\";\nshare = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:dllPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:dllPath);\n\n## Get Version from Iepeers.dll file\ndllVer = GetVer(file:file, share:share);\nif(!dllVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 3\" >< SP)\n {\n ## Check for Iepeers.dll version\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.2900.6081\") ||\n version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6000.17095\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21297\")||\n version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.6001.19043\") ||\n version_in_range(version:dllVer, test_version:\"8.0.6001.23000\", test_version2:\"8.0.6001.23138\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n 
if(\"Service Pack 2\" >< SP)\n {\n ## Check for Iepeers.dll version\n if(version_in_range(version:dllVer, test_version:\"6.0\", test_version2:\"6.0.3790.4834\") ||\n version_in_range(version:dllVer, test_version:\"7.0\", test_version2:\"7.0.6000.17095\")||\n version_in_range(version:dllVer, test_version:\"7.0.6000.21000\", test_version2:\"7.0.6000.21297\")||\n version_in_range(version:dllVer, test_version:\"8.0\", test_version2:\"8.0.6001.19043\") ||\n version_in_range(version:dllVer, test_version:\"8.0.6001.23000\", test_version2:\"8.0.6001.23138\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows Vista and Windows Server 2008\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n ## Check for Iepeers.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0.6001.18000\", test_version2:\"7.0.6001.18601\")||\n version_in_range(version:dllVer, test_version:\"7.0.6001.22000\", test_version2:\"7.0.6001.22856\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.19000\", test_version2:\"8.0.6001.19047\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.23000\", test_version2:\"8.0.6001.23142\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n ## Check for Iepeers.dll version\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18406\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22591\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.19000\", test_version2:\"8.0.6001.19047\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.23000\", test_version2:\"8.0.6001.23142\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows 7\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n ## 
Check for Iepeers.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0.7600.16000\", test_version2:\"8.0.7600.16765\")||\n version_in_range(version:dllVer, test_version:\"8.0.7600.20000\", test_version2:\"8.0.7600.20907\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}