CVE-2008-3475
published 2008-10-15CVE-2008-3475: Microsoft Internet Explorer 6 does not properly handle errors related to using the componentFromPoint method on xml objects that have been (1) incorrectly…
PriorityP353high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
39.86%
98.4th percentile
Microsoft Internet Explorer 6 does not properly handle errors related to using the componentFromPoint method on xml objects that have been (1) incorrectly initialized or (2) deleted, which allows remote attackers to execute arbitrary code via a crafted HTML document, aka "Uninitialized Memory Corruption Vulnerability."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
Improper Initialization
mitre_cwe
CWE-665 Improper Initialization
CWE-665: Improper Initialization
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.
Modes of Introduction:
Phase: Implementation
Note: This weakness can occur in code paths that are not well-tested, such as rare error conditions. This is because the use of uninitialized data would be noticed as a bug during frequently-used functionality.
Phase: Operation
Common Consequences:
Scope: Confidentiality. Impact: Read Memory, Read Application Data. When reusing a resource such as memory or a program
CWE
Use of Uninitialized Resource
mitre_cwe
CWE-908 Use of Uninitialized Resource
CWE-908: Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.
When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Confidentiality. Impact: Read Memory, Read Application Data. When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Scope: Availability. Impact: DoS: Crash, Exit, or Restart. The uninitialized resource may contain values that cause program flow to change in ways that t
http://ifsec.blogspot.com/2008/10/internet-explorer-6-componentfrompoint.htmlhttp://marc.info/?l=bugtraq&m=122479227205998&w=2http://www.securityfocus.com/archive/1/497380/100/0/threadedhttp://www.securityfocus.com/bid/31617http://www.securitytracker.com/id?1021047http://www.us-cert.gov/cas/techalerts/TA08-288A.htmlhttp://www.vupen.com/english/advisories/2008/2809http://www.zerodayinitiative.com/advisories/ZDI-08-069/https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-058https://exchange.xforce.ibmcloud.com/vulnerabilities/45563https://exchange.xforce.ibmcloud.com/vulnerabilities/45565https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13151http://ifsec.blogspot.com/2008/10/internet-explorer-6-componentfrompoint.htmlhttp://marc.info/?l=bugtraq&m=122479227205998&w=2http://www.securityfocus.com/archive/1/497380/100/0/threadedhttp://www.securityfocus.com/bid/31617http://www.securitytracker.com/id?1021047http://www.us-cert.gov/cas/techalerts/TA08-288A.htmlhttp://www.vupen.com/english/advisories/2008/2809http://www.zerodayinitiative.com/advisories/ZDI-08-069/https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-058https://exchange.xforce.ibmcloud.com/vulnerabilities/45563https://exchange.xforce.ibmcloud.com/vulnerabilities/45565https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13151
2008-10-15
Published