CVE-2008-4844
published 2008-12-11CVE-2008-4844: Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows…
PriorityP277critical9.3CVSS 2.0
AVNACMAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
66.51%
99.2th percentile
Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCsextracted from sources · hover to see the quote
pathC:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_2234.dll↗
registryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72C7B634-DEB3-48BD-90C1-6BBBFE171C75}↗
registryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}↗
bytes↗
%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100
- →Exploit triggers use-after-free in mshtml.dll via malformed XML DSO bindings; look for crafted HTML/XML documents using nested SPAN or MARQUEE elements combined with XML Island, XML DSO, or Tabular Data Control (TDC) tags targeting Internet Explorer. ↗
- →Payload explore.exe is packed with UPX; detect UPX-packed PE files dropped to disk as an initial triage indicator for this campaign. ↗
- →Monitor for creation of rootkit driver files NsPsDk01.sys through NsPsDk04.sys in %SystemRoot%\System32; these are dropped by explore.exe and registered as services. ↗
- →Snort rules for CVE-2008-4844 were released; reference VRT advisory at http://www.snort.org/vrt/advisories/vrt-rules-2008-12-11.html for rule details. ↗
- →Exploit uses heap spray with NOP sled pattern %u9090%u9090 and repeated block %u0c0c%u0c0c to position shellcode; detect this pattern in HTTP responses to IE clients. ↗
- →The Metasploit module ms08_078_xml_corruption uses .NET DLL memory technique to create a fake vtable at a known location; detect browser exploitation attempts leveraging .NET DLL memory spraying in conjunction with XML data binding requests. ↗
- →BHO CLSID {AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8} and {72C7B634-DEB3-48BD-90C1-6BBBFE171C75} are malicious; alert on registration of these CLSIDs in the Browser Helper Objects registry key. ↗
- ·The exploit URL http://wieyou.com and payload-hosting domains had very short TTLs (under 3 hours); these IOCs are historical and likely no longer active, but are useful for retrospective log analysis. ↗
- ·The shellcode in the Vista PoC (EDB-7410) executes calc.exe (CMD=C:\WINDOWS\system32\calc.exe) and is a proof-of-concept payload; real-world payloads differ and the byte signature should be used for PoC/scanner detection only. ↗
- ·Over 40 files were downloaded and executed during the observed campaign; the listed filenames and domains represent a subset of observed payloads and C2 infrastructure, not an exhaustive list. ↗
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4h75-mp4x-555f: Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml
ghsa_unreviewed·2022-05-14
CVE-2008-4844 [HIGH] GHSA-4h75-mp4x-555f: Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml
Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.
VulnCheck
Microsoft Internet Explorer CRecordInstance::TransferToDestination Remote Code Execution
vulncheck·2008·CVSS 9.3
CVE-2008-4844 [CRITICAL] Microsoft Internet Explorer CRecordInstance::TransferToDestination Remote Code Execution
Microsoft Internet Explorer CRecordInstance::TransferToDestination Remote Code Execution
Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2008-4844; https://learn.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - Data Binding Memory Corruption (MS08-078) (Metasploit)
exploitdb·2010-09-20
CVE-2008-4844 Microsoft Internet Explorer - Data Binding Memory Corruption (MS08-078) (Metasploit)
Microsoft Internet Explorer - Data Binding Memory Corruption (MS08-078) (Metasploit)
---
##
# $Id: ms08_078_xml_corruption.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
# :ua_minver => "7.0",
# :ua_maxver => "7.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :vuln_test => nil, # no way to test without just trying it
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer Data Binding Memory Corruption',
'Description' => %q{
This module
Exploit-DB
Microsoft Internet Explorer - XML Parsing Remote Buffer Overflow
exploitdb·2008-12-10
CVE-2008-4844 Microsoft Internet Explorer - XML Parsing Remote Buffer Overflow
Microsoft Internet Explorer - XML Parsing Remote Buffer Overflow
---
// k`sOSe 12/10/2008 - tested on winxp sp3, explorer 7.0.5730.13
// windows/exec - 141 bytes
// http://www.metasploit.com
// EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/7403.zip (2008-iesploit.tar.gz)
# milw0rm.com [2008-12-10]
Exploit-DB
Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow
exploitdb·2008-12-10
CVE-2008-4844 Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow
Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow
---
// k`sOSe 12/10/2008
// Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
// Heap spray address adjusted for Vista - muts / offensive-security.com
// http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html
// http://www.offensive-security.com/0day/iesploit-vista.rar
// windows/exec - 141 bytes
// http://www.metasploit.com
// EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe
var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40
Metasploit
MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
metasploit
MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there.
Unit42
Web-Based Threats: First Half 2019
blogs_unit42·2019-11-01
Web-Based Threats: First Half 2019
Threat Research Center
Trend Reports
Malware
## Web-Based Threats: First Half 2019
Fang Liu
Tao Yan
Jin Chen
Rongbo Shao
Zhanglin He
Bo Qu
Published: November 1, 2019
Malware
Trend Reports
Vulnerabilities
ELink
Exploit Kits
Malicious Domains
Malicious URL
Phishing
## Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system . In examining the data we collect, which includes URLs extracted from emails or submitted by API, we can identify patterns and trends which helps us discern prevalent web threats. This blog is the fifth installment in a series of posts tracking web-based threats over time, specifically, statistics pertaining to malicious URLs, domains, exploit kits, vulnerabilities, and phishing scams.
Unit42
Web-Based Threats: First Half 2019
blogs_unit42·2019-11-01
Web-Based Threats: First Half 2019
# Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data we collect, which includes URLs extracted from emails or submitted by API, we can identify patterns and trends which helps us discern prevalent web threats. This blog is the fifth installment in a series of posts tracking web-based threats over time, specifically, statistics pertaining to malicious URLs, domains, exploit kits, vulnerabilities, and phishing scams.
We observed a significant decrease in the activity of the Fallout exploit kit in the first quarter of 2019 while at the same time observing an increase in activity of the Kaixin exploit kit in the second quarter. Kaixin is primarily observed hosted in China and with the increased popularit
Unit42
Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
blogs_unit42·2019-05-30·CVSS 8.8
[HIGH] Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data it collects, which are URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fourth (4th quarter of 2018) installment in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, CVEs, and now, phishing scams.
The key findings in this quarter’s report in summary are:
1. After Q4 saw an increase in malicious URLs, ending a trend of decreasing malicious URLs starting in Q1 and continuing through Q3.
2. For the first time in our tracking, the United States is not the number one
Unit42
Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
blogs_unit42·2019-05-30·CVSS 8.8
CVE-2018-8174 [HIGH] Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Threat Research Center
Trend Reports
Malware
## Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Published: May 30, 2019
Malware
Trend Reports
Vulnerabilities
Azorult
CVE-2018-8174
ELink
Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system . In examining the data it collects, which are URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fourth (4th quarter of 2018) installment in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, CVEs, and now, ph
Unit42
Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42·2018-12-27·CVSS 9.8
[CRITICAL] Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
# Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which helps us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain data; there was a significant drop in the number of malicious URLs as well as a drop in malicious domains that will be discussed below. In addition, we will be covering an interesting malicious Flash SWF that exploits CVE-2015-5119.
# URLs
Based on our analysis of dat
Unit42
Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42·2018-12-27·CVSS 9.8
CVE-2015-5119 [CRITICAL] Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
Threat Research Center
Trend Reports
Malware
## Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Xingyu Jin
Published: December 27, 2018
Malware
Trend Reports
Vulnerabilities
CVE-2015-5119
ELink
## Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which helps us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain d
Unit42
Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
blogs_unit42·2018-09-05·CVSS 7.5
CVE-2018-8174 [HIGH] Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
Threat Research Center
Trend Reports
Vulnerabilities
## Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Published: September 5, 2018
Malware
Trend Reports
Vulnerabilities
CVE-2018-8174
ELink
Executive Summary
In Q2, the United States was number one for hosting malicious domains and exploit kits.
Unit 42 regularly analyzes statistical data from our Email Link Analysis (ELINK) to understand the patterns and trends in current web threats. This blog outlines our analysis for April – June (Q2) 2018 and follows up our previous blog analyzing web-based threats for January – March (Q1) 2018 that can be found here . We also provide detailed analysis of attacks against CVE-2018-8174 (a vulnerabil
Unit42
Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
blogs_unit42·2018-09-05·CVSS 7.5
CVE-2018-8174 [HIGH] Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
Executive Summary
In Q2, the United States was number one for hosting malicious domains and exploit kits.
Unit 42 regularly analyzes statistical data from our Email Link Analysis (ELINK) to understand the patterns and trends in current web threats. This blog outlines our analysis for April – June (Q2) 2018 and follows up our previous blog analyzing web-based threats for January – March (Q1) 2018 that can be found here. We also provide detailed analysis of attacks against CVE-2018-8174 (a vulnerability we discuss below) using the Double Kill exploit.
What we found this quarter was that vulnerabilities under attack remained consistent, including very old vulnerabilities. One new vulnerability used zero-day attacks did rocket to near the top of the list.
The United States remained the num
Unit42
The Old and New: Current Trends in Web-based Threats
blogs_unit42·2018-06-20·CVSS 9.3
[CRITICAL] The Old and New: Current Trends in Web-based Threats
Summary
In this blog, Unit 42 is sharing analysis and statistics from our Email Link Analysis (ELINK) from the first quarter of 2018 and highlighting interesting findings of current web threats. We will first describe statistical information about CVEs, malicious URLs and Exploit Kits (EKs), then discuss the current life cycle of these web-based threats, and wrap up with two case studies about evolving EKs and a cryptocurrency miner.
Statistics analysis
CVEs
In the first quarter of 2018, we found 1583 malicious URLs across 496 different domains. Attackers used at least 8 old and public vulnerabilities as shown in Figure 1. The Top 3 CVEs used are
1. CVE-2014-6332: exploited by 774 malicious URLs
2. CVE-2016-0189: exploited by 219 malicious URLs
3. CVE-2015-5122: exploited by 85 malici
Unit42
The Old and New: Current Trends in Web-based Threats
blogs_unit42·2018-06-20·CVSS 9.3
CVE-2014-6332 [CRITICAL] The Old and New: Current Trends in Web-based Threats
Threat Research Center
Trend Reports
Vulnerabilities
## The Old and New: Current Trends in Web-based Threats
Tao Yan
Bo Qu
Zhanglin He
Rongbo Shao
Published: June 20, 2018
Malware
Trend Reports
Vulnerabilities
CVE-2014-6332
CVE-2016-0189
EK
Exploit kit
KaiXin
Rig
Sundown
Summary
In this blog, Unit 42 is sharing analysis and statistics from our Email Link Analysis (ELINK) from the first quarter of 2018 and highlighting interesting findings of current web threats. We will first describe statistical information about CVEs, malicious URLs and Exploit Kits (EKs), then discuss the current life cycle of these web-based threats, and wrap up with two case studies about evolving EKs and a cryptocurrency miner.
Statistics analysis
CVEs
In the first quarter of 2018, we found 1
Talos
Rootkit takes advantage of MS08-078 vulnerability
blogs_talos·2008-12-18·CVSS 9.3
CVE-2008-4844 [CRITICAL] Rootkit takes advantage of MS08-078 vulnerability
On December 17 2008, Microsoft released security update MS08-078 to patch a vulnerability found in several versions of Microsoft Internet Explorer. The root cause for this vulnerability was found to be the incorrect handling of certain XML tags in Internet Explorer that references already freed memory in mshtml.dll. Attacks using this vector trigger prior coverage on our CVE-2008-4844 Snort rules.
An example of a payload downloaded through this vulnerability is a file called explore.exe. This executable is surreptitiously pushed to a victim's computer via an exploit at one time found at http://wieyou.com (most exploits are taken down within hours). The file is packed with UPX to make it more difficult to analyze. Dynamic analysis techniques in a controlled environment provide the informat
Talos
Rootkit takes advantage of MS08-078 vulnerability
blogs_talos·2008-12-18·CVSS 9.3
CVE-2008-4844 [CRITICAL] Rootkit takes advantage of MS08-078 vulnerability
## Rootkit takes advantage of MS08-078 vulnerability
On December 17 2008, Microsoft released security update MS08-078 to patch a vulnerability found in several versions of Microsoft Internet Explorer. The root cause for this vulnerability was found to be the incorrect handling of certain XML tags in Internet Explorer that references already freed memory in mshtml.dll. Attacks using this vector trigger prior coverage on our CVE-2008-4844 Snort rules.
An example of a payload downloaded through this vulnerability is a file called explore.exe. This executable is surreptitiously pushed to a victim's computer via an exploit at one time found at http://wieyou.com (most exploits are taken down within hours). The file is packed with UPX to make it more difficult to analyze. Dynamic analysis techn
Talos
Out of band Microsoft Security Advisory for Internet Explorer CVE-2008-4844 and SQL Server vulnerability CVE-2008-5416
blogs_talos·2008-12-11·CVSS 9.3
CVE-2008-4844 [CRITICAL] Out of band Microsoft Security Advisory for Internet Explorer CVE-2008-4844 and SQL Server vulnerability CVE-2008-5416
## Out of band Microsoft Security Advisory for Internet Explorer CVE-2008-4844 and SQL Server vulnerability CVE-2008-5416
Today, Microsoft released a security advisory for Internet Explorer. Microsoft SQL server also has a problem with a stored procedure. In response, we released some new rules to detect attacks against these two products. Details on the rules are here http://www.snort.org/vrt/advisories/vrt-rules-2008-12-11.html .
Talos
Out of band Microsoft Security Advisory for Internet Explorer CVE-2008-4844 and SQL Server vulnerability CVE-2008-5416
blogs_talos·2008-12-11·CVSS 9.3
[CRITICAL] Out of band Microsoft Security Advisory for Internet Explorer CVE-2008-4844 and SQL Server vulnerability CVE-2008-5416
Today, Microsoft released a security advisory for Internet Explorer. Microsoft SQL server also has a problem with a stored procedure. In response, we released some new rules to detect attacks against these two products. Details on the rules are here http://www.snort.org/vrt/advisories/vrt-rules-2008-12-11.html.
http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspxhttp://code.google.com/p/inception-h2hc/http://isc.sans.org/diary.html?storyid=5458http://marc.info/?l=bugtraq&m=123015308222620&w=2http://secunia.com/advisories/33089http://www.avertlabs.com/research/blog/index.php/2008/12/09/yet-another-unpatched-drive-by-exploit-found-on-the-web/http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundayshttp://www.kb.cert.org/vuls/id/493881http://www.microsoft.com/technet/security/advisory/961051.mspxhttp://www.scanw.com/blog/archives/303http://www.securityfocus.com/bid/32721http://www.securitytracker.com/id?1021381http://www.us-cert.gov/cas/techalerts/TA08-344A.htmlhttp://www.us-cert.gov/cas/techalerts/TA08-352A.htmlhttp://www.vupen.com/english/advisories/2008/3391https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-078https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6007https://www.exploit-db.com/exploits/7403https://www.exploit-db.com/exploits/7410https://www.exploit-db.com/exploits/7477https://www.exploit-db.com/exploits/7583http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspxhttp://code.google.com/p/inception-h2hc/http://isc.sans.org/diary.html?storyid=5458http://marc.info/?l=bugtraq&m=123015308222620&w=2http://secunia.com/advisories/33089http://www.avertlabs.com/research/blog/index.php/2008/12/09/yet-another-unpatched-drive-by-exploit-found-on-the-web/http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundayshttp://www.kb.cert.org/vuls/id/493881http://www.microsoft.com/technet/security/advisory/961051.mspxhttp://www.scanw.com/blog/archives/303http://www.securityfocus.com/bid/32721http://www.securitytracker.com/id?1021381http://www.us-cert.gov/cas/techalerts/TA08-344A.htmlhttp://www.us-cert.gov/cas/techalerts/TA08-352A.htmlhttp://www.vupen.com/english/advisories/2008/3391https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-078https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6007https://www.exploit-db.com/exploits/7403https://www.exploit-db.com/exploits/7410https://www.exploit-db.com/exploits/7477https://www.exploit-db.com/exploits/7583
2008-12-11
Published
Exploited in the wild