CVE-2009-3672
published 2009-12-02


Priority: P261 critical
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 71.80% (99.3th percentile)
Microsoft Internet Explorer 6 and 7 does not properly handle objects in memory that (1) were not properly initialized or (2) are deleted, which allows remote attackers to execute arbitrary code via vectors involving a call to the getElementsByTagName method for the STYLE tag name, selection of the single element in the returned list, and a change to the outerHTML property of this element, related to Cascading Style Sheets (CSS) and mshtml.dll, aka "HTML Object Memory Corruption Vulnerability." NOTE: some of these details are obtained from third party information. NOTE: this issue was originally assigned CVE-2009-4054, but Microsoft assigned a duplicate identifier of CVE-2009-3672. CVE consumers should use this identifier instead of CVE-2009-4054.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

filename: mshtml.dll
command: document.getElementsByTagName('STYLE')[0].outerHTML++
other: %u0c0c%u0c0c
  • Detect exploit trigger pattern: JavaScript call to getElementsByTagName('STYLE') followed by assignment to outerHTML on the returned element, which is the specific trigger for the memory corruption.
  • Detect heap spray using the 0x0c0c0c0c address pattern (%u0c0c%u0c0c) in JavaScript unescape calls within HTML delivered to Internet Explorer, a hallmark of this exploit's shellcode staging.
  • HTTP responses exploiting this vulnerability use gzip compression and chunked transfer encoding; monitor for text/html responses with both 'Content-Encoding: gzip' and 'Transfer-Encoding: chunked' containing STYLE tag manipulation JavaScript.
  • Flag HTML pages targeting IE6/IE7 on Windows that contain inline JavaScript performing outerHTML modification on a STYLE element retrieved via getElementsByTagName, combined with a large unescape-based heap spray loop.
  • Monitor for known crash/EIP values in mshtml.dll associated with this vulnerability on specific OS/IE version combinations: 0x501d6bd8 (Vista IE7 mshtml 7.0.6001.18203), 0xc5fe7dc9 (XP SP3 IE6 mshtml 6.0.2900.5848), 0x6e767fae (2k3 SP2 IE6 mshtml 6.0.3790.4470), 0x6cf941a7 (2k3 SP2 IE7 mshtml 7.0.6000.16825).
  • The Metasploit module uses randomized JavaScript variable names (rand_text_alpha) for all key variables, making static string-based signatures unreliable; detection must focus on behavioral patterns (getElementsByTagName('STYLE') + outerHTML mutation + heap spray) rather than fixed variable names.
  • The exploit payload space is limited to 1000 bytes with null bytes as bad characters; staged/larger payloads may not function correctly in this exploit.
  • On Windows XP SP3 with IE7 (mshtml.dll 7.0.5730.13), the exploit results in a null dereference rather than reliable code execution, reducing its effectiveness on that specific target.
  • This CVE was originally assigned CVE-2009-4054; CVE-2009-3672 is the authoritative Microsoft-assigned identifier. Detection rules and threat intel referencing CVE-2009-4054 should be updated to use CVE-2009-3672.
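The behavioral detection the notes above describe (STYLE lookup plus outerHTML mutation, backed by the %u0c0c heap-spray string and the gzip+chunked transport) can be applied to a captured HTML response. The following is an added example, not a rule from any of the cited sources; the function name, the verdict levels and the sample bodies are constructed for illustration.

```python
import re

# Behavioural indicators from the detection notes above; variable names in
# the exploit are randomized, so only the call/property pattern is matched.
STYLE_LOOKUP = re.compile(r"getElementsByTagName\s*\(\s*['\"]STYLE['\"]\s*\)", re.IGNORECASE)
OUTERHTML_MUTATION = re.compile(r"\.outerHTML\s*(?:\+\+|\+?=(?!=))")
HEAP_SPRAY_0C0C = re.compile(r"unescape\s*\(\s*['\"](?:%u0c0c){2,}", re.IGNORECASE)


def inspect_response(html, headers=None):
    """Score one HTML body plus optional response headers for this CVE's pattern.

    'trigger' needs both the STYLE lookup and an outerHTML mutation, because
    each alone is common in benign pages. 'spray' and 'transport' are
    supporting signals that raise the verdict (levels are this example's own).
    """
    hdrs = {k.lower(): v.lower() for k, v in (headers or {}).items()}
    trigger = bool(STYLE_LOOKUP.search(html) and OUTERHTML_MUTATION.search(html))
    spray = bool(HEAP_SPRAY_0C0C.search(html))
    transport = ("text/html" in hdrs.get("content-type", "")
                 and "gzip" in hdrs.get("content-encoding", "")
                 and "chunked" in hdrs.get("transfer-encoding", ""))
    if trigger and spray:
        verdict = "high"
    elif trigger:
        verdict = "medium"
    else:
        verdict = "none"
    return {"trigger": trigger, "spray": spray, "transport": transport, "verdict": verdict}


# Constructed samples (not captured traffic). The suspicious one uses
# arbitrary variable names to show the match does not depend on them.
SUSPICIOUS_HTML = """<html><script>
var kQx = unescape("%u0c0c%u0c0c");
var pZa = document.getElementsByTagName('STYLE');
pZa[0].outerHTML++;
</script><style></style></html>"""
BENIGN_HTML = """<html><script>
var box = document.getElementsByTagName('div')[0];
if (box.outerHTML == '') { box.outerHTML = '<b>hi</b>'; }
</script></html>"""
SUSPICIOUS_HEADERS = {"Content-Type": "text/html", "Content-Encoding": "gzip",
                      "Transfer-Encoding": "chunked"}

if __name__ == "__main__":
    for label, body, hdr in (("suspicious", SUSPICIOUS_HTML, SUSPICIOUS_HEADERS),
                             ("benign", BENIGN_HTML, {})):
        print(label, inspect_response(body, hdr))
```

The comparison `box.outerHTML == ''` in the benign sample is deliberately not counted as a mutation, which is why the assignment pattern excludes `==`.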