CVE-2010-0248
Published 2010-01-22
CVE-2010-0248: Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing…
Priority P263 · high · 8.1 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 53.09% (98.8th percentile)
Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability."
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; file.data; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; fast_pattern; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_04, cve CVE_2010_0248, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_08;)
- Detect exploit trigger pattern in HTTP response body: presence of 'document.getElementById' with 'tableid' and '.cloneNode', combined with 'cells.urns' and 'cells.item' — all three content matches are required per the ET rule.
- The exploit targets CTableRowCellsCollectionCacheItem::GetNext in mshtml; a use-after-free is triggered by manipulating table row cell collection objects. Look for IE process crashes or heap corruption in mshtml.dll.
- Heap spray targets address 0x0c0c0c0c; detection of large repeated allocations filling this address range in IE process memory is indicative of exploitation.
- The Metasploit module fingerprints victims via User-Agent: targets 'NT 5.1' + 'MSIE 8' (IE 8 on XP SP3) and 'NT 6.1' + 'MSIE 8' (IE 8 on Windows 7). Anomalous server-side UA-based redirection to exploit pages may be detectable.
- ROP chain for IE 8 on XP SP3 uses msvcrt.dll gadgets; key ROP pivot return address is 0x77c15ed5. Presence of this address on the stack during IE execution is a strong exploit indicator.
- ROP chain for IE 8 on Windows 7 SP0 uses JRE (msvcr71.dll) gadgets; key ROP pivot return address is 0x7c348b05. Presence of this address on the stack during IE execution is a strong exploit indicator.
- The Metasploit module only supports IE 8 on Windows XP SP3 and IE 8 on Windows 7 SP0 as named targets; other IE versions (6, 6 SP1, 7) are affected by the CVE but will receive a 404 from this module.
- The JRE ROP chain targets msvcr71.dll (Java Runtime Environment); this chain only works if JRE is installed on the Windows 7 target. Without JRE, the :jre ROP chain will fail.
- Payload bad characters are restricted to null bytes only; payload space is limited to 1000 bytes with NOPs disabled.
CVSS provenance
nvd · v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
VulDB
Microsoft Internet Explorer 6/7/8 code injection (MS10-002 / Nessus ID 44110)
vuldb·2026-04-29·CVSS 8.1
CVE-2010-0248 [HIGH] Microsoft Internet Explorer 6/7/8 code injection (MS10-002 / Nessus ID 44110)
A vulnerability was found in Microsoft Internet Explorer 6/7/8. It has been rated as critical. This affects an unknown function. The manipulation leads to code injection.
This vulnerability is listed as CVE-2010-0248. The attack may be initiated remotely. There is no available exploit.
Applying a patch is the recommended action to fix this issue.
GHSA
GHSA-vqxq-fjhv-69jf: Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by
ghsa_unreviewed·2022-05-02
CVE-2010-0248 [HIGH] CWE-416 GHSA-vqxq-fjhv-69jf: Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by
Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability."
Suricata
ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt
suricata·2012-04-04
CVE-2010-0248 ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt
Exploit-DB
Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002) (Metasploit)
exploitdb·2012-03-22
CVE-2010-0248 Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002) (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "MS10-002 Internet Explorer Object Memory Use-After-Free",
'Description' => %q{
This module exploits a vulnerability found in Internet Explorer's
mshtml component. Due to the way IE handles objects in memory, it is
possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext
to be used even after it gets freed, therefore allowing remote code
execution under the context of the user.
This particular v
Metasploit
MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free
metasploit
This module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. This particular vulnerability was also one of 2012's Pwn2Own challenges, and was later explained by Peter Vreugdenhil with exploitation details. Instead of Peter's method, this module uses heap spraying like the 99% to store a specially crafted memory layout before re-using the freed memory.
No writeups or analysis indexed.
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-002
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55778
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8267
Published: 2010-01-22