CVE-2010-0249
Published 2010-01-15
Priority: P1 · 90 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-06-03
Exploited in the wild
EPSS: 91.88% (99.8th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs
bytes: \x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b
- Exploit delivers a malicious HTML page with heap spray using unescape() and a chunk size of 0x80000; look for large repeated NOP sled patterns in JavaScript alongside unescape() calls in IE traffic.
- Metasploit module uses a redirect with a random alphanumeric query string parameter as a URI gate; requests lacking a query string are redirected before exploit delivery — detect the redirect pattern followed by exploit HTML.
- Metasploit module sets 'Pragma: no-cache' header on the exploit response; combined with Content-Type: text/html and heap-spray JS, this header combination can aid detection.
- The exploit manipulates a COMMENT element object and uses an array of such elements; look for JavaScript creating large arrays of COMMENT DOM objects combined with event handler manipulation in IE.
- The heap spray NOP sled uses the Unicode value %u0a0a%u0a0a; scanning memory or network captures for repeated 0x0a0a0a0a patterns is indicative of this exploit's heap spray.
- The Metasploit module states only Internet Explorer 6 can be reliably exploited with this technique, despite the CVE affecting IE 6 through 8; detection tuned solely for IE6 user-agents may miss broader exploitation attempts.
- The Metasploit module randomizes all JavaScript variable names and HTML content on each request, making static string-based signatures unreliable; behavioral or structural detection is required.
- The exploit was observed in the wild as early as December 2009 (Operation Aurora); in-the-wild samples may differ from public PoC/Metasploit implementations.
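A structural check built from the indicators listed above, as an added example rather than code from any of the cited sources: it keys on API names and literals (unescape(), the %u0a0a%u0a0a sled, the 0x80000 chunk size, COMMENT element creation, the response headers) instead of variable names, which the public module randomizes. The function names, the 64-repeat raw-sled threshold and the sample pages are assumptions constructed for illustration.

```python
import re

# Structural indicators taken from the notes above; none depends on a
# variable name, since the public module randomizes those per request.
UNESCAPE = re.compile(r"\bunescape\s*\(", re.I)
SLED = re.compile(r"(?:%u0a0a){2,}", re.I)            # %u0a0a%u0a0a sled unit
CHUNK = re.compile(r"\b0x80000\b|\b524288\b", re.I)   # 0x80000 chunk size
COMMENT_EL = re.compile(r"createElement\s*\(\s*[\"']COMMENT[\"']", re.I)
RAW_SLED = re.compile(rb"(?:\x0a\x0a\x0a\x0a){64,}")  # threshold is an assumption


def score_html(headers, body):
    """Return the set of indicator names present in one HTTP response."""
    hdr = {k.lower(): v.lower() for k, v in headers.items()}
    hits = set()
    if "text/html" in hdr.get("content-type", "") and "no-cache" in hdr.get("pragma", ""):
        hits.add("html+pragma-no-cache")
    if UNESCAPE.search(body):
        hits.add("unescape")
    if SLED.search(body):
        hits.add("0a0a-sled")
    if CHUNK.search(body):
        hits.add("chunk-0x80000")
    if COMMENT_EL.search(body):
        hits.add("comment-element")
    return hits


def is_suspicious(headers, body):
    """Alert only on the combination: a sled fed to unescape() plus COMMENT objects."""
    hits = score_html(headers, body)
    return {"unescape", "0a0a-sled", "comment-element"} <= hits


def has_raw_sled(data):
    """True if a memory or packet dump holds a long run of 0x0a0a0a0a."""
    return RAW_SLED.search(data) is not None


# Constructed samples: marker-only page skeletons, not taken from any capture.
HDRS = {"Content-Type": "text/html", "Pragma": "no-cache"}
FLAGGED = ('<script>var qZx=unescape("%u0a0a%u0a0a");var kPw=0x80000;'
           'var rTb=[];rTb.push(document.createElement("COMMENT"));</script>')
BENIGN = '<script>var t=unescape("%20hello");</script><!-- comment -->'
```

Requiring the combination keeps ordinary pages that merely call unescape() or send Pragma: no-cache from alerting; samples that encode the sled or chunk size differently need the memory-side check instead.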
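CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |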
VulDB
Microsoft Internet Explorer 6/6 SP1/7/8 Event resource management (MSRC/ARC / VU#492515)
vuldb·2026-05-20·CVSS 8.8
CVE-2010-0249 [HIGH] Microsoft Internet Explorer 6/6 SP1/7/8 Event resource management (MSRC/ARC / VU#492515)
A vulnerability was found in Microsoft Internet Explorer 6/6 SP1/7/8 and classified as very critical. This affects an unknown function of the component Event Handler. Executing a manipulation can lead to improper resource management.
This vulnerability appears as CVE-2010-0249. The attack may be performed from remote. In addition, an exploit is available.
You should disable the affected component.
GHSA
GHSA-x2mp-6fmq-52qw: Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; W
ghsa_unreviewed·2022-05-02
CVE-2010-0249 [HIGH] CWE-416 GHSA-x2mp-6fmq-52qw: Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; W
VulnCheck
Microsoft Internet Explorer Use After Free
vulncheck·2010·CVSS 8.8
CVE-2010-0249 [HIGH] Microsoft Internet Explorer Use After Free
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailab
CISA
Microsoft Internet Explorer Use-After-Free Vulnerability
cisa·2026-05-20·CVSS 8.8
CVE-2010-0249 [HIGH] CWE-416 Microsoft Internet Explorer Use-After-Free Vulnerability
Vulnerability: Microsoft Internet Explorer Use-After-Free Vulnerability
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/979352 ; https://nvd.nist.gov/vuln/detail/CVE-2010-0249
Remediation Due Date: 2026-06-03
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - 'Aurora' Memory Corruption (MS10-002) (Metasploit)
exploitdb·2010-07-12
CVE-2010-0249 Microsoft Internet Explorer - 'Aurora' Memory Corruption (MS10-002) (Metasploit)
---
##
# $Id: ms10_002_aurora.rb 9787 2010-07-12 02:51:50Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
# :ua_minver => "6.0",
# :ua_maxver => "6.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :vuln_test => nil, # no way to test without just trying it
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer "Aurora" Memory Corruption',
'Description' => %q{
This module exploits a memory
Exploit-DB
Microsoft Internet Explorer 6 - 'Aurora' Memory Corruption (MS10-002)
exploitdb·2010-01-17·CVSS 8.8
CVE-2010-0249 [HIGH] Microsoft Internet Explorer 6 - 'Aurora' Memory Corruption (MS10-002)
---
#
# Author : Ahmed Obied ([email protected])
#
# This program acts as a web server that generates an exploit to
# target a vulnerability (CVE-2010-0249) in Internet Explorer.
# The exploit was tested using Internet Explorer 6 on Windows XP SP2.
# The exploit's payload spawns the calculator.
#
# Usage : python ie_aurora.py [port number]
#
import sys
import socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
class RequestHandler(BaseHTTPRequestHandler):
def convert_to_utf16(self, payload):
enc_payload = ''
for i in range(0, len(payload), 2):
num = 0
for j in range(0, 2):
num += (ord(payload[i + j]) & 0xff)
var obj, event_obj;
function spray_heap()
{
var chunk_size, payload, nopsled;
chun
Metasploit
MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
metasploit
This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the "Operation Aurora" attacks that led to the compromise of a number of high-profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample; as such, only Internet Explorer 6 can be reliably exploited.
Hackernews
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
blogs_hackernews·2026-05-21·CVSS 7.8
CVE-2026-41091 [HIGH] Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
## Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender have come under active exploitation in the wild.
The former, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system. Successful exploitation of the flaw could allow an attacker to gain SYSTEM privileges.
"Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft said in an advisory.
The second vulnerability under exploitation is CVE-2026-45498 (CVSS score:
Zscaler
Robint.us SideNote: "CuteQQ" | Zscaler
blogs_zscaler·2010-06-10·CVSS 8.8
[HIGH] Robint.us SideNote: "CuteQQ" | Zscaler
Zscaler
Inline Detection Of Evil JavaScript | Zscaler
blogs_zscaler·2010-05-11
Zscaler
Zscaler Deploys Protections for Internet Explorer Zero-Day Vulnerability | Zscaler
blogs_zscaler·CVSS 8.8
[HIGH] Zscaler Deploys Protections for Internet Explorer Zero-Day Vulnerability | Zscaler
Zscaler
Zscaler Positioned in the Visionaries Quadrant of the Magic Quadrant for Secure Web Gateway | Zscaler
blogs_zscaler
Zscaler
Zscaler protects against Operation Aurora | 01-20-2010
blogs_zscaler·CVSS 8.8
[HIGH] Zscaler protects against Operation Aurora | 01-20-2010
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
References
- http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
- http://news.cnet.com/8301-27080_3-10435232-245.html
- http://osvdb.org/61697
- http://securitytracker.com/id?1023462
- http://support.microsoft.com/kb/979352
- http://www.exploit-db.com/exploits/11167
- http://www.kb.cert.org/vuls/id/492515
- http://www.microsoft.com/technet/security/advisory/979352.mspx
- http://www.securityfocus.com/bid/37815
- http://www.us-cert.gov/cas/techalerts/TA10-055A.html
- http://www.vupen.com/english/advisories/2010/0135
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-002
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55642
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6835
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-0249
Timeline
- 2010-01-15: Published
- 2026-05-20: Added to CISA KEV