CVE-2010-0249
published 2010-01-15


Priority P190 high · 8.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-06-03
Exploited in the wild
EPSS: 91.88% (99.8th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."

Affected

4 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer

Detection & IOCs (extracted from sources)

filename: aurora.gif
other: %u0a0a%u0a0a
bytes: \x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b
  • Exploit delivers a malicious HTML page with heap spray using unescape() and a chunk size of 0x80000; look for large repeated NOP sled patterns in JavaScript alongside unescape() calls in IE traffic.
  • Metasploit module uses a redirect with a random alphanumeric query string parameter as a URI gate; requests lacking a query string are redirected before exploit delivery — detect the redirect pattern followed by exploit HTML.
  • Metasploit module sets 'Pragma: no-cache' header on the exploit response; combined with Content-Type: text/html and heap-spray JS, this header combination can aid detection.
  • The exploit manipulates a COMMENT element object and uses an array of such elements; look for JavaScript creating large arrays of COMMENT DOM objects combined with event handler manipulation in IE.
  • The heap spray NOP sled uses the Unicode value %u0a0a%u0a0a; scanning memory or network captures for repeated 0x0a0a0a0a patterns is indicative of this exploit's heap spray.
  • The Metasploit module states only Internet Explorer 6 can be reliably exploited with this technique, despite the CVE affecting IE 6 through 8; detection tuned solely for IE6 user-agents may miss broader exploitation attempts.
  • The Metasploit module randomizes all JavaScript variable names and HTML content on each request, making static string-based signatures unreliable; behavioral or structural detection is required.
  • The exploit was observed in the wild as early as December 2009 (Operation Aurora); in-the-wild samples may differ from public PoC/Metasploit implementations.

CVSS provenance

nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH