CVE-2010-3189
published 2010-08-31


Priority: P263 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 39.22% (98.4th percentile)
The extSetOwner function in the UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll) in Trend Micro Internet Security Pro 2010 allows remote attackers to execute arbitrary code via an invalid address that is dereferenced as a pointer.

Affected (1 range)

Vendor | Product | Version range | Fixed in
trendmicro | internet_security | |

Detection & IOCs (extracted from sources)

filename: UfPBCtrl.dll
other: CLSID:15DBC3F9-9F0A-472E-8061-043D9CEC52F0
command: extSetOwner()
  • Detect instantiation of the vulnerable ActiveX control by its CLSID (15DBC3F9-9F0A-472E-8061-043D9CEC52F0) in HTML/script content, which is the attack vector for this exploit.
  • Monitor for heap-spray patterns in JavaScript: large unescape() loops that fill blocks of about 0x40000 bytes, repeated for up to 500 allocations, which is characteristic of this exploit's heap-spray setup.
  • Flag HTTP responses of Content-Type text/html that contain both the CLSID 15DBC3F9-9F0A-472E-8061-043D9CEC52F0 and unescape() heap-spray JavaScript as a strong indicator of exploitation attempts.
  • The RET address 0x00C750A1 is specific to Windows XP SP0-SP2 / Windows Vista with IE 6.0 SP0-SP2 / IE 7; the exploit target list only covers this single configuration, so detections relying on this exact return address will not generalise to other OS/browser combinations.
  • The Metasploit module randomises all JavaScript variable names on each request, so signature-based detection on variable names will be ineffective; focus on structural patterns (CLSID + unescape heap spray) instead.
  • The payload bad-character constraint excludes null bytes (\x00) only; shellcode detection rules must account for this minimal encoding requirement.
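
The structural check described in the bullets above (CLSID plus unescape() heap-spray shape in a text/html response), as an added example that is not code from this page or from any vendor. The function name classify, the verdict labels, the block-size heuristic and the sample responses are assumptions constructed for illustration.

```python
import re

# CLSID of the UfProxyBrowserCtrl control, as listed on this page.
CLSID_RE = re.compile(r"15DBC3F9-9F0A-472E-8061-043D9CEC52F0", re.IGNORECASE)
# Structural heap-spray markers. They ignore variable names on purpose,
# because the page notes those are randomised on every request.
UNESCAPE_RE = re.compile(r"\bunescape\s*\(", re.IGNORECASE)
LOOP_RE = re.compile(r"\b(?:for|while)\s*\(")
# Block size near 0x40000 (hex or decimal); an assumed supporting heuristic.
BLOCK_RE = re.compile(r"\b(?:0x0*40000|262144)\b", re.IGNORECASE)


def classify(content_type: str, body: str) -> dict:
    """Return a verdict plus the indicators that fired for one HTTP response."""
    is_html = content_type.split(";")[0].strip().lower() == "text/html"
    hits = {
        "clsid": bool(CLSID_RE.search(body)),
        "unescape": bool(UNESCAPE_RE.search(body)),
        "loop": bool(LOOP_RE.search(body)),
        "block_size": bool(BLOCK_RE.search(body)),
    }
    spray = hits["unescape"] and hits["loop"]
    if is_html and hits["clsid"] and spray:
        verdict = "strong"   # CLSID + spray structure in text/html
    elif hits["clsid"] or spray:
        verdict = "review"   # only one half of the pattern is present
    else:
        verdict = "none"
    return {"verdict": verdict, "indicators": [k for k, v in hits.items() if v]}


# Constructed, inert samples (no method call, no payload) for the demo.
SAMPLE_HIT = (
    '<object classid="clsid:15dbc3f9-9f0a-472e-8061-043d9cec52f0" id="qX">'
    '</object><script>var kZ = unescape("%u4141%u4141");'
    "while (kZ.length < 0x40000) kZ += kZ;</script>"
)
SAMPLE_CLSID_ONLY = '<object classid="clsid:15DBC3F9-9F0A-472E-8061-043D9CEC52F0"></object>'
SAMPLE_BENIGN = "<script>var q = unescape(location.search);</script>"

if __name__ == "__main__":
    for name, ctype, body in [
        ("hit", "text/html; charset=utf-8", SAMPLE_HIT),
        ("clsid-only", "text/html", SAMPLE_CLSID_ONLY),
        ("benign", "text/html", SAMPLE_BENIGN),
    ]:
        print(name, classify(ctype, body))
```

The CLSID match is case-insensitive because HTML classid attributes may be written in either case; a "review" verdict is a triage hint, not a confirmed exploitation attempt.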