CVE-2010-3329
Published 2010-10-13
Priority P259 | critical | CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 28.84% (97.9th percentile)
mshtmled.dll in Microsoft Internet Explorer 7 and 8 allows remote attackers to execute arbitrary code via a crafted Microsoft Office document that causes the HtmlDlgHelper class destructor to access uninitialized memory, aka "Uninitialized Memory Corruption Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Monitor for instantiation of the HtmlDlgHelper ActiveX control (CLSID 3050f4e1-98b5-11cf-bb82-00aa00bdce0b) from within Microsoft Office documents (.XLS, .DOC), particularly in Office 2003 where the crash is triggered even if the user declines the ActiveX prompt.
- Detect crashes or access violations in mshtmled.dll originating from the CHtmlDlgHelper destructor call stack: mshtmled!ReleaseInterface -> mshtmled!CHtmlDlgHelper::~CHtmlDlgHelper -> mshtmled!ATL::CComAggObject::Release, especially when spawned from EXCEL.EXE or Office processes.
- Flag Office documents (.XLS, .DOC) that embed an ActiveX object with CLASSID 3050f4e1-98b5-11cf-bb82-00aa00bdce0b, as this is the trigger for the HtmlDlgHelper memory corruption vulnerability.
- In Office 2003, the vulnerability is triggered regardless of user response to the ActiveX safety prompt; detection should not rely solely on user acceptance of the ActiveX dialog.
- In Microsoft Office 2007 and Office 2010, the HtmlDlgHelper ActiveX control is disabled by default, significantly reducing attack surface on those platforms.
- The ActiveX control is marked 'Not Safe for Initialization' and normally prompts the user before execution; however, in Office 2003 the crash occurs even when the user denies the prompt, making user-interaction mitigations unreliable for that version.
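One way to implement the "flag Office documents that embed this CLSID" check above, as an added example that is not part of the original page or of any vendor tooling. It is a byte-level heuristic: the function names, the verdict labels and the sample bytes are constructed for illustration, and it assumes the CLSID is stored uncompressed, either as a binary GUID or as text.

```python
import sys
import uuid

# CLSID of the HtmlDlgHelper ActiveX control, as given on this page.
HTMLDLGHELPER_CLSID = uuid.UUID("3050f4e1-98b5-11cf-bb82-00aa00bdce0b")
# Magic bytes of an OLE2 compound file, the container of legacy .DOC/.XLS.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def scan_bytes(data):
    """Return (encoding, offset) pairs for every occurrence of the CLSID."""
    text = str(HTMLDLGHELPER_CLSID)   # canonical lower-case form
    lowered = data.lower()            # textual CLSIDs appear in either case
    needles = [
        # Windows GUID layout: first three fields little-endian.
        ("binary GUID", data, HTMLDLGHELPER_CLSID.bytes_le),
        ("ASCII string", lowered, text.encode("ascii")),
        ("UTF-16LE string", lowered, text.encode("utf-16-le")),
    ]
    hits = []
    for label, haystack, needle in needles:
        pos = haystack.find(needle)
        while pos != -1:
            hits.append((label, pos))
            pos = haystack.find(needle, pos + 1)
    return hits


def triage(name, data):
    """Return (verdict, hits); verdict is 'flag', 'review' or 'clean'."""
    hits = scan_bytes(data)
    if not hits:
        return "clean", hits
    legacy_office = (data.startswith(OLE2_MAGIC)
                     and name.lower().endswith((".xls", ".doc")))
    # CLSID inside a legacy Office container matches the page's indicator;
    # any other file carrying it is left for an analyst to review.
    return ("flag" if legacy_office else "review"), hits


if __name__ == "__main__":
    # Constructed sample: OLE2 header, padding, then the CLSID in binary form.
    sample = OLE2_MAGIC + b"\x00" * 24 + HTMLDLGHELPER_CLSID.bytes_le
    print("constructed.xls", triage("constructed.xls", sample))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(path, fh.read()))
```

A raw byte search does not see inside compressed or encrypted streams, so a "clean" verdict here only means the identifier was not found in the clear.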
No detection rules found.
- http://support.avaya.com/css/P8/documents/100113324
- http://www.securityfocus.com/bid/43706
- http://www.us-cert.gov/cas/techalerts/TA10-285A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-071
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7482