cbcvebase.
CVE-2010-3329
published 2010-10-13

CVE-2010-3329: mshtmled.dll in Microsoft Internet Explorer 7 and 8 allows remote attackers to execute arbitrary code via a crafted Microsoft Office document that causes the…

PriorityP259critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
28.84%
97.9th percentile
mshtmled.dll in Microsoft Internet Explorer 7 and 8 allows remote attackers to execute arbitrary code via a crafted Microsoft Office document that causes the HtmlDlgHelper class destructor to access uninitialized memory, aka "Uninitialized Memory Corruption Vulnerability."

Affected

2 ranges
VendorProductVersion rangeFixed in
microsoftinternet_explorer
microsoftinternet_explorer

Detection & IOCsextracted from sources · hover to see the quote

filenamemshtmled.dll
otherCLASSID:3050f4e1-98b5-11cf-bb82-00aa00bdce0b
versionmshtmled.dll v8.0.6001.18702
versionmshtmled.dll v8.0.6001.18000
versionmshtmled.dll v7.0.6000.17023
versionmshtmled.dll v7.0.6000.17080
  • Monitor for instantiation of the HtmlDlgHelper ActiveX control (CLSID 3050f4e1-98b5-11cf-bb82-00aa00bdce0b) from within Microsoft Office documents (.XLS, .DOC), particularly in Office 2003 where the crash is triggered even if the user declines the ActiveX prompt.
  • Detect crashes or access violations in mshtmled.dll originating from the CHtmlDlgHelper destructor call stack: mshtmled!ReleaseInterface -> mshtmled!CHtmlDlgHelper::~CHtmlDlgHelper -> mshtmled!ATL::CComAggObject::Release, especially when spawned from EXCEL.EXE or Office processes.
  • Flag Office documents (.XLS, .DOC) that embed an ActiveX object with CLASSID 3050f4e1-98b5-11cf-bb82-00aa00bdce0b, as this is the trigger for the HtmlDlgHelper memory corruption vulnerability.
  • In Office 2003, the vulnerability is triggered regardless of user response to the ActiveX safety prompt — detection should not rely solely on user acceptance of the ActiveX dialog.
  • ·In Microsoft Office 2007 and Office 2010, the HtmlDlgHelper ActiveX control is disabled by default, significantly reducing attack surface on those platforms.
  • ·The ActiveX control is marked 'Not Safe for Initialization' and normally prompts the user before execution; however, in Office 2003 the crash occurs even when the user denies the prompt, making user-interaction mitigations unreliable for that version.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.