cbcvebase.
CVE-2012-1875
published 2012-06-12


Priority P274 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 61.66% (99.1th percentile)
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

ip: 58.64.143.244
ip: 66.153.86.14
ip: 111.68.9.93
snort: SID 23125
  • CVE-2012-1875 exploits target IE8 specifically via DOM manipulation of objects with the same ID property; detection should focus on IE8 user-agent strings combined with suspicious heap spray JavaScript patterns.
  • The Metasploit module for CVE-2012-1875 targets IE 8 on Windows XP SP3 and Windows 7 SP1; network detection should key on HTML responses containing heap spray JavaScript delivered to MSIE 8.0 user agents.
  • The exploit uses ROP chains from msvcrt.dll and msvcr71.dll (JRE); process migration via 'migrate -f' is the default post-exploitation action, which may be visible in process telemetry.
  • CVE-2012-1875 was exploited by both Hidden Lynx (VOHO campaign) and the Elderwood Gang (Operation Aurora); detections should be correlated with C2 IPs 58.64.143.244, 66.153.86.14, and 111.68.9.93.
  • The crash signature for CVE-2012-1875 shows an access violation in mshtml.dll at DllGetClassObject+0xafd09 with eax=1c1c1c0c, indicative of a use-after-free on a heap-sprayed address; memory forensics should look for this pattern.
  • The Metasploit module supports an optional OBFUSCATE flag that enables JavaScript obfuscation and randomizes function/variable names (trigger, feng_shui, crash, do_unescape, main, MyA, imgTest), which will defeat static string-based signatures.
  • Snort SID 23125 coverage was verified against all known exploits in the wild at time of writing but requires continuous review as new exploit variants are released.

CVSS provenance

nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL