ID CVE-2007-3902
Summary Use-after-free vulnerability in the CRecalcProperty function in mshtml.dll in Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code by calling the setExpression method and then modifying the outerHTML property of an HTML element, one variant of "Uninitialized Memory Corruption Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:ie:5:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.01:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.01:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.01:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.01:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.01:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.01:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.01:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.01:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.01:sp4:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.01:sp4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.1:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:preview:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:preview:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.x:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.x:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0.2600:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0.2600:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0.2800:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0.2800:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0.2800.1106:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0.2800.1106:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0.2900:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0.2900:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0.2900.2180:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0.2900.2180:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:7:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:7:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:7.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:7.0:beta:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:7.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:7.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:7.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:7.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:7.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:7.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:7.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:7.0.5730.11:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:7.0.5730.11:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 15-10-2018 - 21:32)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
oval via4
accepted 2014-02-24T04:03:19.117-05:00
class vulnerability
contributors
  • name Jeff Ito
    organization Secure Elements, Inc.
  • name Chandan S
    organization SecPod Technologies
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Windows 2000 SP4 or later is installed
    oval oval:org.mitre.oval:def:229
  • comment Microsoft Internet Explorer 5.01 SP4 is installed
    oval oval:org.mitre.oval:def:325
  • comment Microsoft Windows 2000 SP4 or later is installed
    oval oval:org.mitre.oval:def:229
  • comment Microsoft Windows XP SP2 or later is installed
    oval oval:org.mitre.oval:def:521
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows Server 2003 SP1 (x86) is installed
    oval oval:org.mitre.oval:def:565
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 SP1 for Itanium is installed
    oval oval:org.mitre.oval:def:1205
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows Server 2003 SP2 (x86) is installed
    oval oval:org.mitre.oval:def:1935
  • comment Microsoft Windows Server 2003 SP2 (x64) is installed
    oval oval:org.mitre.oval:def:2161
  • comment Microsoft Windows Server 2003 (ia64) SP2 is installed
    oval oval:org.mitre.oval:def:1442
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP SP1 (64-bit) is installed
    oval oval:org.mitre.oval:def:480
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP x64 Edition SP2 is installed
    oval oval:org.mitre.oval:def:4193
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
description Use-after-free vulnerability in the CRecalcProperty function in mshtml.dll in Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code by calling the setExpression method and then modifying the outerHTML property of an HTML element, one variant of "Uninitialized Memory Corruption Vulnerability."
family windows
id oval:org.mitre.oval:def:4582
status accepted
submitted 2007-12-12T14:22:00
title Uninitialized Memory Corruption Vulnerability
version 76
refmap via4
bid 26506
bugtraq 20071211 ZDI-07-073: Microsoft Internet Explorer setExpression Vulnerability
cert TA07-345A
hp
  • HPSBST02299
  • SSRT071506
idefense 20071211 Microsoft Internet Explorer JavaScript setExpression Heap Corruption Vulnerability
misc http://www.zerodayinitiative.com/advisories/ZDI-07-073.html
sectrack 1019078
secunia 28036
vupen ADV-2007-4184
xf ie-uninit-object-code-execution(38713)
Last major update 15-10-2018 - 21:32
Published 12-12-2007 - 00:46
Last modified 15-10-2018 - 21:32
Back to Top