CVE-2012-1875 : Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbit

Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."

Published 2012-06-12 22:55:02

Updated 2023-12-07 18:38:57

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2012-1875

Probability of exploitation activity in the next 30 days: 97.06%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2012-1875

MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption

Disclosure Date: 2012-06-12

First seen: 2020-04-26

exploit/windows/browser/ms12_037_same_id

This module exploits a memory corruption flaw in Internet Explorer 8 when handling objects with the same ID property. At the moment this module targets IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging as well as the heap spray method seen

More information

CVSS scores for CVE-2012-1875

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2012-1875

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-1875

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15663

Repository / Oval Repository
http://www.us-cert.gov/cas/techalerts/TA12-164A.html

Microsoft Updates for Multiple Vulnerabilities | CISA
US Government Resource

CVEs referencing this url
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-037

Microsoft Security Bulletin MS12-037 - Critical | Microsoft Docs

CVEs referencing this url

Products affected by CVE-2012-1875

Microsoft » Internet Explorer » Version: 8
cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows 7 » X64 Edition
When used together with: Microsoft » Windows 7 » X86 Edition
When used together with: Microsoft » Windows 7 » Update SP1 X86 Edition
When used together with: Microsoft » Windows 7 » Version: N/A
When used together with: Microsoft » Windows 7 » Version: N/A Update SP1 X86 Edition
When used together with: Microsoft » Windows Server 2003 » Update SP2
When used together with: Microsoft » Windows Server 2008 » Update SP2 Itanium Edition
When used together with: Microsoft » Windows Server 2008 » Update SP2 X64 Edition
When used together with: Microsoft » Windows Server 2008 » Update SP2 X86 Edition
When used together with: Microsoft » Windows Server 2008 » Version: N/A Update SP2 Itanium Edition
When used together with: Microsoft » Windows Server 2008 » Version: R2 Itanium Edition
When used together with: Microsoft » Windows Server 2008 » Version: R2 X64 Edition
When used together with: Microsoft » Windows Vista » Update SP2
When used together with: Microsoft » Windows Xp » Update SP3
When used together with: Microsoft » Windows Xp » Version: N/A Update SP2 X64 Edition