2012-06-12 This security update resolves one publicly disclosed and twelve privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities addressed in this bulletin:
HTML Sanitization Vulnerability
An information disclosure vulnerability exists in the way that Internet Explorer handles content using specific strings when sanitizing HTML. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could perform a cross-site scripting attack against the user, allowing the attacker to execute script in the user's security context against a site that is using the toStaticHTML method.
CVE-2012-1858
EUC-JP Character Encoding Vulnerability
An information disclosure vulnerability exists in Internet Explorer that could allow script to perform cross-site scripting attacks. An attacker could exploit the vulnerability by inserting specially crafted strings into a website, resulting in information disclosure when a user viewed the website.
CVE-2012-1872
Null Byte Information Disclosure Vulnerability
An information disclosure vulnerability exists in Internet Explorer that could allow an attacker to gain access and read Internet Explorer's process memory. An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow information disclosure if a user viewed the webpage. An attacker who successfully exploited this vulnerability could view content from Internet Explorer's process memory.
CVE-2012-1873
Developer Toolbar Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1874
Same ID Property Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1875
Center Element Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1523
Col Element Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that does not exist. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1876
Title Element Change Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1877
OnBeforeDeactivate Event Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1878
insertAdjacentText Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an undefined memory location. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1879
insertRow Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1880
OnRowsInserted Event Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE-2012-1881
Scrolling Events Information Disclosure Vulnerability
An information disclosure vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow information disclosure if a user viewed the webpage. An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone.
CVE-2012-1882

Bulletin details at Microsoft.com

Related CVE Entries

Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Center Element Remote Code Execution Vulnerability."
Max CVSS: 9.3; EPSS Score: 91.60%; Published: 2012-06-12; Updated: 2023-12-07
The toStaticHTML API (aka the SafeHTML component) in Microsoft Internet Explorer 8 and 9, Communicator 2007 R2, and Lync 2010 and 2010 Attendee does not properly handle event attributes and script, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document, aka "HTML Sanitization Vulnerability."
Max CVSS: 4.3; EPSS Score: 96.43%; Published: 2012-06-12; Updated: 2023-12-07
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 6 through 9 allows remote attackers to inject arbitrary web script or HTML via crafted character sequences with EUC-JP encoding, aka "EUC-JP Character Encoding Vulnerability."
Max CVSS: 4.3; EPSS Score: 0.58%; Published: 2012-06-12; Updated: 2023-12-07
Microsoft Internet Explorer 7 through 9 does not properly create and initialize string data, which allows remote attackers to obtain sensitive information from process memory via a crafted HTML document, aka "Null Byte Information Disclosure Vulnerability."
Max CVSS: 4.3; EPSS Score: 0.88%; Published: 2012-06-12; Updated: 2023-12-07
Microsoft Internet Explorer 8 and 9 does not properly handle objects in memory, which allows user-assisted remote attackers to execute arbitrary code by accessing a deleted object, aka "Developer Toolbar Remote Code Execution Vulnerability."
Max CVSS: 9.3; EPSS Score: 91.60%; Published: 2012-06-12; Updated: 2023-12-07

CVE-2012-1875

Public exploit
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."
Max CVSS: 9.3; EPSS Score: 97.06%; Published: 2012-06-12; Updated: 2023-12-07

CVE-2012-1876

Public exploit
Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access a nonexistent object, leading to a heap-based buffer overflow, aka "Col Element Remote Code Execution Vulnerability," as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012.
Max CVSS: 9.3; EPSS Score: 96.93%; Published: 2012-06-12; Updated: 2023-12-07
Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Title Element Change Remote Code Execution Vulnerability."
Max CVSS: 9.3; EPSS Score: 91.00%; Published: 2012-06-12; Updated: 2023-12-07
Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "OnBeforeDeactivate Event Remote Code Execution Vulnerability."
Max CVSS: 9.3; EPSS Score: 91.00%; Published: 2012-06-12; Updated: 2023-12-07
Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access an undefined memory location, aka "insertAdjacentText Remote Code Execution Vulnerability."
Max CVSS: 9.3; EPSS Score: 91.00%; Published: 2012-06-12; Updated: 2023-12-07
Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "insertRow Remote Code Execution Vulnerability."
Max CVSS: 9.3; EPSS Score: 91.00%; Published: 2012-06-12; Updated: 2023-12-07
Microsoft Internet Explorer 8 and 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "OnRowsInserted Event Remote Code Execution Vulnerability."
Max CVSS: 9.3; EPSS Score: 91.00%; Published: 2012-06-12; Updated: 2023-12-07
Microsoft Internet Explorer 6 through 9 does not block cross-domain scrolling events, which allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Scrolling Events Information Disclosure Vulnerability."
Max CVSS: 4.3; EPSS Score: 0.85%; Published: 2012-06-12; Updated: 2023-12-07