Zero-day vulnerability in Microsoft Internet Explorer

According to experts from M86, this vulnerability was exploited in targeted attacks before the official patch release from Microsoft.

Advisory: SB2011061403 - Multiple vulnerabilities in Microsoft Internet Explorer

Vulnerable component: Microsoft Internet Explorer

CVE-ID: CVE-2011-1255

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Memory corruption

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error related to time element when Internet Explorer attempts to access objects that have not been correctly initialized or have been deleted. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: According to experts from M86, the vulnerability was exploited in targeted attacks before the official patch release from Microsoft.

- Microsoft Internet Explorer - Time Element Memory Corruption (MS11-050) [Exploit-DB]

External links:

http://news.softpedia.com/news/Recently-Patched-IE-Flaw-Exploited-as-Zero-Day-208646.shtml
http://digcert.com/docs/symantec/symantec_report_2012.htm
http://securityaffairs.co/wordpress/44749/cyber-crime/operation-dust-storm.html
https://technet.microsoft.com/en-us/library/security/ms11-050.aspx