CVE-2011-1345

Current Description

Microsoft Internet Explorer 6, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, as demonstrated by Stephen Fewer as the first of three chained vulnerabilities during a Pwn2Own competition at CanSecWest 2011, aka "Object Management Memory Corruption Vulnerability."

Basic Data

Published: March 10, 2011
Last Modified: October 12, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-noinfo
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 9.3
Severity: HIGH
Exploitability Score: 8.6
Impact Score: 10.0
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • AND
    • OR - Configuration 1
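      | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | 2.3 | Application | Microsoft | Ie | 8 | * | * | * | * | * | * | * | | | | |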
    • OR Running on/with:
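      | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | 2.3 | OS | Microsoft | Windows 7 | * | * | * | * | * | * | * | * | | | | |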

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Ie | 8 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011 | MISC | http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011 | |
| http://twitter.com/aaronportnoy/statuses/45642180118855680 | MISC | http://twitter.com/aaronportnoy/statuses/45642180118855680 | |
| http://twitter.com/msftsecresponse/statuses/45646985998516224 | MISC | http://twitter.com/msftsecresponse/statuses/45646985998516224 | |
| http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own | MISC | http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own | |
| 46821 | BID | http://www.securityfocus.com/bid/46821 | |
| 1025327 | SECTRACK | http://www.securitytracker.com/id?1025327 | |
| TA11-102A | CERT | http://www.us-cert.gov/cas/techalerts/TA11-102A.html | US Government Resource |
| http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/8367 | MISC | http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/836 | |
| MS11-018 | MS | https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-018 | |
| ms-ie-unspec-code-exec(66062) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/66062 | |
| oval:org.mitre.oval:def:12228 | OVAL | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12228 | |
| https://threatpost.com/en_us/blogs/pwn2own-winner-stephen-fewer-031011 | MISC | https://threatpost.com/en_us/blogs/pwn2own-winner-stephen-fewer-031011 | |