My next class:

Currently Unpatched Windows / Internet Explorer Vulnerabilities

Published: 2011-01-05. Last Updated: 2011-01-08 01:58:58 UTC
by Johannes Ullrich (Version: 2)
2 comment(s)

Update: Microsoft now created its own version of this table:

http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx

------

Thanks to our reader Dan for getting this started. Here is a preliminary table on various Internet Explorer and Windows vulnerabilities that are as of yet unpatched.Let me know if I forgot one. I originally planned to include some of the older issues, but none of them appears to be as relevant/serious as the issues in this list.

CVE Name Release Date Affected Exploit and comments Mitigation
 no CVE Use after free error within "mshtml.dll" Jan 5th 2011 IE 7,8 http://www.vupen.com/english/advisories/2011/0026  
CVE-2010-3970 Graphics Rendering Engine Jan 4th 2011 Windows XP/VIsta (not: 7, 2008 R2) Available

Disable shimgvw.dll

MSFT Advisory #2490606
no CVE WMI ActiveX Control Dec 23rd 2010 IE with WMI ActiveX Control installed
 See this Websense blog for details
 set killbit on affected ActiveX control
CVE-2010-3971 CSS Import Rule Processing Use-After-Free Vulnerability Dec 14th 2010 IE 6,7,8 PoC available. Critical

Enhanced Mitigation Experience Toolkit

MSFT Advisory #2488013

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: internet explorer microsoft msie
2 comment(s)
My next class:

Comments

Vuln. in IIS FTP from just before xmas:
http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx

Dave

Jan 6th 2011
1 decade ago

VUPEN has a whole list of unpatched Windows vulnerabilities:

http://www.vupen.com/english/Unpatched-Microsoft-Vulnerabilities.php

reswob

Jan 6th 2011
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives