CVE-2012-4792
critical-risk
Published 2012-12-30
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
Do I need to act?
91.4% chance of exploitation in next 30 days
EPSS score — higher than 9% of all CVEs
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.8/10 · High
NETWORK / LOW complexity
Affected Products (3)
Affected Vendors
References (27)
Third Party Advisory
http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against...
Third Party Advisory
http://packetstormsecurity.com/files/119168/Microsoft-Internet-Explorer-CDwnBind...
Third Party Advisory
http://www.kb.cert.org/vuls/id/154201
Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA13-008A.html
Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA13-015A.html
Third Party Advisory
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/wind...
and 7 more references
73 / 100
critical-risk
Severity
30/34 · Critical
Exploitability
34/34 · Critical
Exposure
9/34 · Low