BUGTRAQ ID: 43706 CVE ID: CVE-2010-3329 Internet Explorer是Windows操作系统中默认捆绑的WEB浏览器。 Windows在实例化Office文档(如.XLS、.DOC)中HtmlDlgHelper类对象(CLASSID: 3050f4e1-98b5-11cf-bb82-00aa00bdce0b)的方式存在内存破坏漏洞。有漏洞的模块是Internet Explorer中的mshtmled.dll,当调用CHtmlDlgHelper类的析构程序之后访问未初始化内存时就会在mshtmled.dll 中触发这个漏洞。以下是出现了漏洞的代码段: mshtmled!ReleaseInterface: 42b919c0 8bff mov edi,edi 42b919c2 55 push ebp 42b919c3 8bec mov ebp,esp 42b919c5 8b4508 mov eax,dword ptr [ebp+8] ss:0023:0013d104=00310065 42b919c8 85c0 test eax,eax 42b919ca 7406 je mshtmled!ReleaseInterface+0x12 (42b919d2) [br=0] 42b919cc 8b08 mov ecx,dword ptr [eax] ds:0023:00310065 42b919ce 50 push eax 42b919cf ff5108 call dword ptr [ecx+8] ds:0023:7d02029c=2a2c277a eax=00310065 ebx=00000000 ecx=7d020294 edx=df0b3d60 esi=001edbdc edi=00000000 eip=2a2c277a esp=0013d0f4 ebp=0013d0fc iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 Stack Trace: <Unloaded_ion.dll>+0x2a2c2779 mshtmled!ReleaseInterface+0x12...
BUGTRAQ ID: 43706 CVE ID: CVE-2010-3329 Internet Explorer是Windows操作系统中默认捆绑的WEB浏览器。 Windows在实例化Office文档(如.XLS、.DOC)中HtmlDlgHelper类对象(CLASSID: 3050f4e1-98b5-11cf-bb82-00aa00bdce0b)的方式存在内存破坏漏洞。有漏洞的模块是Internet Explorer中的mshtmled.dll,当调用CHtmlDlgHelper类的析构程序之后访问未初始化内存时就会在mshtmled.dll 中触发这个漏洞。以下是出现了漏洞的代码段: mshtmled!ReleaseInterface: 42b919c0 8bff mov edi,edi 42b919c2 55 push ebp 42b919c3 8bec mov ebp,esp 42b919c5 8b4508 mov eax,dword ptr [ebp+8] ss:0023:0013d104=00310065 42b919c8 85c0 test eax,eax 42b919ca 7406 je mshtmled!ReleaseInterface+0x12 (42b919d2) [br=0] 42b919cc 8b08 mov ecx,dword ptr [eax] ds:0023:00310065 42b919ce 50 push eax 42b919cf ff5108 call dword ptr [ecx+8] ds:0023:7d02029c=2a2c277a eax=00310065 ebx=00000000 ecx=7d020294 edx=df0b3d60 esi=001edbdc edi=00000000 eip=2a2c277a esp=0013d0f4 ebp=0013d0fc iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 Stack Trace: <Unloaded_ion.dll>+0x2a2c2779 mshtmled!ReleaseInterface+0x12 mshtmled!CHtmlDlgHelper::~CHtmlDlgHelper+0x10 mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::`scalar deleting destructor'+0xd mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::Release+0x27 VBE6!rtcStrConvVar+0xbd65 VBE6!rtcSetDatabaseLcid+0xa823 EXCEL!Ordinal41+0xd2ad0 EXCEL!Ordinal41+0x14082a USER32!CallWindowProcW+0x1b Instruction Address: 0x000000002a2c277a Microsoft Internet Explorer 8.0 Microsoft Internet Explorer 7.0 临时解决方法: * 禁止在Internet Explorer中运行COM对象。 如果要对CLSID值{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}设置kill bit,在文本编辑器(如写字板)中粘贴以下文本然后使用.reg文件名扩展保存文件。 Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}] "Compatibility Flags"=dword:00000400 通过双击将这个.reg文件应用到单个系统。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS10-071)以及相应补丁: MS10-071:Cumulative Security Update for Internet Explorer (2360131) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx?pf=true
