Listen to this Post
The vulnerability exists in iepeers.dll, the Peer Objects component of Internet Explorer 6, 6 SP1, and 7. When IE processes certain HTML elements that use peer objects (e.g., behaviors or custom tags), it creates C++ objects in memory. Under specific conditions, an attacker can force the deletion of a peer object (e.g., via JavaScript DOM manipulation) while a pointer to that object remains in use. After the object’s memory is freed, the dangling pointer is later dereferenced without proper validation. This use-after-free allows the attacker to control the freed memory – for example, by allocating attacker-controlled data (like a string or array) into the same memory location via heap spraying. When the browser subsequently calls a virtual function or accesses a member of the freed object, execution flow redirects to the attacker’s shellcode. The exploit typically leverages a crafted HTML page with JavaScript that triggers the race condition. The vulnerability was exploited in the wild in March 2010, leading to remote code execution under the user’s privileges.
dailycve form:
Platform: Internet Explorer
Version: 6,6SP1,7
Vulnerability : Use-after-free
Severity: Critical
date: March 2010
Prediction: 13 April 2010
What Undercode Say:
Analytics:
- Heap spray simulation: `for (var i=0; i<200; i++) { var buf = new Array(0x1000).join(unescape("%u0c0c%u0c0c")); }` - Detect IE version via user-agent: `if (navigator.userAgent.match(/MSIE (6|7)/)) { alert("Vulnerable"); }` - Memory layout check: `alert(window.iepeers_dll_version);` (if exposed)
Exploit:
Craft an HTML page with a peer object (e.g., `` or custom tag). Use JavaScript to delete the object (e.g., element.outerHTML = "";) while another event handler still references it. Trigger garbage collection via CollectGarbage(). Overwrite freed memory with a crafted array of NOP sled and shellcode. Redirect EIP to 0x0c0c0c0c (common heap spray address) leading to calc.exe or remote download.
Protection from this CVE:
- Apply Microsoft Security Bulletin MS10-018.
- Enable DEP (Data Execution Prevention) and ASLR where possible.
- Disable active scripting in Internet Zone or use Enhanced Security Configuration.
- Upgrade to a newer browser (IE8 or later with protections).
- Use EMET (Enhanced Mitigation Experience Toolkit) to block use-after-free patterns.
Impact:
Remote code execution in the context of the logged-in user. An attacker can take complete control of the system: install malware, steal credentials, create admin accounts, or perform further network pivoting. Drive-by download attacks via malicious websites or email links.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

