CERT-In Vulnerability Note
CIVN-2010-0253
Multiple Vulnerabilities in Microsoft Internet Explorer
Original Issue Date: December 15, 2010
Severity Rating: HIGH
Systems Affected
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems
Component Affected
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8
Overview
Multiple vulnerabilities have been reported in Microsoft Internet Explorer. Successful exploitation of the most severe of these vulnerabilities could allow remote code execution on a vulnerable system and give the attacker complete control of it.
Description
1) HTML Object Memory Corruption Vulnerability (CVE-2010-3340)
This is a remote code execution vulnerability caused when Internet Explorer attempts to access incorrectly initialized memory under certain conditions. During the instantiation of multiple ActiveX controls, a particular object is created along with multiple references that point to it. The object can be destroyed and its associated references removed; however, one reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the currently logged-in user and take complete control of the affected system.
Workarounds
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Note: For detailed steps of these workarounds refer to Microsoft Security Bulletin MS10-090
2) Cross-Domain Information Disclosure Vulnerability (CVE-2010-3342)
This is an information disclosure vulnerability caused by improper handling of cached data by Internet Explorer. When processing and rendering cached data as HTML, Internet Explorer may improperly determine the origin of the data, allowing cached content to violate cross-domain security and access information in other security zones. An attacker who successfully exploited this vulnerability could view content from the local computer or from a browser window in a domain or Internet Explorer zone other than that of the attacker's Web page. This vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur.
Workarounds
- Read e-mails in plain text
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Note: For detailed steps of these workarounds refer to Microsoft Security Bulletin MS10-090
3) HTML Object Memory Corruption Vulnerability (CVE-2010-3343)
This is a remote code execution vulnerability caused by improper processing of malformed HTML content. When Internet Explorer attempts to access incorrectly initialized memory under certain conditions, it may corrupt memory in such a way that an attacker could execute arbitrary code. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the currently logged-in user and take complete control of the affected system.
Workarounds
- Disable LMClassFactory
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Note: For detailed steps of these workarounds refer to Microsoft Security Bulletin MS10-090
4) HTML Element Memory Corruption Vulnerability (CVE-2010-3345)
This is a remote code execution vulnerability caused by improper memory operations performed by Internet Explorer while handling the select tag. An attacker could exploit this vulnerability by convincing a targeted user to open a crafted web page that contains a particular element in the select tag. Processing the web page could cause the vulnerable application to unexpectedly free the contents of the select tag; a later access to the freed memory object could trigger memory corruption that can be exploited to execute arbitrary code. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the currently logged-in user and take complete control of the affected system.
Workarounds
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Note: For detailed steps of these workarounds refer to Microsoft Security Bulletin MS10-090
5) HTML Element Memory Corruption Vulnerability (CVE-2010-3346)
This is a remote code execution vulnerability caused by a memory corruption error in Internet Explorer when handling a particular tag in the Timed Interactive Multimedia Extensions component. The specific flaw exists within the usage of a particular element that is part of the Timed Interactive Multimedia Extensions component of the browser. By removing an element referenced by a tag used for implementing an animation, the application can be made to access an element that has previously been freed. Successful exploitation can lead to code execution in the context of the application. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the currently logged-in user and take complete control of the affected system.
Workarounds
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Modify the Access Control List (ACL) on mstime.dll
Note: For detailed steps of these workarounds refer to Microsoft Security Bulletin MS10-090
6) Cross-Domain Information Disclosure Vulnerability (CVE-2010-3348)
This is an information disclosure vulnerability caused by improper determination of the origin of scripts running in Internet Explorer. Malformed scripts could bypass cross-origin boundaries and access information from other security zones. An attacker who successfully exploited this vulnerability could view content from the local computer or from a browser window in a domain or Internet Explorer zone other than that of the attacker's Web page. This vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur.
Workarounds
- Read e-mails in plain text
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Note: For detailed steps of these workarounds refer to Microsoft Security Bulletin MS10-090
7) Uninitialized Memory Corruption Vulnerability (CVE-2010-3962)
This is a remote code execution vulnerability that is caused when Internet Explorer attempts to access an object that has not been initialized or has been deleted; it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. The "CLayout::EnsureDispNode" method is called to recalculate the location of various HTML elements within the page. This function passes a "CDispNodeInfo" object to another function, "CLayout::GetDispNodeInfo", which is supposed to initialize the object passed in; however, the function fails to properly initialize a flags value that is later used to determine how many "extra" bytes to allocate for a heap buffer. This eventually leads to an undersized buffer being allocated to hold a "CDispClipNode" object in the "CLayout::EnsureDispNodeCore" function. The vulnerability manifests itself when the "CDispNode::SetUserClip" function attempts to use the invalid "extra size" to calculate an offset into the object and manipulate a bit at this location. This corrupts the object's VTABLE by setting the second bit to 1, which can lead to the execution of arbitrary code when this pointer is accessed later. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the currently logged-in user and take complete control of the affected system.
Workarounds
- Read e-mails in plain text
- Override the Web site CSS with a user-defined style sheet
- Enable Data Execution Prevention (DEP) for Internet Explorer 7
Note: For detailed steps of these workarounds refer to Microsoft Security Bulletin MS10-090
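The workaround repeated for items 1 through 6 above (set the Internet and Local intranet zones to "High", or disable/prompt for Active Scripting) is usually applied through the Internet Options dialog. The PowerShell script below is an added example, not CERT-In's or Microsoft's code, that applies the same change for the current user from the command line, keeps a backup so it can be reverted once the MS10-090 update is installed, and reads the values back to verify. It assumes the standard Internet Explorer zone registry layout (zone 1 = Local intranet, zone 3 = Internet; value 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting; 0 = enable, 1 = prompt, 3 = disable; CurrentLevel 0x12000 = the "High" slider position); the detailed steps in MS10-090 remain the authoritative reference.

```powershell
# Added example (not CERT-In's or Microsoft's code): apply the MS10-090
# "block ActiveX Controls and Active Scripting in the Internet and Local
# intranet zones" workaround for the current user, with backup and verification.
#
# Assumed (well-known) IE zone registry layout; confirm against MS10-090:
#   Zones\1 = Local intranet, Zones\3 = Internet
#   1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
#   value 0 = enable, 1 = prompt, 3 = disable
#   CurrentLevel 0x12000 = the "High" position of the security slider

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$Settings = @{ '1200' = 3; '1400' = 3 }      # change 3 to 1 to prompt instead of block
$Tracked  = @($Settings.Keys) + 'CurrentLevel'
$Backup   = Join-Path $env:TEMP 'ie-zone-backup.xml'

function Backup-ZoneSettings {
    # Record the current value of every setting we are about to change.
    $state = @{}
    foreach ($z in $Zones.Keys) {
        $key   = Join-Path $ZoneRoot $z
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $state[$z] = @{}
        foreach ($name in $Tracked) {
            if ($props -ne $null -and $props.$name -ne $null) {
                $state[$z][$name] = [int]$props.$name
            }
        }
    }
    $state | Export-Clixml -Path $Backup -Depth 3
    Write-Host "Backup written to $Backup"
}

function Set-ZoneLockdown {
    foreach ($z in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Settings.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $Settings[$name] -Type DWord
        }
        # Move the slider too, so Internet Options shows the zone as "High".
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value 0x12000 -Type DWord
        Write-Host ("{0} zone (Zones\{1}): 1200 and 1400 set to {2}" -f $Zones[$z], $z, $Settings['1400'])
    }
}

function Test-ZoneLockdown {
    # Read the values back and report any zone that is not locked down.
    $ok = $true
    foreach ($z in $Zones.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $ZoneRoot $z) -ErrorAction SilentlyContinue
        foreach ($name in $Settings.Keys) {
            $actual = if ($props -ne $null) { $props.$name } else { $null }
            if ($actual -ne $Settings[$name]) {
                Write-Warning ("{0} zone: {1} is '{2}', expected {3}" -f $Zones[$z], $name, $actual, $Settings[$name])
                $ok = $false
            }
        }
    }
    return $ok
}

function Restore-ZoneSettings {
    # Put back the saved values; remove any value that did not exist before.
    $state = Import-Clixml -Path $Backup
    foreach ($z in $state.Keys) {
        $key = Join-Path $ZoneRoot $z
        foreach ($name in $Tracked) {
            if ($state[$z].ContainsKey($name)) {
                Set-ItemProperty -Path $key -Name $name -Value $state[$z][$name] -Type DWord
            } else {
                Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
    Write-Host "Zone settings restored from $Backup"
}

# Usage (run as the user whose browser is being hardened):
#   Backup-ZoneSettings; Set-ZoneLockdown; Test-ZoneLockdown
# After the MS10-090 update is installed:
#   Restore-ZoneSettings
```

The script writes only the per-user (HKCU) zone values. Where zone security is managed by Group Policy, the policy values take precedence over these per-user values, so the same change must be made in the GPO instead; Test-ZoneLockdown will still report what the per-user keys contain, which is why the verification step is separate from the write step.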
Solution
Apply appropriate updates as mentioned in Microsoft Security Bulletin MS10-090
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx
References
iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=885
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=886
Zerodayinitiatives
http://www.zerodayinitiative.com/advisories/ZDI-10-288/
http://www.zerodayinitiative.com/advisories/ZDI-10-289/
Secunia
http://secunia.com/advisories/42091
Security Tracker
http://securitytracker.com/alerts/2010/Dec/1024872.html
VUPEN
http://www.vupen.com/english/advisories/2010/3214
SecurityFocus
http://www.securityfocus.com/bid/45255
http://www.securityfocus.com/bid/45256
http://www.securityfocus.com/bid/45259
http://www.securityfocus.com/bid/45260
http://www.securityfocus.com/bid/45261
http://www.securityfocus.com/bid/45263
http://www.securityfocus.com/bid/44536
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=21987
http://tools.cisco.com/security/center/viewAlert.x?alertId=21988
http://tools.cisco.com/security/center/viewAlert.x?alertId=21989
http://tools.cisco.com/security/center/viewAlert.x?alertId=21990
http://tools.cisco.com/security/center/viewAlert.x?alertId=21991
http://tools.cisco.com/security/center/viewAlert.x?alertId=21992
http://tools.cisco.com/security/center/viewAlert.x?alertId=21736
CVE Name
CVE-2010-3340
CVE-2010-3342
CVE-2010-3343
CVE-2010-3345
CVE-2010-3346
CVE-2010-3348
CVE-2010-3962
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India