Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
Microsoft Internet Explorer 6 through 8 contains a critical use-after-free vulnerability that allows remote attackers to execute arbitrary code. The flaw, actively exploited in the wild, lets attackers compromise systems by tricking users into visiting malicious websites, potentially leading to complete system takeover.
Step 1: Malicious Website Access: The victim is tricked into visiting a malicious website or opening an HTML file containing the exploit code.
Step 2: Object Instantiation and Manipulation: The webpage's JavaScript creates and manipulates a CDwnBindInfo object (or a similar object). This likely involves creating the object, triggering a specific event that releases it, and then attempting to access it again.
Step 3: Object Freeing: The crafted JavaScript code triggers the release of the CDwnBindInfo object, freeing the memory associated with it.
Step 4: Use-After-Free Trigger: The JavaScript code then attempts to access the freed memory region, potentially through a method call or property access on the freed object.
Step 5: Memory Corruption: This access leads to memory corruption, allowing the attacker to overwrite memory with malicious code.
Step 6: Code Execution: The overwritten memory contains malicious code, which is then executed by Internet Explorer, granting the attacker control of the victim's system.
The vulnerability stems from improper memory management in Internet Explorer's handling of objects, specifically the CDwnBindInfo object, and its root cause is a use-after-free condition. When a crafted webpage triggers a sequence of events that releases a CDwnBindInfo object, subsequent attempts to access the freed memory region can lead to arbitrary code execution. The attacker crafts a malicious webpage that manipulates the object's lifecycle so that it is freed and then accessed; that stale access allows the attacker to overwrite memory with malicious code, which the browser then executes.
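The steps above and the root-cause paragraph both describe the same lifecycle defect: one holder of a reference-counted object releases it while another holder still uses the stale pointer. The C program below is an added illustration written for this page, not code from the original page, from Microsoft, or from any exploit; it models the AddRef/Release discipline used by COM-style objects and shows the buggy pattern beside the corrected one. The object layout (`BindInfo`), the fixed-size arena, the `live` flag and the `bindinfo_*` function names are all assumptions made for the example. Real freed memory is never dereferenced: the arena records whether a slot has been released, standing in for what a debug allocator (page heap fill patterns) or an address sanitizer would catch, so the stale access is reported instead of corrupting memory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reference-counted object, modelled loosely on a COM object
 * (layout is an assumption for this example, not the real CDwnBindInfo). */
typedef struct {
    long refcount;
    int  live;          /* 1 while allocated, 0 after the final Release */
    char payload[32];
} BindInfo;

/* Small arena instead of malloc/free so that a released slot can still be
 * inspected safely; a real use-after-free is undefined behaviour. */
#define ARENA_SLOTS 4
static BindInfo arena[ARENA_SLOTS];

static BindInfo *bindinfo_create(const char *url)
{
    for (int i = 0; i < ARENA_SLOTS; i++) {
        if (!arena[i].live) {
            arena[i].live = 1;
            arena[i].refcount = 1;             /* creator owns one reference */
            snprintf(arena[i].payload, sizeof arena[i].payload, "%s", url);
            return &arena[i];
        }
    }
    return NULL;                               /* arena exhausted */
}

static void bindinfo_addref(BindInfo *o)
{
    if (o && o->live)
        o->refcount++;
}

static void bindinfo_release(BindInfo *o)
{
    if (!o || !o->live)
        return;
    if (--o->refcount == 0) {
        o->live = 0;
        /* Poison the payload, as a debug heap would, so stale reads are obvious. */
        memset(o->payload, 0xDD, sizeof o->payload);
    }
}

/* Access guarded by the liveness check: 0 on success, -1 when the caller is
 * touching an object that has already been destroyed (a use-after-free). */
static int bindinfo_use(const BindInfo *o, char *out, size_t outlen)
{
    if (!o || !o->live)
        return -1;
    snprintf(out, outlen, "%s", o->payload);
    return 0;
}

int arena_live_count(void)
{
    int n = 0;
    for (int i = 0; i < ARENA_SLOTS; i++)
        n += arena[i].live;
    return n;
}

/* Buggy pattern: a second holder copies the raw pointer without AddRef.
 * When the first holder releases, the object is destroyed underneath it. */
int scenario_missing_addref(void)
{
    BindInfo *o = bindinfo_create("http://example.invalid/");   /* constructed URL */
    if (!o) return -2;
    BindInfo *alias = o;             /* raw copy, no reference taken */
    bindinfo_release(o);             /* refcount 1 -> 0: object destroyed */
    char buf[32];
    return bindinfo_use(alias, buf, sizeof buf);   /* -1: stale access caught */
}

/* Corrected pattern: every holder takes its own reference and releases it. */
int scenario_with_addref(void)
{
    BindInfo *o = bindinfo_create("http://example.invalid/");   /* constructed URL */
    if (!o) return -2;
    BindInfo *alias = o;
    bindinfo_addref(alias);          /* refcount 1 -> 2 */
    bindinfo_release(o);             /* refcount 2 -> 1: still alive */
    char buf[32];
    int rc = bindinfo_use(alias, buf, sizeof buf);  /* 0: valid access */
    bindinfo_release(alias);         /* refcount 1 -> 0: destroyed once, cleanly */
    return rc;
}

int main(void)
{
    printf("missing AddRef: %d (expect -1)\n", scenario_missing_addref());
    printf("with AddRef:    %d (expect 0)\n", scenario_with_addref());
    printf("live objects:   %d (expect 0)\n", arena_live_count());
    return 0;
}
```

The defensive takeaway is the one the root-cause paragraph points at: the fix is not to guess when the last user is done, but to make every holder of a pointer own a reference, so the object cannot be destroyed while any user still refers to it. When hunting this class of bug, running the program under a debug heap or AddressSanitizer turns the silent corruption into a reported stale access, exactly as the `live` check does here.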