Immunity, Inc.
Name ie_setuserclip
CVE CVE-2010-3962
Exploit Pack CANVAS
Description: ie_setuserclip
Date public: 11/04/2010
Notes:
This bug was discovered in the wild.
IE6, 7 and 8 are vulnerable to this bug, but because of its behaviour some versions will not be exploitable.
The only fully patched IE that I found vulnerable was IE6, but it deserves more research on other ways to trigger it.

The behaviour of this bug is:
object[0] |= 0x1
So this ORs the vtable pointer with 1 and, because the pointer is aligned, the effect is vtable = vtable + 1.
Any subsequent call through the vtable then reads a function pointer that is offset by one byte, so the call lands in a different region
of memory depending on the version of mshtml.

Versions Affected: IE 6, 7, 8
VENDOR: Microsoft
CVE Name: CVE-2010-3962

Learn more about the CANVAS Exploit Pack here: CANVAS