HTTP: Microsoft Internet Explorer selection.empty Use After Free (CVE-2011-1261)
A User-After-Free vulnerability exists in Microsoft Internet Explorer. The vulnerability is due to improper handling of the selection.empty script expression. Remote attackers can exploit this vulnerability by enticing target users to open a malicious web page using Internet Explorer, potentially causing arbitrary code to be injected and executed in the security context of the currently logged on user. In an attack scenario where arbitrary code is injected and executed on the target machine, the behaviour of the target is dependent on the logic of the malicious code. If such an attack is not successful, Internet Explorer may terminate abnormally.
Extended Description
Microsoft Internet Explorer is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the affected application. Failed attacks will cause denial-of-service conditions.
Affected Products
Avaya messaging_application_server,Avaya meeting_exchange
Short Name
HTTP:STC:IE:SELECT-EMPTY
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
(CVE-2011-1261) After CVE-2011-1261 Explorer Free Internet Microsoft Use bid:48210 selection.empty
Release Date
06/22/2011
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Unknown
Vendors
Microsoft
Avaya
CVSS Score
9.3