Vulnerability Details: CVE-2008-3475
Microsoft Internet Explorer 6 does not properly handle errors related to using the componentFromPoint method on xml objects that have been (1) incorrectly initialized or (2) deleted, which allows remote attackers to execute arbitrary code via a crafted HTML document, aka "Uninitialized Memory Corruption Vulnerability."
Vulnerability category: Memory Corruption, Execute code
Exploit prediction scoring system (EPSS) score for CVE-2008-3475
Probability of exploitation activity in the next 30 days: 96.59%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 %
CVSS scores for CVE-2008-3475
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2008-3475
- Assigned by: nvd@nist.gov (Primary)
- The product uses or accesses a resource that has not been initialized. Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-3475
- http://www.securityfocus.com/archive/1/497380/100/0/threaded
  Tags: Broken Link; Third Party Advisory; VDB Entry
- http://marc.info/?l=bugtraq&m=122479227205998&w=2
  '[security bulletin] HPSBST02379 SSRT080143 rev.1 - Storage Management Appliance (SMA), Microsoft Pat' - MARC
  Tags: Mailing List
- http://www.securityfocus.com/bid/31617
  Tags: Broken Link; Patch; Third Party Advisory; VDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45565
  Microsoft Windows Knowledge Base Article 956390 update is not installed CVE-2008-3474 Vulnerability Report
  Tags: Third Party Advisory; VDB Entry
- http://www.securitytracker.com/id?1021047
  Tags: Broken Link; Third Party Advisory; VDB Entry
- http://www.zerodayinitiative.com/advisories/ZDI-08-069/
  ZDI-08-069 | Zero Day Initiative
  Tags: Third Party Advisory; VDB Entry
- http://www.vupen.com/english/advisories/2008/2809
  Tags: Broken Link
- http://www.us-cert.gov/cas/techalerts/TA08-288A.html
  Tags: Broken Link; Third Party Advisory; US Government Resource
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45563
  Microsoft Internet Explorer componentFromPoint() code execution CVE-2008-3475 Vulnerability Report
  Tags: Third Party Advisory; VDB Entry
- http://ifsec.blogspot.com/2008/10/internet-explorer-6-componentfrompoint.html
  Ivan Fratric's Security Blog: Internet Explorer 6 componentFromPoint() remote memory disclosure and remote code execution
  Tags: Issue Tracking; Third Party Advisory
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-058
  Microsoft Security Bulletin MS08-058 - Critical | Microsoft Learn
  Tags: Patch; Vendor Advisory
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13151
  Tags: Broken Link
Products affected by CVE-2008-3475
- cpe:2.3:a:microsoft:internet_explorer:5.01:sp4:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:6:-:*:*:*:*:*:*
  When used together with: Microsoft » Windows Xp » Version: N/A Update SP2 Professional Edition For X64
- cpe:2.3:a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*
  When used together with: Microsoft » Windows Xp » Version: N/A Update SP2 Professional Edition For X64