Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Obfuscated Exploits Continue To Target CVE-2010-0806 And CVE-2010-3962

July 14, 2011 - 2 min read


A pair of “use-after-free” aka “uninitialized memory corruption” vulnerabilities (CVE-2010-0806 and CVE-2010-3962) in Internet Explorer were reported in November 2010 and remain among the favored client-side attack vectors currently seen in the wild. Recently during my research, I have noticed a gradual increase in attacks targeting these vulnerabilities. Often these two vulnerabilities are combined into a single exploit, as both the vulnerabilities target Internet Explorer 6 and 7. Combining exploit code will of course increase the probability of a successful attack.


Lets analyze one sample that I came across recently.

Source code






De-obfuscated Code Analysis

De-obfuscation of the above code, shows how the exploitation of the two vulnerabilities is carried out. Lets go through each one of them sequentially.

Both exploits work in following way

  • Initiate a heap spray

  • Exploit causes a use-after-free error

  • Assembly code running at the time of the “use-after-free error” causes the CPU to execute shellcode thanks to the heap spray.

Version check – This is required to initialize the address of the shellcode. The full address is computed when heap spray is carried out.


Shellcode - Common for both the vulnerabilities.


The heap spray is carried out by different functions for the different vulnerabilities.

Exploiting CVE-2010-0806


Exploiting CVE-2010-3962


Other samples that target these vulnerabilities, which I observed during my research varies in terms of the way the Javascript code is obfuscated. However, the overall process remains the same. This again tells us why it’s important to update your browser with latest security patches.

Further research on the domain “dxcdfghg.com” reveals that the IP address bound to this domain has hosted various other malicous domains carrying out alternate attacks.


Hosting multiple malicious domains on one IP address is common practice for attackers.


Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.