CVE-2010-0249 — Microsoft Internet Explorer Use-After-Free Vulnerability

Internet Explorer — Use-After-Free via Deleted HTML Object Enables RCE; Operation Aurora Chinese APT Campaign Targeting Google, Adobe, and Others; Emergency MS10-002 January 2010

What is Microsoft Internet Explorer?

Internet Explorer was Microsoft's default web browser, bundled with all Windows versions from Windows 95 through Windows 10. In 2010, IE 6 held approximately 20–30% browser market share with IE 7 and IE 8 adding further share — making Internet Explorer the dominant browser and therefore one of the most widely targeted pieces of software for drive-by download and watering hole attacks. IE is now end-of-life (retired June 2022) and has been replaced by Microsoft Edge, but legacy IE installations persist in enterprise environments, particularly on older Windows versions used in industrial and embedded contexts.

Overview

CVE-2010-0249 is a use-after-free vulnerability in Internet Explorer's HTML rendering engine. An attacker who controls a malicious web page can cause IE to access a pointer to an already-freed HTML object, achieving arbitrary code execution in the context of the user viewing the page. The vulnerability became one of the most significant security incidents of 2010 as the exploitation mechanism behind Operation Aurora — a sophisticated Chinese state-sponsored cyberattack campaign against Google, Adobe, Juniper Networks, and approximately 30 other major corporations.

Google's public disclosure of Operation Aurora on January 12, 2010 prompted Microsoft to release Security Advisory 979352 two days later and emergency out-of-band patch MS10-002 on January 21, 2010. CISA added CVE-2010-0249 to KEV in May 2026, 16 years after the patch.

Affected Versions

Product                                                       Vulnerable  Fixed
Internet Explorer 6 SP1 (Windows 2000)                        Yes         MS10-002
Internet Explorer 6 (Windows XP, Server 2003)                 Yes         MS10-002
Internet Explorer 7 (Windows XP, Vista, Server 2003/2008)     Yes         MS10-002
Internet Explorer 8 (Windows XP, Vista, 7, Server 2003/2008)  Yes         MS10-002

Note: IE is now fully end-of-life. All affected Windows versions (XP, Vista, Server 2003) are also end-of-life.

Technical Details

CWE-416 (Use After Free). Internet Explorer's HTML rendering engine maintains object references for HTML DOM elements as pages load and JavaScript executes. A flaw in how IE handles certain HTML elements causes a CSS stylesheet or DOM object to be freed while a dangling reference to it still exists. When subsequent JavaScript execution or DOM operations access the freed pointer, IE dereferences memory that is no longer valid and may since have been reallocated for other data.

By using a heap spray technique — allocating large amounts of JavaScript strings or arrays to populate the heap with attacker-controlled data at predictable addresses — an attacker can ensure that the freed memory region contains a controlled value before the dangling pointer is accessed. On IE 6 (the primary Aurora target), the lack of ASLR and DEP made reliable exploitation straightforward.

The Operation Aurora exploit was delivered as JavaScript embedded in malicious web pages and targeted IE 6 on Windows XP, then widespread in corporate environments, with high reliability.

Discovery

The vulnerability was discovered during incident response investigation of Operation Aurora. The Elderwood Group (also known as "Comment Crew" or APT1-related actors), a sophisticated Chinese state-sponsored threat actor, had been exploiting CVE-2010-0249 as a zero-day before Google's January 2010 disclosure. The public disclosure by Google was notable because major corporations rarely disclosed cyberattack details publicly at the time — Google's transparency set a precedent and brought significant attention to nation-state cyberespionage against the private sector.

Exploitation Context

Operation Aurora was a sophisticated, multi-stage cyberattack campaign attributed to a Chinese state-sponsored group. Targets included Google, Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical — primarily companies involved in defense contracting, technology, and financial services. The goals included intellectual property theft (source code, trade secrets) and compromise of Gmail accounts belonging to human rights activists.

The attack chain: spear-phishing email or instant message containing a link → victim opens IE → malicious JavaScript triggers CVE-2010-0249 → shellcode executed → second-stage malware installed (Hydraq / Aurora RAT) → long-term network access established.

Google's disclosure prompted Microsoft to issue Security Advisory 979352, and the German government recommended temporarily switching from Internet Explorer to alternative browsers while the patch was prepared. MS10-002 was released eight days ahead of the February 2010 Patch Tuesday cycle, reflecting the severity of active exploitation.

CISA's May 2026 KEV addition indicates that legacy IE installations on unpatched legacy Windows systems continue to be actively exploited.

Remediation

  1. Internet Explorer is end-of-life — retire it immediately on any system where it is still the primary browser. Microsoft Edge or any modern browser should be used instead.
  2. Apply MS10-002 — the patch has been available since January 2010. Any Windows system with post-2010 updates already has this fix.
  3. For Windows XP / Vista / Server 2003 systems where IE cannot be updated: isolate these systems from the internet and restrict outbound web browsing completely.
  4. Prioritize decommissioning legacy Windows versions — Windows XP and Vista are permanently unpatched against many subsequent vulnerabilities, and any system running them should be considered compromised-by-default if internet-accessible.
  5. Block IE execution via application control (AppLocker / Windows Defender Application Control) on systems where it is not needed.
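A defender-side script for steps 2 and 5 above, added here as an example and not taken from the page or from Microsoft: it records which Internet Explorer build a host carries, then stages an AppLocker deny rule for iexplore.exe. It assumes an elevated session on an AppLocker-capable Windows edition and that the Application Identity service (AppIDSvc) has been enabled through policy; the registry key, path variable and SID are standard Windows values, and the rule GUID is constructed per run.

```powershell
# Added example (not from the page or Microsoft): inventory Internet Explorer on
# a host and stage an AppLocker deny rule for iexplore.exe (remediation step 5).
# Assumes an elevated session on an AppLocker-capable Windows edition and that
# the Application Identity service (AppIDSvc) has been enabled via policy.
$ErrorActionPreference = 'Stop'

# --- Inventory: read the standard IE version markers from the registry ---
$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ver = $null
if (Test-Path $ieKey) {
    $ie  = Get-ItemProperty -Path $ieKey
    $ver = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    Write-Host "Internet Explorer registry version: $ver"
}
if ($ver -and [int]($ver.Split('.')[0]) -le 8) {
    # IE 6/7/8 are the builds MS10-002 covers; confirm the patch level or isolate.
    Write-Warning "IE $($ver.Split('.')[0]) present: verify MS10-002 is installed or isolate this host."
}

# --- AppLocker rule: deny iexplore.exe for Everyone (SID S-1-1-0) ---
# AppLocker's %PROGRAMFILES% variable covers both Program Files directories.
# The collection starts in AuditOnly: an enforced Exe collection with no allow
# rules blocks every executable, so switch to 'Enabled' only after confirming
# the merged policy (Get-AppLockerPolicy -Effective) carries the default allow rules.
$mode   = 'AuditOnly'
$ruleId = [guid]::NewGuid()   # constructed per run
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
    <FilePathRule Id="$ruleId" Name="Deny Internet Explorer" Description="Legacy browser, CVE-2010-0249" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\iexplore.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'deny-iexplore.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would the rule decide for the 64-bit iexplore.exe, if present?
$iePath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
if (Test-Path $iePath) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $iePath -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Merge into the local policy (does not replace existing rules).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Audit-mode hits appear in the AppLocker EXE and DLL event log, which also gives an inventory of which users still launch IE before enforcement is turned on.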

Key Details

CVE ID: CVE-2010-0249
Vendor / Product: Microsoft — Internet Explorer
NVD Published: 2010-01-15
NVD Last Modified: 2026-05-21
CVSS 3.1 Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-416
CISA KEV Added: 2026-05-20
CISA KEV Deadline: 2026-06-03
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-06-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2010-01-12  Google publicly discloses Operation Aurora — a sophisticated cyberattack campaign originating from China that exploited a then-unknown Internet Explorer zero-day; Google, Adobe, Juniper Networks, and approximately 30 other companies targeted
2010-01-14  Microsoft releases Security Advisory 979352 confirming the IE zero-day and acknowledging active exploitation
2010-01-21  Microsoft releases emergency out-of-band patch MS10-002 (Critical) fixing CVE-2010-0249 and seven additional IE vulnerabilities; released eight days ahead of February Patch Tuesday
2026-05-20  CISA adds CVE-2010-0249 to the Known Exploited Vulnerabilities catalog — 16 years after the patch, indicating continued exploitation of legacy IE installations
2026-06-03  CISA BOD 22-01 remediation deadline