What is Microsoft Internet Explorer?
Internet Explorer was Microsoft's default web browser bundled with Windows, holding dominant market share through the late 2000s. In early 2010, IE 6 and IE 7 remained widely deployed in enterprise environments — particularly on Windows XP machines that corporations had not yet migrated to Windows 7. IE's deep integration with the Windows operating system (including COM object handling via iepeers.dll for CSS peer behaviors) made it a complex attack surface with recurring use-after-free vulnerabilities. Following Operation Aurora (CVE-2010-0249) in January 2010, CVE-2010-0806 represented another zero-day in IE 6/7 that was actively exploited in the wild just weeks later. IE is now fully end-of-life, retired by Microsoft in June 2022.
Overview
CVE-2010-0806 is a use-after-free vulnerability in iepeers.dll, the Internet Explorer library responsible for handling CSS "peer" behaviors (a legacy IE feature for binding behaviors to HTML elements). When IE processes a web page that deletes a peer-enabled HTML object in a specific sequence, a dangling pointer to the freed object can be accessed by subsequent operations, leading to memory corruption and arbitrary code execution. Microsoft released Security Advisory 981374 on March 9, 2010 confirming active zero-day exploitation, then patched it via emergency out-of-band bulletin MS10-018 on March 30, 2010. CISA added CVE-2010-0806 to KEV in May 2026, 16 years after the patch.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Internet Explorer 6 SP1 (Windows 2000 SP4) | Yes | MS10-018 |
| Internet Explorer 6 (Windows XP SP2, SP3; Server 2003 SP2) | Yes | MS10-018 |
| Internet Explorer 7 (Windows XP, Vista, Server 2003/2008) | Yes | MS10-018 |
| Internet Explorer 8 | Not affected | N/A |
Note: IE 8 is not vulnerable — the iepeers.dll peer behavior handling that contains the flaw was changed in IE 8. IE is now fully end-of-life and all affected Windows versions (XP, Server 2003) are also end-of-life.
Technical Details
Classified as CWE-399 (Resource Management Errors). iepeers.dll implements CSS peer behaviors — a legacy IE feature that allows attaching behaviors to HTML elements via CSS. The library maintains reference-counted objects for peer-enabled elements. A flaw in the reference counting and object lifetime management within CPeerHolder::Release() or related peer object cleanup code causes an object to be freed while a reference to it still exists in the IE rendering engine's internal state.
When subsequent rendering operations or DOM manipulations access the freed peer object pointer, IE reads or executes from the freed memory. An attacker using JavaScript-based heap spraying can reliably place shellcode or a controlled pointer at the expected freed memory address, achieving code execution when the dangling pointer is dereferenced.
The vulnerability specifically affects IE 6 and IE 7 — both heavily used in enterprise environments in 2010 on Windows XP. The lack of ASLR and DEP defaults on Windows XP with these IE versions made exploitation straightforward and reliable. Exploit code for CVE-2010-0806 was incorporated into public exploit kits within days of the advisory.
Discovery
Microsoft released Security Advisory 981374 on March 9, 2010, acknowledging reports of active exploitation of CVE-2010-0806 as a zero-day — meaning it was discovered during incident investigation of active attacks, not through proactive vulnerability research. The rapid integration of working CVE-2010-0806 exploits into crimeware exploit kits (including Eleonora, Phoenix, and others) indicates that reliable exploit code circulated quickly in criminal communities after public awareness of the zero-day.
Exploitation Context
CVE-2010-0806 was exploited in the wild as a zero-day before Microsoft's patch was available. Within days of Security Advisory 981374's publication, working exploits were incorporated into crimeware exploit kits used in drive-by download campaigns. A user visiting a compromised website or clicking a malicious link in IE 6 or IE 7 would trigger the vulnerability silently, with the exploit installing malware in the background.
The timing — just two months after Operation Aurora (CVE-2010-0249) — reflected the high attacker interest in IE zero-days during this period. Security researchers and enterprise security teams were still responding to Aurora when CVE-2010-0806 emerged, creating a compound patching burden.
CISA's May 2026 KEV addition, alongside CVE-2010-0249 and other legacy CVEs added simultaneously, suggests threat actors are actively targeting legacy IE installations on unpatched Windows XP / Server 2003 systems that remain in production in industrial, healthcare, and retail environments.
Remediation
- Internet Explorer is end-of-life — retire it immediately. Microsoft ended IE support on June 15, 2022. No further security patches will be released.
- Apply MS10-018 — the patch has been available since March 2010. Any Windows system with post-2010 updates is already patched.
- For Windows XP / Server 2003 systems still running IE 6/7: isolate from the internet completely — these systems cannot be made safe for web browsing.
- Block iepeers.dll registration as a temporary workaround (from Security Advisory 981374): `regsvr32 /u iepeers.dll`. This disables the peer behavior feature, breaking pages that depend on it, but prevents exploitation of CVE-2010-0806.
- Replace legacy Windows — Windows XP and Server 2003 are permanently unpatched against thousands of known vulnerabilities. Any internet-accessible system running them should be treated as already compromised.
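A host audit for the remediation steps above, added here as an example and not taken from Microsoft's advisory or bulletin. It assumes the IE version is stored under HKLM:\SOFTWARE\Microsoft\Internet Explorer (the "Version" value, or "svcVersion" on newer IE), locates iepeers.dll's COM registration by scanning CLSID InprocServer32 entries, and uses a placeholder for the MS10-018 KB number, which you must fill in from the bulletin.

```powershell
# Added example: audit a Windows host for CVE-2010-0806 exposure and, optionally,
# apply the advisory's iepeers.dll unregistration workaround.
param(
    [switch]$ApplyWorkaround   # only unregister when explicitly requested
)

# Placeholder (assumption): replace with the KB article number of MS10-018.
$Ms10018Kb = 'KB<MS10-018-KB-NUMBER>'

$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
if (-not $ie) { Write-Output 'Internet Explorer not installed; nothing to do.'; return }

# IE 10+ keeps the real version in svcVersion; older builds only have Version.
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$major = [int]($ieVersion.Split('.')[0])
Write-Output "Internet Explorer version: $ieVersion"

# Per the Affected Versions table, only IE 6 and IE 7 are vulnerable.
if ($major -ge 8) { Write-Output 'IE 8 or later: not affected by CVE-2010-0806.'; return }

# Has the cumulative update from MS10-018 been installed?
$patched = [bool](Get-HotFix -Id $Ms10018Kb -ErrorAction SilentlyContinue)
Write-Output ("MS10-018 installed: {0}" -f $patched)

# Is iepeers.dll still registered as a COM in-process server?
$dll = Join-Path $env:SystemRoot 'System32\iepeers.dll'
$registered = Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } |
    Where-Object { $_.'(default)' -like '*iepeers.dll' }
$isRegistered = [bool]$registered
Write-Output ("iepeers.dll registered: {0}" -f $isRegistered)

if ($patched) { Write-Output 'Host is patched against CVE-2010-0806.'; return }

Write-Warning 'VULNERABLE: IE 6/7 without MS10-018. Retire IE and isolate this host.'
if ($isRegistered -and $ApplyWorkaround) {
    # The advisory's workaround: unregister the DLL (/s suppresses the dialog).
    & "$env:SystemRoot\System32\regsvr32.exe" /u /s $dll
    Write-Output 'Applied workaround: iepeers.dll unregistered (peer behaviors disabled).'
} elseif ($isRegistered) {
    Write-Output 'Re-run with -ApplyWorkaround to unregister iepeers.dll as a stopgap.'
}
```

Run from an elevated PowerShell prompt; the workaround is a stopgap only and does not replace patching or retiring the browser.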
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2010-0806 |
| Vendor / Product | Microsoft — Internet Explorer |
| NVD Published | 2010-03-10 |
| NVD Last Modified | 2026-05-21 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-399 |
| CISA KEV Added | 2026-05-20 |
| CISA KEV Deadline | 2026-06-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2010-03-09 | Microsoft releases Security Advisory 981374 acknowledging CVE-2010-0806 in iepeers.dll; exploitation confirmed in the wild as a zero-day before the patch |
| 2010-03-30 | Microsoft releases MS10-018 as an emergency out-of-band Critical patch fixing CVE-2010-0806 and ten additional IE vulnerabilities; released ahead of April Patch Tuesday |
| 2026-05-20 | CISA adds CVE-2010-0806 to Known Exploited Vulnerabilities catalog — 16 years after the patch |
| 2026-06-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Bulletin MS10-018 — Critical | Vendor Advisory |
| Microsoft Security Advisory 981374 | Vendor Advisory |
| NVD — CVE-2010-0806 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |