//nefariousplan

CVE-2010-0249: The KEV Deadline for Aurora Is a Census

CISA added CVE-2010-0249 to the Known Exploited Vulnerabilities catalog on May 20, 2026, with a federal remediation deadline of June 3. The bug is sixteen years old. Microsoft retired Internet Explorer on June 15, 2022, three years and eleven months before the listing. The CVE belongs to Operation Aurora, the breach Google disclosed in January 2010 that changed how the United States government talked about nation-state intrusion for the next decade. CISA did not add it because the bug is new. CISA added it because Internet Explorer is still running somewhere.

The bug was the one that defined nation-state disclosure

CVE-2010-0249 is a use-after-free in mshtml.dll, the rendering engine Internet Explorer linked into every page load. The trigger lives in the DOM event-handling path: attacker-controlled script causes an event to fire on an HTML element whose backing object has been freed but whose pointer the renderer is still holding. The freed slot is reused as something the attacker shapes, the event handler dereferences the stale pointer, the attacker's shaped bytes drive execution. CWE-416. The class is one of the most photographed crime scenes in the history of browser memory-safety bugs. Microsoft Security Bulletin MS10-002, dated January 21, 2010, closes the specific path for IE 6 SP1, IE 7, and IE 8 across Windows 2000 SP4 through Windows 7.

The bug's resume is what makes it a KEV entry rather than a database row. In December 2009, the primitive was used by a state-aligned operator against Google's corporate network and the corporate networks of at least twenty other named companies, including Adobe, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, and Morgan Stanley. The objective on Google's side was the source code of password-authentication infrastructure and the Gmail accounts of named Chinese human-rights activists. On January 12, 2010, Google's chief legal officer published the disclosure post that named the breach and announced that Google would stop censoring search results in mainland China. Microsoft Security Advisory 979352 appeared two days later. MS10-002 shipped nine days after that, the first emergency out-of-band Internet Explorer patch in Microsoft's modern release cadence.

Microsoft did not find this bug. Google did, the hard way. The disclosure ran from breach to advisory in the wrong direction. The CVE was post-hoc documentation of a thing that had already happened. Aurora is the founding case of the disclosure-after-exploitation pattern: the same shape Ivanti, FortiManager, BeyondTrust, and CrushFTP would each, in their turn, become exhibits of. Every later case writes itself against this one.

Aurora's footprint is wider than the CVE

Aurora's footprint extends past the CVE number. The phrase "advanced persistent threat" had been a Department of Defense acronym before January 2010; after Google's disclosure post named China as the source of the intrusion in everything but explicit attribution, it became the default newsroom vocabulary. Mandiant's APT1 report three years later, naming a PLA-attributed cluster across multiple campaigns, gave the security industry a structured language for talking about state-aligned operators that did not exist before Aurora forced the conversation into the open. The U.S. government's first explicit public attribution of corporate espionage to named foreign military officers, the 2014 Department of Justice indictment of PLA Unit 61398 officers, is downstream of the discourse Aurora started.

The bug, in isolation, is a use-after-free. The bug, in context, is the event that taught the U.S. national security apparatus to name its adversaries in public.

The product Microsoft published the mitigation for was retired in 2022

Internet Explorer 11, the last shipping IE on Windows 10, was retired on June 15, 2022. Microsoft's guidance from that day forward was that users should migrate to Microsoft Edge. The retirement was not an EOL note buried in a documentation page; it was a coordinated industry milestone with calendar reminders pushed through Windows Update. The MSHTML rendering component lives on inside Edge's IE Mode for the narrow set of enterprises still running legacy intranet apps, but the standalone IE browser surface that Aurora's exploit targeted has been gone from supported Windows configurations for nearly four years.

The KEV catalog's Required Action field for CVE-2010-0249 reads, in full:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

It is the same three-option boilerplate CISA writes against every KEV entry. For most entries the first option does the work: a vendor patch exists, is supported, is applicable, the agency applies it, the deadline is met. For CVE-2010-0249 the first option is the MS10-002 update from January 2010, applied to a product Microsoft has not supported since 2022. The second option is irrelevant; Internet Explorer is not a cloud service. The third option is the operative one. CISA's prose for it is "discontinue use of the product if mitigations are unavailable." The shorter version is "stop running it."

The candidate description CISA's catalog feeds out to enrichment platforms says the same thing more directly: "The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization." The KEV listing, in 2026, is a fourteen-day notice to Federal Civilian Executive Branch agencies that Internet Explorer is no longer something they are allowed to be running.

A KEV deadline against a retired product is an inventory event

KEV is a directive, not a feed. CISA's Binding Operational Directive 22-01 obligates FCEB agencies to remediate every catalog entry by its listed due date. The due date for CVE-2010-0249 is June 3, 2026, fourteen days after the listing. The agency that has Internet Explorer running on a contract-management workstation in a basement office, on a kiosk in a regional facility, or on a server console nobody touches because the application above it depends on a WebBrowser ActiveX control, has two weeks to file the attestation that it is no longer there.

This is not how KEV is usually used. Most KEV listings name CVEs from the prior year against products the listed agencies are actively running and supporting; the deadline drives a patching cycle, and the cycle closes when the patch reaches the fleet. CVE-2010-0249 has no patching cycle to drive. MS10-002 has been universally available since January 21, 2010. Every system on which it could be applied was patched on federal agency timelines years before IE itself retired. The systems that did not get the patch are the ones nobody looked at. Those systems are not patchable in 2026 because they cannot be inventoried in 2026.

A KEV entry against an EOL product on a fourteen-day clock is therefore an instrument with one purpose. It generates an inventory event. Every federal security officer who reads the catalog on Wednesday afternoon now has a homework assignment by June 3: enumerate the systems on which Internet Explorer is still installed, account for them, and either remove the browser or remove the system from the network. The catalog's job here is not to warn defenders that the Aurora primitive is being exploited again. The catalog's job is to surface the footprint whose continued existence the agency's annual attestation would otherwise quietly elide.

The answers are not trivial. IE binaries shipped with every Windows install image from the last twenty-plus years and were never removed by default until the IE 11 retirement gradually phased the executable out of newer image builds. Group policy templates written for IE in the 2010s still reference its registry keys. Internal applications written against WebBrowser controls, ActiveX components, or MSHTML.dll link tables still expect IE to be present. The footprint a CISO is being asked to deny is not "user is launching the browser." The footprint is a binary still on disk, an ActiveX surface still exposed, a registry hive still configured, an internal app still embedding the renderer. The June 3 attestation is, operationally, a sweep across every Windows fleet for those traces.
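
One way to run that sweep on a single host, as an added example that is not part of the original article: a read-only PowerShell function that checks each of the four traces named above. The function name `Get-IEFootprint` is hypothetical, the file paths are the default install locations, and the CLSID is the one the WebBrowser control registers under.

```powershell
# Added example, not from the original article. Get-IEFootprint is a
# hypothetical name. Run elevated on the host being inventoried; it only reads state.
function Get-IEFootprint {
    $f = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Trace 1: binary still on disk (default install roots, 64- and 32-bit).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $f.IexplorePaths = @($roots |
        ForEach-Object { Join-Path $_ 'Internet Explorer\iexplore.exe' } |
        Where-Object { Test-Path -LiteralPath $_ })

    # Optional feature that carries the standalone browser, where the image has one.
    $f.OptionalFeature = @(Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.FeatureName -like 'Internet-Explorer-Optional-*' } |
        ForEach-Object { '{0}={1}' -f $_.FeatureName, $_.State })

    # Trace 2: ActiveX surface. COM registration of the WebBrowser control.
    $clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InprocServer32'
    $f.WebBrowserControl = if (Test-Path -LiteralPath $clsid) {
        (Get-ItemProperty -LiteralPath $clsid).'(default)'
    } else { $null }

    # Trace 3: registry hive still configured (installed version, policy keys).
    $ieKey = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' `
        -ErrorAction SilentlyContinue
    $f.RegistryVersion = if ($ieKey.svcVersion) { $ieKey.svcVersion } else { $ieKey.Version }
    $f.PolicyKeyPresent = Test-Path -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'

    # Trace 4: applications embedding the renderer. This is a snapshot of
    # processes running right now, so an empty list is not proof of absence.
    $f.ProcessesWithMshtml = @(Get-Process | ForEach-Object {
        try {
            if ($_.Modules.ModuleName -contains 'mshtml.dll') { $_.ProcessName }
        } catch { }   # protected processes deny module enumeration; skip them
    } | Sort-Object -Unique)

    [pscustomobject]$f
}

Get-IEFootprint | Format-List
```

The function returns one object per host, so the same call can be collected across a fleet with whatever remoting or endpoint-management tooling is already in place and exported for the attestation record.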

This is the regulatory tail of the same disclosure-after-exploitation pattern Aurora itself founded. In 2010 the disclosure was Google's breach revealing the bug. In 2026 the disclosure is CISA's KEV deadline revealing which agencies still have the product the bug lives in. The bug was disclosed sixteen years ago. The disclosure of where it is still running is the 2026 event. Ivanti's end-of-life branch becoming UNC5221's lab is the same shape three layers down: the vendor declared EOL, the customer fleet failed to act, an authority with regulatory leverage eventually said the unpatched footprint had to be named. Aurora's KEV listing is what happens when the regulatory authority reaches the EOL footprint before the next attacker does.

The mitigation that still works is the one the product no longer has

The MS10-002 patch exists on Microsoft's update servers in 2026. It applies cleanly to the IE 8 install media that supported Windows machines were shipping in 2010. The patch is what CISA's first required-action option defers to when it says "apply mitigations per vendor instructions." The patch's only problem is that the install media it patches is no longer present on any system Microsoft will admit to supporting.

The CVE record itself was edited on May 20, 2026, the same day CISA added the KEV entry, to update its reference list. The bug's mechanism did not change. The CVSS scores did not change. The technical primitive is the same use-after-free Google was breached through during the week of Christmas 2009. The only field that moved was the one that names the federal deadline.

The CVE is sixteen years old. The patch is sixteen years old. The fourteen-day deadline is not for the patch.