10

CVE-2014-1776

Warning
Exploit

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014.  NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks."

Data is provided by the National Vulnerability Database (NVD)
MicrosoftInternet Explorer Version6
   MicrosoftWindows Server 2003 Version- Updatesp2
   MicrosoftWindows Xp Version- Updatesp2 SwEditionprofessional HwPlatform-
   MicrosoftWindows Xp Version- Updatesp3
MicrosoftInternet Explorer Version7
   MicrosoftWindows Server 2003 Version- Updatesp2
   MicrosoftWindows Server 2008 Version- Updatesp2
   MicrosoftWindows Vista Version- Updatesp2
   MicrosoftWindows Xp Version- Updatesp2 SwEditionprofessional HwPlatform-
   MicrosoftWindows Xp Version- Updatesp3
MicrosoftInternet Explorer Version8
   MicrosoftWindows 7 Version- Updatesp1
   MicrosoftWindows Server 2003 Version- Updatesp2
   MicrosoftWindows Server 2008 Version- Updatesp2
   MicrosoftWindows Server 2008 Versionr2 Updatesp1
   MicrosoftWindows Vista Version- Updatesp2
   MicrosoftWindows Xp Version- Updatesp2 SwEditionprofessional HwPlatform-
   MicrosoftWindows Xp Version- Updatesp3
MicrosoftInternet Explorer Version9
   MicrosoftWindows 7 Version- Updatesp1
   MicrosoftWindows Server 2008 Version- Updatesp2
   MicrosoftWindows Server 2008 Versionr2 Updatesp1
   MicrosoftWindows Vista Version- Updatesp2
MicrosoftInternet Explorer Version10
   MicrosoftWindows 7 Version- Updatesp1
   MicrosoftWindows 8 Version-
   MicrosoftWindows Rt Version-
   MicrosoftWindows Server 2008 Versionr2 Updatesp1 HwPlatformx64
   MicrosoftWindows Server 2012 Version-
MicrosoftInternet Explorer Version11 Update-
   MicrosoftWindows 7 Version- Updatesp1
   MicrosoftWindows 8.1 Version-
   MicrosoftWindows Rt 8.1 Version-
   MicrosoftWindows Server 2008 Versionr2 Updatesp1 HwPlatformx64
   MicrosoftWindows Server 2012 Versionr2

28.01.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Internet Explorer Memory Corruption Vulnerability

Vulnerability

Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code in the context of the current user.

Description

Apply updates per vendor instructions.

Required actions
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 80.06% 0.991
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

http://securitytracker.com/id?1030154
Third Party Advisory
Broken Link
VDB Entry
http://www.kb.cert.org/vuls/id/222929
Third Party Advisory
US Government Resource
Mitigation
http://www.securityfocus.com/bid/67075
Third Party Advisory
Broken Link
VDB Entry