CVE-2014-1776
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks."
Analysis
Internet Explorer 6 through 11 contain a use-after-free vulnerability in CMarkup::IsConnectedToPrimaryMarkup that allows remote code execution, exploited as a zero-day in April 2014 with initial attribution to APT groups.
Technical Context
The CWE-416 use-after-free in the CMarkup::IsConnectedToPrimaryMarkup function is triggered when JavaScript manipulates the DOM to free a CMarkup object while IE still holds references to it. The vulnerability initially appeared to involve VGX.DLL (VML rendering) but was ultimately traced to the core HTML rendering engine.
Affected Products
Microsoft Internet Explorer 6 through 11
All supported Windows versions at the time
Remediation
Migrate to modern browsers. This vulnerability's severity prompted Microsoft to issue a rare patch for end-of-life Windows XP. Apply MS14-021.