← back
CVE-2014-1776

CVE-2014-1776

CVSS 9.8 CRITICALEPSS 88.0%● KEVCWE-416
In short

A use-after-free bug in Internet Explorer allows attackers to run malicious code or crash the browser by exploiting how the browser handles certain memory objects. This was actively exploited in real attacks in April 2014.

Technical detail

Use-after-free vulnerability in the CMarkup::IsConnectedToPrimaryMarkup function across IE 6-11 enables remote code execution or denial of service through specially crafted web content. The vulnerability involves memory corruption when the browser attempts to access freed memory; exploitation requires no user privileges beyond visiting a malicious webpage.

Summary generated and translated by AI from the official description.
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks."
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspxhttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-021http://secunia.com/advisories/57908http://securitytracker.com/id?1030154https://technet.microsoft.com/library/security/2963983https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-1776https://www.vicarius.io/vsociety/posts/cve-2014-1776-use-after-free-vulnerability-in-microsoft-internet-explorer-detection-scripthttps://www.vicarius.io/vsociety/posts/cve-2014-1776-use-after-free-vulnerability-in-microsoft-internet-explorer-mitigation-scriptshttp://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.htmlhttp://www.kb.cert.org/vuls/id/222929http://www.osvdb.org/106311http://www.securityfocus.com/bid/67075