CVE-2014-1815
published 2014-05-14CVE-2014-1815: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web…
PriorityP276critical9.3CVSS 2.0
AVNACMAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
20.26%
97.1th percentile
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, as exploited in the wild in May 2014, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0310.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
%u1414%u1414
- →CVE-2014-1815 is a use-after-free vulnerability in Internet Explorer 6–11 exploited in the wild in May 2014; exploit involves freeing a CAnchorElement (MSHTML!CAnchorElement) and reusing the freed memory via JavaScript heap spray. ↗
- →Exploit PoC uses a cookie-check anti-reinfection mechanism; presence of cookie value 'd93kaj3Nja3' in HTTP traffic or browser cookies is an indicator of exploit delivery page. ↗
- →Heap spray pattern 0x14141414 (encoded as %u1414%u1414) repeated in memory is a strong in-memory indicator of this exploit's shellcode/ROP setup. ↗
- →Exploit delivery page uses ShockwaveFlash.ShockwaveFlash ActiveXObject instantiation as a Flash version check prior to exploitation; monitor for this pattern combined with the cookie check in the same script. ↗
- ·The exploit was delivered as MS14-029 (May 2014 Patch Tuesday); affected versions are Internet Explorer 6 through 11. Patching MS14-029 remediates the vulnerability. ↗
- ·Microsoft's isolated heap (_g_hIsolatedHeap) and deferred-free (ProtectedFree with 0x186A0 threshold) mitigations were introduced after this CVE was exploited; the PoC explicitly demonstrates bypassing ProtectedFree, so these mitigations alone are insufficient against a determined attacker. ↗
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-m3vf-g64w-7wxq: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2014-0310 [CRITICAL] CWE-119 GHSA-m3vf-g64w-7wxq: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1815.
GHSA
GHSA-9c4m-mcm2-9ghx: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2014-1815 [CRITICAL] CWE-119 GHSA-9c4m-mcm2-9ghx: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, as exploited in the wild in May 2014, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0310.
VulnCheck
Microsoft Internet Explorer Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2014·CVSS 9.3
CVE-2014-1815 [CRITICAL] Microsoft Internet Explorer Improper Restriction of Operations within the Bounds of a Memory Buffer
Microsoft Internet Explorer Improper Restriction of Operations within the Bounds of a Memory Buffer
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, as exploited in the wild in May 2014, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0310.
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-029; https://www.cve.org/CVERecord?id=CVE-2014-1815
No detection rules found.
Unit42
Is It the Beginning of the End For Use-After-Free Exploitation?
blogs_unit42·2014-07-17·CVSS 8.8
CVE-2014-1815 [HIGH] Is It the Beginning of the End For Use-After-Free Exploitation?
Use-after-free bugs have affected Internet Explorer for years. In the past year alone, Microsoft patched 122 IE vulnerabilities, the majority of which were use-after-free bugs. This year Microsoft has already patched 126 IE vulnerabilities to date. Of those vulnerabilities, 4 were actively being exploited in the wild. These 4 exploits (CVE-2014-1815, CVE-2014-1776, CVE-2014-0322, CVE-2014-0324) were all based on use-after-free bugs.
To deal with the increasing number of use-after-free bugs and associated exploits, Microsoft introduced a series of new control mechanisms in the most recent Internet Explorer patches. In June, Microsoft introduced a new isolated heap mechanism to solve the usage issue of use-after-free exploitation. They followed that up In July by implementing a deferred fre
Unit42
Is It the Beginning of the End For Use-After-Free Exploitation?
blogs_unit42·2014-07-17·CVSS 8.8
[HIGH] Is It the Beginning of the End For Use-After-Free Exploitation?
## Is It the Beginning of the End For Use-After-Free Exploitation?
Tao Yan
Bo Qu
Royce Lu
Published: July 16, 2014
Malware
Threat Research
Deferred free
Internet Explorer
Isolated heap
Microsoft
Use after free
Use-after-free bugs have affected Internet Explorer for years. In the past year alone, Microsoft patched 122 IE vulnerabilities, the majority of which were use-after-free bugs. This year Microsoft has already patched 126 IE vulnerabilities to date. Of those vulnerabilities, 4 were actively being exploited in the wild. These 4 exploits (CVE-2014-1815, CVE-2014-1776, CVE-2014-0322, CVE-2014-0324) were all based on use-after-free bugs.
To deal with the increasing number of use-after-free bugs and associated exploits, Microsoft introduced a series of new control mechanisms
Talos
Microsoft Update Tuesday May 2014: relatively light month
blogs_talos·2014-05-13·CVSS 4.3
[MEDIUM] Microsoft Update Tuesday May 2014: relatively light month
## Microsoft Update Tuesday May 2014: relatively light month
It’s time for another Microsoft Update Tuesday , the first one which will not feature any XP updates (except of course for the out-of-band patch ( MS14-021 ) which was released to deal with the IE 0-day which is officially part of this release, but which we won't be discussing here, more on that can be found here and here ). It’s a pretty straightforward month this time around, with eight bulletins covering 13 CVEs.
The numbering is a little off this month, usually the critical bulletins came first, but it seems that Microsoft hasn't done that this time around. We’ll list the critical bulletins first, followed by the important ones.
There’s two critical bulletins and six important bulletins this month:
The first critical bull
Talos
Microsoft Update Tuesday May 2014: relatively light month
blogs_talos·2014-05-13·CVSS 4.3
[MEDIUM] Microsoft Update Tuesday May 2014: relatively light month
It’s time for another Microsoft Update Tuesday, the first one which will not feature any XP updates (except of course for the out-of-band patch (MS14-021) which was released to deal with the IE 0-day which is officially part of this release, but which we won't be discussing here, more on that can be found here and here). It’s a pretty straightforward month this time around, with eight bulletins covering 13 CVEs.
The numbering is a little off this month, usually the critical bulletins came first, but it seems that Microsoft hasn't done that this time around. We’ll list the critical bulletins first, followed by the important ones.
There’s two critical bulletins and six important bulletins this month:
The first critical bulletin is MS14-022 and covers three CVEs in Sharepoint. Two of them
Zscaler
Zscaler found Multiple Security Vulnerabilities | 05-13-2014
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 05-13-2014
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
2014-05-14
Published
Exploited in the wild