CVE-2014-1815
published 2014-05-14

Priority: P2 · 76 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 20.26% (97.1th percentile)

Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, as exploited in the wild in May 2014, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-0310.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

bytes: %u1414%u1414
  • CVE-2014-1815 is a use-after-free vulnerability in Internet Explorer 6–11 exploited in the wild in May 2014; exploit involves freeing a CAnchorElement (MSHTML!CAnchorElement) and reusing the freed memory via JavaScript heap spray.
  • The exploit PoC uses a cookie check as an anti-reinfection mechanism; the presence of the cookie value 'd93kaj3Nja3' in HTTP traffic or browser cookies is an indicator of the exploit delivery page.
  • Heap spray pattern 0x14141414 (encoded as %u1414%u1414) repeated in memory is a strong in-memory indicator of this exploit's shellcode/ROP setup.
  • Exploit delivery page uses ShockwaveFlash.ShockwaveFlash ActiveXObject instantiation as a Flash version check prior to exploitation; monitor for this pattern combined with the cookie check in the same script.
  • The fix was delivered as MS14-029 (May 2014 Patch Tuesday); affected versions are Internet Explorer 6 through 11. Applying MS14-029 remediates the vulnerability.
  • Microsoft's isolated heap (_g_hIsolatedHeap) and deferred-free (ProtectedFree with 0x186A0 threshold) mitigations were introduced after this CVE was exploited; the PoC explicitly demonstrates bypassing ProtectedFree, so these mitigations alone are insufficient against a determined attacker.
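
One way to apply the indicators listed above to a captured page body, as an added example (not code from this page or its sources). The function names and both sample pages are constructed for illustration; the samples carry only the indicator strings.

```python
import re
from html.parser import HTMLParser

COOKIE_MARKER = "d93kaj3Nja3"                                  # cookie value from the page
SPRAY_RE = re.compile(r"(?:%u1414){2,}", re.IGNORECASE)        # %u1414%u1414, possibly repeated
FLASH_RE = re.compile(
    r"ActiveXObject\s*\(\s*['\"]ShockwaveFlash\.ShockwaveFlash", re.IGNORECASE)

class _ScriptCollector(HTMLParser):
    """Collects the text of each <script> element separately."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inside = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._inside = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._inside = False
    def handle_data(self, data):
        if self._inside:
            self.scripts[-1] += data

def scan_page(html):
    """Return one finding per <script> block that contains any indicator."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for index, body in enumerate(collector.scripts):
        hits = {"cookie_marker": COOKIE_MARKER in body,
                "spray_pattern": bool(SPRAY_RE.search(body)),
                "flash_check": bool(FLASH_RE.search(body))}
        if any(hits.values()):
            # Flash check plus cookie check in the same script is the combination
            # the page says to monitor for; a Flash check alone is common and weak.
            hits["high_confidence"] = hits["cookie_marker"] and hits["flash_check"]
            hits["script_index"] = index
            findings.append(hits)
    return findings

# Constructed samples (indicator strings only).
SAMPLE_DELIVERY = """<html><body><script>var ok = true;</script>
<script>
if (document.cookie.indexOf("d93kaj3Nja3") == -1) {
  try { var f = new ActiveXObject("ShockwaveFlash.ShockwaveFlash"); } catch (e) {}
  var s = unescape("%u1414%u1414");
}
</script></body></html>"""
SAMPLE_BENIGN = """<script>try { new ActiveXObject("ShockwaveFlash.ShockwaveFlash"); } catch (e) {}</script>"""
```

Matching per script block rather than per page keeps the Flash version check, which appears on many legitimate legacy pages, from raising a high-confidence hit on its own.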

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | 9.3 | CRITICAL