CVE-2015-1730
Published: 2015-06-10
Priority: P2 · 60 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 29.39% (97.9th percentile)
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
bytes: 0xCCCCCCCC
- Detect recursive JavaScript stack exhaustion via Function.apply() with extremely large argument arrays (0x2000 / 0x200 elements) in IE9 jscript9.dll — indicative of CVE-2015-1730 exploitation.
- Detect creation of a URIError object whose 'name' property is set to itself (circular reference) followed by string coercion attempts — the minimal trigger pattern for this vulnerability.
- Detect heap spray targeting address range around 0x09000000 with repeated DWORD patterns including fake vftable pointer 0x28000201 and shellcode stub at 0x28000300 (int3 sled: 0xCCCCCCCC).
- Detect use of window.open('about:blank') followed by execScript() cross-window to set up the vulnerable URIError circular reference — a two-window setup is characteristic of this exploit.
- The vulnerability resides in the JavaScriptStackWalker class in jscript9.dll (Internet Explorer 9); monitor for crashes or AV hits in jscript9.dll during double stack-exhaustion exception sequences.
- The exploit is specific to Internet Explorer 9 and the jscript9.dll engine; other IE versions or browsers are not affected by this particular JavaScriptStackWalker pointer reuse bug.
- The heap spray and stack spray are probabilistic, not deterministic — the exploit relies on statistical likelihood of controlling the vulnerable pointer's target, so reliability may vary across system configurations.
No detection rules found.
- http://blog.skylined.nl/20161206001.html
- http://packetstormsecurity.com/files/140050/Microsoft-Internet-Explorer-9-jscript9-JavaScriptStackWalker-Memory-Corruption.html
- http://www.securitytracker.com/id/1032521
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-056
- https://www.exploit-db.com/exploits/40881/
- https://www.verisign.com/en_US/security-services/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1099