CVE-2015-2444
published 2015-08-14CVE-2015-2444: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web…
PriorityP261critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
33.56%
98.2th percentile
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Memory Corruption Vulnerability," a different vulnerability than CVE-2015-2442.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCsextracted from sources · hover to see the quote
registryHKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MEMPROTECT_MODE↗
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:established,to_client; file.data; content:"]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_08_24, cve CVE_2015_2444, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:established,to_client; file.data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:5; metadata:created_at 2015_08_25, cve CVE_2015_2444, confidence Low, signature_severity Major, updated_at 2024_03_14;)
bytes
|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|
- →The exploit triggers a use-after-free in MSHTML!CTreeNode::GetCascadedLang via a crafted HTML page combining <label>, <fieldset>, <button>, <form>, <meter>, and <optgroup> elements with a CSS -ms-behavior:url() rule; network detection should look for co-occurrence of these HTML elements alongside the -ms-behavior CSS property.
- →The exploit page sets an x-ua-compatible meta tag forcing IE=10 compatibility mode; detection rules should check for this header/meta tag in conjunction with exploit HTML structure.
- →The UAF crash occurs at MSHTML!CTreeNode::GetCascadedLang+0x65 when accessing freed CLabelElement memory; endpoint/crash telemetry referencing this symbol and offset is a strong indicator of exploitation. ↗
- →The freed object is a CLabelElement; heap analysis showing MSHTML!CLabelElement::ProtectedFree followed by access in CTreeNode::GetCascadedLang confirms exploitation of this CVE. ↗
- →CVE-2015-2444 was integrated into the Sundown Exploit Kit and used to target Japanese banking customers; detections should correlate with Sundown EK traffic patterns and banking-trojan payloads. ↗
- ·The FEATURE_MEMPROTECT_MODE registry key controls IE's MemoryProtect mitigation; if this key is set to 0x0 for iexplore.exe, the UAF is directly exploitable without heap-spray complications — defenders should verify this key is not disabled. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-6m7r-6h93-4pc4: Microsoft Internet Explorer 8 through 11 and Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) vi
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2015-2442 [CRITICAL] CWE-119 GHSA-6m7r-6h93-4pc4: Microsoft Internet Explorer 8 through 11 and Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) vi
Microsoft Internet Explorer 8 through 11 and Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Memory Corruption Vulnerability," a different vulnerability than CVE-2015-2444.
GHSA
GHSA-vffr-5c7x-3r2f: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2015-2444 [CRITICAL] CWE-119 GHSA-vffr-5c7x-3r2f: Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Memory Corruption Vulnerability," a different vulnerability than CVE-2015-2442.
Suricata
ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)
suricata·2015-08-25·CVSS 9.3
CVE-2015-2444 [CRITICAL] ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)
ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:established,to_client; file.data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:5; metadata:created_at 2015_08_25, cve CVE_2015_2444, confidence Low, signature_severity Major, updated_at 2024_03_14;)
Suricata
ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)
suricata·2015-08-24·CVSS 9.3
CVE-2015-2444 [CRITICAL] ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)
ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:established,to_client; file.data; content:"]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:6; metadata:affected_product Web_Browsers
Zscaler
Zscaler detects IE & MS Office Vulnerabilities | 09-09-2015
blogs_zscaler·CVSS 5.0
[MEDIUM] Zscaler detects IE & MS Office Vulnerabilities | 09-09-2015
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Recorded Future
2017 Vulnerability Report: A Shift in Cybercriminal Preferences | Recorded Future
blogs_recorded_future·CVSS 7.8
[HIGH] 2017 Vulnerability Report: A Shift in Cybercriminal Preferences | Recorded Future
## New Kit, Same Player: Top 10 Vulnerabilities Used by Exploit Kits in 2016
## Key Takeaways
Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Since our 2015 ranking, Flash Player’s popularity with cyber criminals remains after increased Adobe security issue mitigation efforts.
Vulnerabilities in Microsoft’s Internet Explorer, Windows, and Silverlight rounded out the top 10 vulnerabilities used by exploit kits. None of the vulnerabilities identified in last year’s report carried over to this year’s top 10.
A 2016 Internet Explorer vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, notably Sundown EK which quickly adopted an exploit in July 2016.
Sundown, RIG, and Neutrino exploit kits filled the void created by Angler Exploit
Zscaler
Zscaler detects IE & MS Office Vulnerabilities | 08-11-2015
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler detects IE & MS Office Vulnerabilities | 08-11-2015
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Recorded Future
2017 Vulnerability Report: A Shift in Cybercriminal Preferences
blogs_recorded_future·CVSS 7.8
[HIGH] 2017 Vulnerability Report: A Shift in Cybercriminal Preferences
# New Kit, Same Player: Top 10 Vulnerabilities Used by Exploit Kits in 2016
### Key Takeaways
- Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Since our 2015 ranking, Flash Player’s popularity with cyber criminals remains after increased Adobe security issue mitigation efforts.
- Vulnerabilities in Microsoft’s Internet Explorer, Windows, and Silverlight rounded out the top 10 vulnerabilities used by exploit kits. None of the vulnerabilities identified in last year’s report carried over to this year’s top 10.
- A 2016 Internet Explorer vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, notably Sundown EK which quickly adopted an exploit in July 2016.
- Sundown, RIG, and Neutrino exploit kits filled the void created by Angler Ex
http://www.securityfocus.com/bid/76194http://www.securitytracker.com/id/1033237https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-079https://www.exploit-db.com/exploits/37764/http://www.securityfocus.com/bid/76194http://www.securitytracker.com/id/1033237https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-079https://www.exploit-db.com/exploits/37764/
2015-08-14
Published