CVE-2015-2444
published 2015-08-14

Priority: P261 critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 33.56% (98.2th percentile)
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Memory Corruption Vulnerability," a different vulnerability than CVE-2015-2442.

Affected

4 ranges
Vendor     Product            Version range  Fixed in
microsoft  internet_explorer
microsoft  internet_explorer
microsoft  internet_explorer
microsoft  internet_explorer

Detection & IOCs (extracted from sources)

registry: HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MEMPROTECT_MODE
command: form{-ms-behavior: url("c");}
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:established,to_client; file.data; content:"]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_08_24, cve CVE_2015_2444, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:established,to_client; file.data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:5; metadata:created_at 2015_08_25, cve CVE_2015_2444, confidence Low, signature_severity Major, updated_at 2024_03_14;)
bytes
|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|
  • The exploit triggers a use-after-free in MSHTML!CTreeNode::GetCascadedLang via a crafted HTML page combining <label>, <fieldset>, <button>, <form>, <meter>, and <optgroup> elements with a CSS -ms-behavior:url() rule; network detection should look for co-occurrence of these HTML elements alongside the -ms-behavior CSS property.
  • The exploit page sets an x-ua-compatible meta tag forcing IE=10 compatibility mode; detection rules should check for this header/meta tag in conjunction with exploit HTML structure.
  • The UAF crash occurs at MSHTML!CTreeNode::GetCascadedLang+0x65 when accessing freed CLabelElement memory; endpoint/crash telemetry referencing this symbol and offset is a strong indicator of exploitation.
  • The freed object is a CLabelElement; heap analysis showing MSHTML!CLabelElement::ProtectedFree followed by access in CTreeNode::GetCascadedLang confirms exploitation of this CVE.
  • CVE-2015-2444 was integrated into the Sundown Exploit Kit and used to target Japanese banking customers; detections should correlate with Sundown EK traffic patterns and banking-trojan payloads.
  • The FEATURE_MEMPROTECT_MODE registry key controls IE's MemoryProtect mitigation; if this key is set to 0x0 for iexplore.exe, the UAF is directly exploitable without heap-spray complications; defenders should verify that the mitigation is not disabled through this key.
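
The co-occurrence check described in the first two detection notes can be prototyped offline before tuning a network rule. The following is an added example, not code from the page or from the cited rule set; the function names, the alert/review thresholds and the three sample pages are assumptions constructed for illustration, and only the meta-tag form of x-ua-compatible is checked, not an HTTP response header.

```python
import re

# Markers taken from the detection notes above.
ELEMENTS = ("label", "fieldset", "button", "form", "meter", "optgroup")
BEHAVIOR_RE = re.compile(r"-ms-behavior\s*:\s*url\s*\(", re.I)
META_RE = re.compile(r"<meta\b[^>]*>", re.I)
COMPAT_RE = re.compile(r"x-ua-compatible", re.I)
IE10_RE = re.compile(r"content\s*=\s*[\"']\s*IE\s*=\s*10\b", re.I)

def forces_ie10(html):
    """True if a single <meta> tag names x-ua-compatible and sets IE=10."""
    return any(COMPAT_RE.search(tag) and IE10_RE.search(tag)
               for tag in META_RE.findall(html))

def elements_present(html):
    """Set of the listed element names that open at least once in the page."""
    return {n for n in ELEMENTS if re.search(r"<%s\b" % n, html, re.I)}

def assess(html):
    """Combine the signals; thresholds are assumptions, tune them locally."""
    found = elements_present(html)
    behavior = bool(BEHAVIOR_RE.search(html))
    ie10 = forces_ie10(html)
    missing = sorted(set(ELEMENTS) - found)
    if behavior and ie10 and not missing:
        verdict = "alert"      # every signal from the notes is present
    elif behavior and (ie10 or len(found) >= 4):
        verdict = "review"     # partial match, worth a manual look
    else:
        verdict = "ignore"
    return {"verdict": verdict, "behavior": behavior,
            "ie10": ie10, "missing": missing}

# Constructed samples: inert markup that only carries the markers.
META = '<meta http-equiv="X-UA-Compatible" content="IE=10">'
RULE = '<form><style>form{-ms-behavior:url("c");}</style></form>'
SAMPLE_SUSPICIOUS = (META + "<label></label><fieldset></fieldset>"
                     "<button></button>" + RULE +
                     "<meter></meter><optgroup></optgroup>")
SAMPLE_PARTIAL = META + RULE
SAMPLE_BENIGN = "<form><label>Name</label><button>Send</button></form>"

if __name__ == "__main__":
    for name in ("SAMPLE_SUSPICIOUS", "SAMPLE_PARTIAL", "SAMPLE_BENIGN"):
        print(name, assess(globals()[name]))
```

A page that uses ordinary form controls without the -ms-behavior rule is never flagged, which is the main false-positive source for element-only matching.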