CVE-2014-0307 : Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause

Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a certain sequence of manipulations of a TextRange element, aka "Internet Explorer Memory Corruption Vulnerability."

Published 2014-03-12 05:15:20

Updated 2018-10-12 22:05:51

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: OverflowMemory CorruptionExecute codeDenial of service

Exploit prediction scoring system (EPSS) score for CVE-2014-0307

Probability of exploitation activity in the next 30 days: 97.32%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2014-0307

MS14-012 Microsoft Internet Explorer TextRange Use-After-Free

Disclosure Date: 2014-03-11

First seen: 2020-04-26

exploit/windows/browser/ms14_012_textrange

This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw was most likely introduced in 2013, therefore only certain builds of MSHTML are affected. In our testing with IE9, these vulnerable builds appear to be between 9.0.8112.16496 and

More information

CVSS scores for CVE-2014-0307

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2014-0307

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)
CWE-416 Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-0307

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012

Microsoft Security Bulletin MS14-012 - Critical | Microsoft Docs

CVEs referencing this url
http://www.exploit-db.com/exploits/32438

Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012) (Metasploit) - Windows remote Exploit
Exploit

Products affected by CVE-2014-0307

Microsoft » Internet Explorer » Version: 9
cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
Matching versions