Microsoft Internet Explorer up to 11 SWF File IsConnectedToPrimaryMarkup code injection

CVSS Meta Temp Score
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
Current Exploit Price (≈)
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.
CTI Interest Score
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.
7.9$0-$5k0.00

Summaryinfo

A vulnerability classified as very critical was found in Microsoft Internet Explorer up to 11. This affects the function CMarkup::IsConnectedToPrimaryMarkup of the component SWF File Handler. Such manipulation leads to code injection. This vulnerability is documented as CVE-2014-1776. The attack can be executed remotely. Additionally, an exploit exists. This vulnerability is historically impactful due to its background and the reception it garnered. It is suggested to apply the recommended workaround.

Detailsinfo

A vulnerability was found in Microsoft Internet Explorer up to 11 (Web Browser). It has been rated as very critical. Affected by this issue is the function CMarkup::IsConnectedToPrimaryMarkup of the component SWF File Handler. The manipulation with an unknown input leads to a code injection vulnerability. Using CWE to declare the problem leads to CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks."

The issue has been introduced in 03/22/2001. The weakness was released 04/26/2014 by Christopher Glyer, Matt Fowler, Josh Homan, Ned Moran, Nart Villeneuve and Yichong Lin with FireEye as New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks as confirmed posting (Website). The advisory is shared for download at fireeye.com. The public release happened without coordination with the vendor. This vulnerability is handled as CVE-2014-1776 since 01/29/2014. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. Technical details as well as a private exploit are known. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 01/10/2025). It is expected to see the exploit prices for this product decreasing in the near future.The MITRE ATT&CK project declares the attack technique as T1059. This vulnerability has a historic impact due to its background and reception. The advisory points out:

FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP.

It is declared as attacked. The vulnerability was handled as a non-public zero-day exploit for at least 4783 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 73805 (MS14-021: Security Update for Internet Explorer (2965111)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins. The commercial vulnerability scanner Qualys is able to test this issue with plugin 100191 (Microsoft Internet Explorer Remote Code Execution Vulnerability (MS14-021 and KB2963983)). The advisory illustrates:

The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui.
This issue was added on 01/28/2022 to the CISA Known Exploited Vulnerabilities Catalog with a due date of 07/28/2022:
Apply updates per vendor instructions.

It is possible to mitigate the problem by applying the configuration setting Restricted Mode. A possible mitigation has been published immediately after the disclosure of the vulnerability. The posting contains the following remark:

Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests. Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10. Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.
Truswave SpiderLabs is able to provide a detection: "Samples from the attack recently became available, allowing us to confirm and reassure our customers that Trustwave Secure Web Gateway was able to protect them against this attack provided that it was up-to-date at the time of the attack. The attack is blocked by the policy rule "Block Malicious Content (Malware Entrapment Engine)." Please ensure that you enable this rule in your policy. We also highly recommend installing "Security Update 167" which includes additional protection developed specifically for this vulnerability." Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 13902.

The vulnerability is also documented in the databases at X-Force (92731), Zero-Day.cz (104), Tenable (73805), SecurityFocus (BID 67075†) and OSVDB (106311†). cnet.com is providing further details. If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

Vendor

Name

Version

License

Support

Website

CPE 2.3info

CPE 2.2info

Video

Youtube: Not available anymore

CVSSv4info

VulDB Vector: 🔍
VulDB Reliability: 🔍

CVSSv3info

VulDB Meta Base Score: 8.0
VulDB Meta Temp Score: 7.9

VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍

NVD Base Score: 9.8
NVD Vector: 🔍

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock

VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍

NVD Base Score: 🔍

Exploitinginfo

Class: Code injection
CWE: CWE-94 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍

Physical: No
Local: No
Remote: Yes

Availability: 🔍
Access: Private
Status: Attacked

EPSS Score: 🔍
EPSS Percentile: 🔍

KEV Added: 🔍
KEV Due: 🔍
KEV Remediation: 🔍
KEV Ransomware: 🔍
KEV Notice: 🔍

Price Prediction: 🔍
Current Price Estimation: 🔍

0-DayUnlockUnlockUnlockUnlock
TodayUnlockUnlockUnlockUnlock

Nessus ID: 73805
Nessus Name: MS14-021: Security Update for Internet Explorer (2965111)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍

Qualys ID: 🔍
Qualys Name: 🔍

Zero-Day.cz: 🔍

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: Workaround
Status: 🔍

Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍

Config: Restricted Mode
Suricata ID: 2018434
Suricata Class: 🔍
Suricata Message: 🔍

TippingPoint: 🔍

McAfee IPS Version: 🔍

ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍

Timelineinfo

03/22/2001 🔍
01/29/2014 +4696 days 🔍
04/26/2014 +87 days 🔍
04/26/2014 +0 days 🔍
04/26/2014 +0 days 🔍
04/26/2014 +0 days 🔍
04/26/2014 +0 days 🔍
04/27/2014 +1 days 🔍
04/27/2014 +0 days 🔍
04/27/2014 +0 days 🔍
04/27/2014 +0 days 🔍
04/28/2014 +1 days 🔍
05/01/2014 +3 days 🔍
01/10/2025 +3907 days 🔍

Sourcesinfo

Vendor: microsoft.com

Advisory: New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
Researcher: Christopher Glyer, Matt Fowler, Josh Homan, Ned Moran, Nart Villeneuve, Yichong Lin
Organization: FireEye
Status: Confirmed
Confirmation: 🔍

CVE: CVE-2014-1776 (🔍)
GCVE (CVE): GCVE-0-2014-1776
GCVE (VulDB): GCVE-100-13076

OVAL: 🔍

CERT: 🔍
X-Force: 92731 - Microsoft Internet Explorer code execution, High Risk
SecurityFocus: 67075 - Microsoft Internet Explorer CVE-2014-1776 Remote Code Execution Vulnerability
Secunia: 57908 - Microsoft Internet Explorer Use-After-Free Vulnerability, Extremely Critical
OSVDB: 106311
SecurityTracker: 1030154 - Microsoft Internet Explorer Object Access Flaw Lets Remote Users Execute Arbitrary Code
Vulnerability Center: 44250 - [MS14-021] Microsoft Internet Explorer 6-11 Remote Code Execution due to ASLR and DEP Bypass, Critical

scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍

Entryinfo

Created: 04/28/2014 11:02
Updated: 01/10/2025 15:20
Changes: 04/28/2014 11:02 (101), 04/07/2017 12:05 (9), 06/17/2021 18:10 (3), 04/22/2024 16:49 (24), 07/12/2024 04:40 (2), 07/24/2024 20:14 (12), 09/09/2024 22:29 (1), 12/20/2024 04:47 (2), 01/10/2025 15:20 (1)
Complete: 🔍
Cache ID: 216:CE7:103

Discussion

No comments yet. Languages: en.

Please log in to comment.

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!