Internet Explorer CMarkup Object Handling Use-after-free Vulnerability

Added: 04/17/2014
CVE: CVE-2014-0322
BID: 65551
OSVDB: 103354


Internet Explorer is an HTML web browser which comes by default on Microsoft operating systems.


Microsoft Internet Explorer 9 and 10 contain a use-after-free vulnerability in the CMarkup component of the MSHTML library. By enticing a user to open a specially crafted web page, a remote attacker could upload and execute arbitrary code on the compromised user's system.

This exploit in the wild uses the Internet Explorer vulnerability to corrupt Adobe Flash content in such a way as to bypass Address Space Layout Randomization (ASLR), disable Data Execution Prevention (DEP), and then execute code.


Apply updates as specified in Microsoft Security Bulletin MS14-012.



The user must open the exploit page in MS IE 9 or 10.

Exploit was tested using Adobe Flash Player and



Back to exploit index