CVE-2014-4141 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<!-- Source: http://blog.skylined.nl/20161101001.html Synopsis A specially crafted webpage can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer. Known affected versions, attack vectors and mitigations Microsoft Internet Explorer 9 An attacker would need to get a target user to open a specially crafted webpage. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path. --> <!doctype html> <script> oTextArea = document.createElement('textarea'); oTextArea.dataSrc = 1; oTextArea.id = 1; oTextArea.innerHTML = 1; oTextArea.onvolumechange = 1; oTextArea.style.setProperty('list-style', "url()"); </script> <!-- Analysis The CAttrArray object initially allocates a CImplAry buffer of 0x40 bytes, which can store 4 attributes. When the buffer is full, it is grown to 0x60 bytes. A new buffer is allocated at a different location in memory and the contents of the original buffer is copied there. The repro causes the code to do this, but the code continues to access the original buffer after it has been freed. Exploit If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself. Timeline - April 2014: This vulnerability was found through fuzzing. - July 2014: This vulnerability was submitted to ZDI. - July 2014: ZDI reports a collision with a report by another researcher. (From the credits given by Microsoft and ZDI, I surmise that it was Peter 'corelanc0d3r' Van Eeckhoutte of Corelan who reported this issue. - October 2014: Microsoft release MS14-056, which addresses this issue. - November 2016: Details of this issue are released. -->