Published: 22/05/2014 Updated: 12/10/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 935
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote malicious users to execute arbitrary code via crafted JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function.

Affected Products

Vendor Product Versions
MicrosoftInternet Explorer6, 7, 8, 9, 10, 11


<!-- Exploit Title: MS14-035 Internet Explorer CFormElement Use-after-free and memory corruption POC (no crash! see trace) Product: Internet Explorer Vulnerable version: 9,10 Date: 8072014 Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (itdefensorru/) Vendor Homepage: wwwmicrosoftcom/ Tested on: Wind ...

Recent Articles

Microsoft Updates June 2014 – Almost 60 IE and GDI+/TrueType RCE
Securelist • Kurt Baumgartner • 10 Jun 2014

Microsoft fixes a smaller set of software product code this month for “Critical” vulnerabilities, and a handful for “Important” fixes with MS014-030 through MS014-036. But whoa, almost 60 remote code execution flaws exist in the six versions of Internet Explorer and the Microsoft components that render fonts on your system! Not only is that a very long list of memory corruption issues, but one of the IE bug reports, credited to Peter Van Eeckhoutte, is over 180 days old. The fix and te...