CVE-2014-2817
Published: 12 August 2014
Summary
CVE-2014-2817 is a high-severity an unspecified weakness vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 3.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
Microsoft Internet Explorer versions 6 through 11 are affected by CVE-2014-2817, an elevation of privilege vulnerability that can be triggered when a user visits a specially crafted website. The flaw is tracked under the alias "Internet Explorer Elevation of Privilege Vulnerability" and carries a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, and no required privileges.
Remote attackers can exploit the issue by serving malicious content that executes in the context of the current user, resulting in full compromise of confidentiality, integrity, and availability on the affected system. Successful exploitation requires user interaction such as clicking a link or viewing a page in Internet Explorer.
Microsoft security bulletin MS14-051 addresses the vulnerability and supplies the corresponding security updates for supported versions of Internet Explorer. The bulletin is referenced alongside related advisories on SecurityFocus and SecurityTracker for additional patch and workaround guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-2844
Vulnerability details
Microsoft Internet Explorer 6 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability."
- CWE(s)
- KEV Date Added
- 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of the MS14-051 security update that eliminates the EoP flaw in IE 6-11.
Establishes usage restrictions and control of mobile code (scripts, active content) delivered by crafted websites that trigger the vulnerability.
Limits privileges available to the IE process, reducing the impact of successful exploitation to the current user context.