CVE-2014-4123
Published: 15 October 2014
Summary
CVE-2014-4123 is a high-severity vulnerability of unspecified weakness type in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
Microsoft Internet Explorer versions 7 through 11 contain an elevation of privilege vulnerability, tracked as CVE-2014-4123, that is distinct from the related issue CVE-2014-4124. The flaw permits remote attackers to obtain higher privileges when a user visits a specially crafted web site, carrying a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
An attacker can exploit the vulnerability by hosting or compromising a malicious web site and luring a victim to visit it; successful exploitation grants the attacker the ability to run arbitrary code with the privileges of the current user. The issue was observed being exploited in the wild during October 2014.
Microsoft addressed the vulnerability in security bulletin MS14-056, with additional details provided in the October 2014 Security Update blog post and vendor advisories such as Secunia 60968.
The vulnerability saw active exploitation shortly after disclosure, underscoring the need for prompt application of the available patches across supported Internet Explorer installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-4054
Vulnerability details
Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," as exploited in the wild in October 2014, a different vulnerability than CVE-2014-4124.
- CWE(s)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the MS14-056 security update that Microsoft released to eliminate the EoP flaw in IE 7-11.
- SI-3 (Malicious Code Protection): enforces malicious-code protections (e.g., browser sandboxing, script blocking, URL filtering) that can stop the crafted site from delivering the exploit payload.
- AC-6 (Least Privilege): limits the privileges of the IE process and user account, reducing the impact of a successful EoP to the current user context.