CVE-2015-2502 - Out-of-bounds Write vulnerability in Microsoft Internet Explorer

CVSS 8.8 - HIGH

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

network, low complexity, microsoft, CWE-787, nessus

Summary

Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Memory Corruption Vulnerability," as exploited in the wild in August 2015.

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_id: MS15-093
bulletin_url:
date: 2015-08-18T00:00:00
impact: Remote Code Execution
knowledgebase_id: 3088903
knowledgebase_url:
severity: Critical
title: Security Update for Internet Explorer

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS15-093.NASL
description: The version of Internet Explorer installed on the remote host is missing Cumulative Security Update 3088903. It is, therefore, affected by a remote code execution vulnerability due to a memory corruption issue caused by improper accessing of objects in memory. An unauthenticated, remote attacker can exploit this issue by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 85540
published: 2015-08-19
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/85540
title: MS15-093: Security Update for Internet Explorer (3088903)

Seebug

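bulletinFamily: exploit
description: A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website, in which case the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.

CVE-ID: CVE-2015-2502
CNNVD-ID: CNNVD-201508-429

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11) on affected Windows servers.
id: SSV:89289
last seen: 2017-11-19
modified: 2015-09-01
published: 2015-09-01
reporter: 5lyTher1n
title: Microsoft Internet Explorer buffer overflow vulnerability ms15-093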

The Hacker News

id: THN:8FD72381D4819CB51CBC9FF2617DB392
last seen: 2018-01-27
modified: 2015-08-19
published: 2015-08-18
reporter: Swati Khandelwal
source: https://thehackernews.com/2015/08/microsoft-emergency-patch-zero-day-internet-explorer.html
title: Microsoft pushes Emergency Patch for Zero-Day Internet Explorer Flaw