Vulnerabilities > CVE-2015-2502 - Out-of-bounds Write vulnerability in Microsoft Internet Explorer
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Memory Corruption Vulnerability," as exploited in the wild in August 2015.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 5 | |
| OS | 11 |
Common Weakness Enumeration (CWE)
Msbulletin
| bulletin_id | MS15-093 |
| bulletin_url | |
| date | 2015-08-18T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 3088903 |
| knowledgebase_url | |
| severity | Critical |
| title | Security Update for Internet Explorer |
Nessus
| NASL family | Windows : Microsoft Bulletins |
| NASL id | SMB_NT_MS15-093.NASL |
| description | The version of Internet Explorer installed on the remote host is missing Cumulative Security Update 3088903. It is, therefore, affected by a remote code execution vulnerability due to a memory corruption issue caused by improper accessing of objects in memory. An unauthenticated, remote attacker can exploit this issue by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 85540 |
| published | 2015-08-19 |
| reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/85540 |
| title | MS15-093: Security Update for Internet Explorer (3088903) |
Seebug
| bulletinFamily | exploit |
| description | <p>当 Internet Explorer 不正确地访问内存中的对象时,存在远程执行代码漏洞。此漏洞可能以一种攻击者可以在当前用户的上下文中执行任意代码的方式损坏内存。</p><p>攻击者可能拥有一个旨在通过 Internet Explorer 利用此漏洞的经特殊设计的网站,然后诱使用户查看该网站,则该漏洞可能允许远程执行代码。成功利用此漏洞的攻击者可以获得与当前用户相同的用户权限。如果当前用户使用管理用户权限登录,成功利用此漏洞的攻击者便可完全控制受影响的系统。攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。频繁使用 Internet Explorer 的系统(如工作站或终端服务器)受此漏洞的威胁最大。</p><p>CVE-ID:CVE-2015-2502<br></p><div class="simditor-table">CNNVD-ID: CNNVD-201508-429<br></div><div class="simditor-table">对于受影响的 Windows 客户端上的 Internet Explorer 7 (IE 7)、Internet Explorer 8 (IE 8)、Internet Explorer 9 (IE 9)、Internet Explorer 10 (IE 10) 和 Internet Explorer 11 (IE 11),此安全更新的等级为“严重”;对于受影响的 Windows 服务器上的 Internet Explorer 7 (IE 7)、Internet Explorer 8 (IE 8)、Internet Explorer 9 (IE 9)、Internet Explorer 10 (IE 10) 和 Internet Explorer 11 (IE 11),此安全更新的等级为“中等”。<br></div><div class="simditor-table"><br></div> |
| id | SSV:89289 |
| last seen | 2017-11-19 |
| modified | 2015-09-01 |
| published | 2015-09-01 |
| reporter | 5lyTher1n |
| title | Microsoft Internet Explorer 缓冲区溢出漏洞 ms15-093 |
The Hacker News
| id | THN:8FD72381D4819CB51CBC9FF2617DB392 |
| last seen | 2018-01-27 |
| modified | 2015-08-19 |
| published | 2015-08-18 |
| reporter | Swati Khandelwal |
| source | https://thehackernews.com/2015/08/microsoft-emergency-patch-zero-day-internet-explorer.html |
| title | Microsoft pushes Emergency Patch for Zero-Day Internet Explorer Flaw |
Related news
References
- http://twitter.com/Laughing_Mantis/statuses/633839771865886721
- http://twitter.com/Laughing_Mantis/statuses/633839231840841728
- http://www.securityweek.com/microsoft-issues-emergency-patch-critical-ie-flaw-exploited-wild
- http://www.securityfocus.com/bid/76403
- http://www.securitytracker.com/id/1033317
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-093