OLE (Object Linking and Embedding) is a technology that allows applications to share data and functionality, such as the ability to create and edit compound data, i.e., data that contains information in multiple formats.

Problem

The **SafeArrayRedim** function in the **OleAut32.dll** library does not properly check sizes of arrays when an error occurs. This allows an attacker to manipulate memory and bypass security protections in Internet Explorer, resulting in arbitrary code execution.

Resolution

Apply the security update referenced in MS14-064.

References

<https://www.us-cert.gov/ncas/alerts/TA14-318B>

Limitations

Exploit works on Windows with Internet Explorer 10 and earlier, and requires a user to load the exploit page in Internet Explorer.

Platforms

Windows

checkpoint_advisories 2

fireeye 14

packetstorm 13

exploitpack 3

seebug 2

securityvulns 2

symantec 1

canvas 1

saint 3

zdt 8

threatpost 6

cisa_kev 1

prion 1

vulnerlab 2

attackerkb 1

cve 1

cert 1

exploitdb 3

metasploit 1

openvas 1

securelist 2

mskb 1

nessus 1

thn 2

myhack58 1

malwarebytes 1

mmpc 1

kaspersky 1

checkpoint_advisories

Microsoft Windows OLE Automation Array Remote Code Execution (MS14-064; CVE-2014-6332)

2014-11-11 00:00:00

Microsoft Windows OLE Obfuscated Automation Array Remote Code Execution (CVE-2014-6332)

2019-02-14 00:00:00

fireeye

Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads

2017-06-02 13:00:00

GongDa vs. Korean News

2016-03-18 12:30:00

GongDa vs. Korean News

2016-03-18 08:30:00

packetstorm

The World Browser 3.0 Final Remote Code Execution

2015-10-22 00:00:00

Avant Browser Lite / Ultimate Remote Code Execution

2015-10-21 00:00:00

Microsoft Compiled HTML Help Remote Code Execution

2015-10-23 00:00:00

exploitpack

IBM Security AppScan Standard 9.0.2 - OLE Automation Array Remote Code Execution

2015-06-01 00:00:00

Microsoft Internet Explorer 11 - OLE Automation Array Remote Code Execution (1)

2014-11-13 00:00:00

Microsoft Internet Explorer 11 - OLE Automation Array Remote Code Execution (Metasploit)

2014-11-13 00:00:00

seebug

IBM Security AppScan Standard <= 9.0.2 - OLE Automation Array Remote Code Execution

2015-08-31 00:00:00

IE Godmode remote code execution vulnerability, CVE-2014-6332）

2017-03-06 00:00:00

securityvulns

Microsoft HTA (HTML Application) - Remote Code Execution Vulnerability (MS14-064)

2015-08-24 00:00:00

Microsoft Windows multiple security vulnerabilities

2015-08-24 00:00:00

symantec

Microsoft Windows CVE-2014-6332 OLE Remote Code Execution Vulnerability

2014-11-11 00:00:00

canvas

Immunity Canvas: MS14_064_IE_OLEAUT32

2014-11-11 22:55:00

saint

Windows OLE Automation Array command execution

2014-11-17 00:00:00

Windows OLE Automation Array command execution

2014-11-17 00:00:00

Windows OLE Automation Array command execution

2014-11-17 00:00:00

zdt

Havij - OLE Automation Array Remote Code Execution Exploit

2015-07-01 00:00:00

The World Browser 3.0 Final - Remote Code Execution Exploit

2015-10-22 00:00:00

Internet Explorer OLE Automation Array Remote Code Execution Exploit

2014-11-13 00:00:00

threatpost

EternalBlue Exploit Spreading Gh0st RAT, Nitol

2017-06-02 14:32:11

Malvertising Campaign Redirects Browsers To Terror Exploit Kit

2017-10-25 08:28:31

Angler Exploit Kit, Bedep Malware Inflating Video Views

2015-05-05 08:00:41

cisa_kev

Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability

2022-03-25 00:00:00

prion

Remote code execution

2014-11-11 22:55:00

vulnerlab

MS HTA (HTML Application) - Code Execution (MS14-064)

2015-08-15 00:00:00

MS HTA (HTML Application) - Code Execution (MS14-064)

2015-08-15 00:00:00

attackerkb

CVE-2014-6332

2014-11-11 00:00:00

cve

CVE-2014-6332

2014-11-11 22:55:00

cert

Microsoft Windows Object Linking and Embedding (OLE) OleAut32 library SafeArrayRedim function vulnerable to remote code execution via Internet Explorer

2014-11-13 00:00:00

exploitdb

IBM Security AppScan Standard 9.0.2 - OLE Automation Array Remote Code Execution

2015-06-01 00:00:00

Microsoft Internet Explorer < 11 - OLE Automation Array Remote Code Execution (Metasploit)

2014-11-13 00:00:00

Microsoft Internet Explorer 11 - OLE Automation Array Remote Code Execution (1)

2014-11-13 00:00:00

metasploit

MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution

2014-11-24 07:25:18

openvas

Microsoft Windows OLE Object Handling Code Execution Vulnerabilities (3011443)

2014-11-12 00:00:00

securelist

Delving deep into VBScript

2018-07-03 13:00:13

The King is dead. Long live the King!

2018-05-09 06:00:56

mskb

MS14-064: Vulnerabilities in Windows OLE could allow remote code execution: November 11, 2014

2014-11-11 00:00:00

nessus

MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)

2014-11-11 00:00:00

thn

Experts Warn of Browser Extensions Spying On Users via Cloud9 Chrome Botnet Network

2022-11-09 11:01:00

Researchers Share New Insights Into RIG Exploit Kit Malware's Operations

2023-02-27 15:33:00

myhack58

For a suspected CVE-2016-0189 the original attack sample debugging-vulnerability warning-the black bar safety net

2019-06-13 00:00:00

malwarebytes

RIG exploit kit distributes Princess ransomware

2017-08-31 20:04:32

mmpc

Exploit kits remain a cybercrime staple against outdated software – 2016 threat landscape review series

2017-01-23 22:37:34

kaspersky

KLA10601 Multiple vulnerabilities in Microsoft products

2014-11-11 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

JSON

Related for SAINT:4973412AEB13D8BC398B274492266AEC