Internet Explorer is an HTML web browser that ships by default with Microsoft operating systems.
Microsoft Internet Explorer 9 and 10 contain a use-after-free vulnerability in the CMarkup component of the MSHTML library. By enticing a user to open a specially crafted web page, a remote attacker could upload and execute arbitrary code on the compromised user's system.
The exploit seen in the wild uses the Internet Explorer vulnerability to corrupt Adobe Flash content in such a way as to bypass Address Space Layout Randomization (ASLR), disable Data Execution Prevention (DEP), and then execute code.
Apply updates as specified in Microsoft Security Bulletin MS14-012.
The user must open the exploit page in MS IE 9 or 10.
The exploit was tested using Adobe Flash Player 22.214.171.124 and 126.96.36.199.