CVE-2014-4123 — Microsoft Internet Explorer Privilege Escalation Vulnerability

Internet Explorer — Zone/Sandbox Privilege Escalation via Crafted Web Site; Sandbox Escape Component in Exploit Chains; Patched MS14-056

What Is Internet Explorer's Zone Security Model?

Internet Explorer implements a zone-based security model that assigns content to security zones (Internet, Local Intranet, Trusted Sites, Restricted Sites) with different privilege levels. Combined with Protected Mode (low-integrity process sandbox), IE's security architecture is designed to prevent web content from accessing OS resources or escalating privileges. Privilege escalation vulnerabilities — which allow content from a restricted zone or a low-integrity process to gain capabilities of a higher zone or integrity level — are sandbox escapes that break this security model.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-4123 is a privilege escalation vulnerability in Internet Explorer that allows a remote attacker, via a crafted web site, to gain elevated privileges beyond those of the normal IE sandbox. Like CVE-2014-2817 (MS14-051, August 2014), this vulnerability functions as the second-stage component in a browser exploit chain — following an initial remote code execution vulnerability that gives code execution inside IE's Protected Mode. Patched in MS14-056 (October 14, 2014).

Affected Versions

Internet Explorer | Status
IE 6 through 11 | Vulnerable

Fixed in MS14-056 (October 2014 cumulative IE update).

Technical Details

Root Cause: Improper Zone/Integrity Enforcement

CVE-2014-4123 involves a flaw in how IE enforces security boundaries between zones or integrity levels. The vulnerability allows content operating under IE's restricted security context (Protected Mode or Internet Zone) to trigger a code path that bypasses the integrity check, performing actions at a higher privilege level.

Exploitation typically occurs as part of a two-stage chain:

  1. RCE exploit: An IE memory corruption vulnerability achieves code execution inside the low-integrity Protected Mode process
  2. CVE-2014-4123: The compromised sandbox process triggers the zone elevation bug to escape from Protected Mode, gaining medium-integrity (user-level) code execution

This pattern mirrors other IE sandbox escapes (CVE-2014-2817, CVE-2014-0546) and represents the standard approach to complete browser-based exploitation: remote code execution → sandbox escape → full user-level access.
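A defender-side heuristic for the outcome of the chain described above, as an added example that is not part of the original advisory: it flags a process that runs at a higher integrity level than its parent while descending from a low-integrity iexplore.exe. The field names are modelled on Sysmon process-creation events and the sample records are constructed; it is a generic parent/child check, not a signature for CVE-2014-4123.

```python
import ntpath

# Integrity labels as Sysmon reports them in IntegrityLevel, ranked by privilege.
# Assumption: AppContainer (Enhanced Protected Mode) is ranked together with Low.
RANK = {"Untrusted": 0, "Low": 1, "AppContainer": 1, "Medium": 2, "High": 3, "System": 4}
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"

def ev(guid, parent, image, level):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "IntegrityLevel": level}

# Constructed process-creation records (not captured from a real host).
SAMPLE = [
    ev("g1", None, r"C:\Windows\explorer.exe", "Medium"),
    ev("g2", "g1", IE, "Medium"),                                  # frame process
    ev("g3", "g2", IE, "Low"),                                     # Protected Mode tab
    ev("g4", "g3", r"C:\Windows\System32\cmd.exe", "Medium"),      # rises above the tab
    ev("g5", "g2", r"C:\Windows\System32\notepad.exe", "Medium"),  # child of the frame
    ev("g6", "g3", r"C:\Windows\System32\rundll32.exe", "Low"),    # stays sandboxed
]

def sandboxed_ie_ancestor(proc, by_guid):
    """Walk up from proc (inclusive) to the nearest low-integrity iexplore.exe."""
    seen = set()
    while proc and proc["ProcessGuid"] not in seen:
        seen.add(proc["ProcessGuid"])
        name = ntpath.basename(proc["Image"]).lower()
        if name == "iexplore.exe" and RANK.get(proc["IntegrityLevel"], 99) <= RANK["Low"]:
            return proc
        proc = by_guid.get(proc["ParentProcessGuid"])
    return None

def find_escalations(events):
    """Return (child_guid, sandbox_guid) for each process that runs at a higher
    integrity level than its parent while descending from a sandboxed IE tab."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_guid.get(e["ParentProcessGuid"])
        if parent is None:
            continue
        # Unknown labels never count as a rise (child -> -1, parent -> 99).
        rise = RANK.get(e["IntegrityLevel"], -1) > RANK.get(parent["IntegrityLevel"], 99)
        box = sandboxed_ie_ancestor(parent, by_guid) if rise else None
        if box:
            hits.append((e["ProcessGuid"], box["ProcessGuid"]))
    return hits

if __name__ == "__main__":
    print(find_escalations(SAMPLE))
```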

Attack Characteristics

Attribute | Detail
Attack Vector | Network — requires visiting a crafted web page
Role in Attack Chain | Second-stage sandbox escape
Combined with | IE RCE vulnerabilities for full-chain browser compromise
Patch Bulletin | MS14-056 (October 2014)

Discovery

The vulnerability was reported to Microsoft and addressed in the October 2014 cumulative Internet Explorer security update (MS14-056), which covered multiple memory corruption and privilege escalation vulnerabilities.

Exploitation Context

  • Exploit chain component: Used in conjunction with IE RCE vulnerabilities by APT groups and exploit kit operators to achieve full OS-level compromise via the browser
  • Exploit kit integration: October 2014 IE vulnerabilities were rapidly integrated into commercial exploit kits (Angler, Nuclear) for mass criminal exploitation
  • CISA KEV (2022): Added May 2022, reflecting continued exploitation of the full IE vulnerability class against unpatched legacy deployments

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS14-056 (October 2014 cumulative IE update).

  2. Retire Internet Explorer — Microsoft ended support June 15, 2022. No further patches exist for any IE vulnerability. Migrate to Microsoft Edge (Chromium) or another supported browser.

  3. Enable Enhanced Protected Mode (EPM) for IE 10/11 to strengthen the sandbox against these elevation attacks.

  4. Block IE execution via AppLocker or Windows Defender Application Control if migration cannot be completed immediately.

Key Details

Property | Value
CVE ID | CVE-2014-4123
Vendor / Product | Microsoft — Internet Explorer
NVD Published | 2014-10-15
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-264 — Permissions, Privileges, and Access Controls
CISA KEV Added | 2022-05-25
CISA KEV Deadline | 2022-06-15
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date | Event
2014-10-14 | Microsoft Security Bulletin MS14-056 released; CVE-2014-4123 patched
2014-10-15 | CVE-2014-4123 published by NVD
2022-05-25 | Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15 | CISA BOD 22-01 remediation deadline