CVE-2014-6332 — Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability

CVE-2014-6332

Windows OleAut32 — 'God Mode': VBScript SafeArray Memory Corruption in IE Enables Drive-By RCE Bypassing ASLR and DEP

What Is OLE Automation?

OLE Automation (implemented in OleAut32.dll) is a Windows technology that allows applications to expose their objects and functionality for programmatic access from scripting environments — most notably VBScript and JavaScript in Internet Explorer. The SAFEARRAY is a fundamental OLE Automation data type used to pass arrays of data between scripting engines and COM objects. A memory corruption bug in SAFEARRAY handling that is reachable from browser scripting represents a powerful remote code execution primitive — triggering it is as simple as a victim visiting a web page.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-6332 is a memory corruption vulnerability in OleAut32.dll's SAFEARRAY handling, exploitable from Internet Explorer via VBScript. Nicknamed "God Mode" by some researchers, the vulnerability was notable for a highly reliable exploit technique discovered alongside it — a VBScript-based method that bypassed both ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) without requiring any information leak or ROP chain, using only VBScript. This reliability made it a prize acquisition for exploit kit operators: Angler and Nuclear exploit kits incorporated it rapidly after disclosure. Patched in MS14-064 (November 11, 2014).

Affected Versions

Windows | Status
Windows Vista through Windows 8.1 | Vulnerable
Windows Server 2003 through 2012 R2 | Vulnerable
Internet Explorer | All versions on affected Windows

Fixed in MS14-064.

Technical Details

Root Cause: SAFEARRAY Bounds Corruption

OleAut32.dll manages SAFEARRAY objects — COM arrays with bounds metadata — used extensively by VBScript and other scripting engines. The vulnerability involves improper handling of a SAFEARRAY in a specific code path when the array is resized or manipulated through COM interfaces. The memory corruption allows an attacker to:

  1. Create a SAFEARRAY with controlled bounds metadata
  2. Use VBScript's COM object interaction to trigger the corruption
  3. Access out-of-bounds memory via the corrupted array, gaining an arbitrary read/write primitive

The "VBScript God Mode" ASLR/DEP Bypass

What made CVE-2014-6332 particularly powerful was a bypass technique discovered by Robert Freeman (IBM X-Force) that used the arbitrary read/write primitive to:

  • Locate the VBScript engine's function table in memory (bypassing ASLR without a dedicated info leak)
  • Overwrite a VBScript function pointer with attacker-controlled values (bypassing DEP by writing to data structures rather than marking pages executable)
  • Execute arbitrary code directly from VBScript without shellcode

This technique could be implemented in ~50 lines of VBScript, making it highly portable and reliable across IE versions. Proof-of-concept exploit code circulated rapidly after the public disclosure.

Exploit Kit Integration

Within days to weeks of MS14-064 being published, major exploit kits had added CVE-2014-6332 modules:

  • Angler Exploit Kit: One of the most sophisticated EKs of the era, quickly adopted the reliable VBScript-based exploit
  • Nuclear Exploit Kit: Similarly incorporated within weeks
  • Magnitude Exploit Kit: Also added support

Exploit kit adoption means the vulnerability transitioned from targeted use to mass criminal exploitation via malvertising and compromised websites.

Attack Characteristics

Attribute | Detail
Attack Vector | Network — drive-by from malicious/compromised web page
Browser | Internet Explorer (via VBScript)
ASLR Bypass | Yes — without information leak
DEP Bypass | Yes — via VBScript technique
Reliability | High — "God Mode" technique worked across IE versions
Exploit Kits | Angler, Nuclear, Magnitude

Discovery

Discovered and reported to Microsoft by Robert Freeman of IBM X-Force on November 6, 2014. IBM published technical details alongside the patch release.

Exploitation Context

  • Exploit kit campaigns: After rapid integration into Angler and Nuclear, CVE-2014-6332 was used in mass malvertising campaigns delivering ransomware, banking trojans, and backdoors to IE users on unpatched Windows
  • Reliable ASLR/DEP bypass: The "God Mode" technique's reliability without requiring additional information leaks made it more dependable than many contemporaneous exploits, increasing its adoption
  • Long exploitation lifetime: Exploit kits continued using this vulnerability until IE's user share dropped significantly, and unpatched systems remained targets
  • CISA KEV (2022): Added March 2022 — confirming continued use against legacy Internet Explorer and Windows deployments

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS14-064 (November 2014) — patches both CVE-2014-6332 and CVE-2014-6352 (the related OLE code injection vulnerability).

  2. Retire Internet Explorer. Microsoft ended IE support June 15, 2022. Any active use of IE exposes users to unfixed vulnerabilities including this class of OLE Automation bugs.

  3. Disable VBScript in IE (if IE must be used): VBScript can be disabled in Internet Options → Security → Custom Level → Scripting → Active scripting → Disable. Note this breaks many legacy intranet apps.

  4. Enable Enhanced Protected Mode (EPM) in IE 10/11 to limit the damage that exploit code can do even if exploitation succeeds.

  5. Network-level protection: Web proxy/firewall rules to block access to known malvertising and exploit kit domains. Anti-exploit tooling (Malwarebytes Anti-Exploit, EMET) provides additional runtime protection.

Key Details

Property | Value
CVE ID | CVE-2014-6332
Vendor / Product | Microsoft — Windows
NVD Published | 2014-11-11
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added | 2022-03-25
CISA KEV Deadline | 2022-04-15
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date | Event
2014-11-06 | Robert Freeman of IBM X-Force reports the vulnerability to Microsoft
2014-11-11 | Microsoft Security Bulletin MS14-064 released; CVE-2014-6332 patched
2014-11-11 | CVE-2014-6332 published by NVD; IBM X-Force blog published
2014-12-01 | Exploit incorporated into major exploit kits (Angler, Nuclear) rapidly after public disclosure
2022-03-25 | Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15 | CISA BOD 22-01 remediation deadline