Allegedly, Chinese hackers combined it with a remote-code execution vulnerability in Adobe Flash to infect visitors to the Forbes website with malware since November, 2014.
Vulnerable component: Microsoft Internet Explorer
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass ASLR mechanism and predict memory locations that if connected with another vulnerability allows to execute arbitrary code.
Successful exploitation of this vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Known APT campaigns:
US Defense and Financial Services firms breach
The attack reffers to a Chinese actor group Codoso (according to iSIGHT Partners), Sunshop Group (according to FireEye).
Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.