CVE-2017-0037
published 2017-02-26

Priority: P1 87 · Severity: high · Score: 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due date 2022-04-18
Exploited in the wild
EPSS: 80.39% (99.6th percentile)
Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

Affected

23 ranges

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft_corporation | internet_browser | |
microsoft_corporation | internet_explorer | |
msrc | internet_explorer_10_on_windows_server_2012 | |
msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_rt_8.1 | |
msrc | internet_explorer_11_on_windows_server_2012_r2 | |
msrc | internet_explorer_11_on_windows_server_2016 | |
msrc | microsoft_edge_on_windows_10_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | |

Detection & IOCs (extracted from sources)

path: mshtml.dll
command: document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa"; th1.align = "right";
snort: SIDs 41549-41556, 41561-41598, 41601-41602, 41605-41610, 41633-41634, 41763-41764, 41926-41961, 41964-41998
  • The trigger requires a crafted CSS token sequence combining float+column-count on one class, column-span:all on another, and a TH element whose alignment is changed via JavaScript; look for this DOM/CSS pattern in HTML content.
  • The PoC triggers the crash by setting mediaText to a long string of 'a' characters and then changing th1.align to 'right'; monitor for dynamic CSS mediaText manipulation combined with TH element alignment changes in browser script.
  • The exploit appends an iframe to a textarea element with an onreadystatechange handler to trigger the type confusion and obtain an info leak; monitor for iframes dynamically appended to textarea elements with readystatechange handlers.
  • The exploit uses ROP gadgets exclusively from PROPSYS.dll to bypass DEP/ASLR; PROPSYS.dll ROP chains (e.g., the XCHG EAX,ESP gadget at offset 0x0b473) in heap-spray content are a strong indicator of this exploit.
  • CVE-2017-0037 affects both Internet Explorer and Edge (fixed in MS17-006 for IE and MS17-007 for Edge) and was publicly disclosed before the patch shipped; prioritize detection on unpatched IE 10/11 and Edge systems.
  • The Snort SID ranges listed cover the entire March 2017 Patch Tuesday bulletin set (MS17-006 through MS17-023), not exclusively CVE-2017-0037; individual SID-to-CVE mapping requires consulting Snort.org or the Talos Management Center.
  • The ROP gadget addresses (e.g., base_leaked_addr + 0x0b473 for XCHG EAX,ESP in PROPSYS.dll) are relative to the leaked module base and vary per system under ASLR; the exploit performs an info leak first to compute the base address dynamically.
  • The exploit PoC targets 32-bit IE tab processes; the Edge crash path differs slightly ('Edge should crash when reading the same address while 32-bit IE tab process should crash in the same place but when reading a lower address').
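The bullets above describe a content pattern rather than a signature. As an added example (not from this page's sources, Snort, or any vendor tool), the following Node.js script turns that description into a heuristic scanner over raw HTML: it checks for the float+column-count rule, the column-span:all rule, a TH element, a long repeated-character mediaText assignment, a .align change, and the iframe-in-textarea/onreadystatechange construct, then combines them into a verdict. The two sample pages are constructed fixtures for the demo, not the public PoC, and the indicator names, weights and verdict labels are this example's own choices.

```javascript
// Added example (not from the page's sources or any vendor tool): a heuristic
// scanner for the CSS/DOM/script combination the Detection & IOCs bullets
// describe for CVE-2017-0037. Input is raw HTML text, e.g. a proxy-captured
// response body. These are regex heuristics, not a parser, so a hit is a
// triage lead rather than proof of exploitation. Both sample pages below are
// constructed for this demo; neither is the public PoC.

const INDICATORS = [
  // CSS: float and column-count declared in the same rule block (either order)
  { name: 'css_float_with_column_count', weight: 2,
    test: html => /\{[^}]*\bfloat\s*:[^}]*\bcolumn-count\s*:[^}]*\}/i.test(html)
               || /\{[^}]*\bcolumn-count\s*:[^}]*\bfloat\s*:[^}]*\}/i.test(html) },
  // CSS: a rule that spans all columns
  { name: 'css_column_span_all', weight: 1,
    test: html => /\bcolumn-span\s*:\s*all\b/i.test(html) },
  // DOM: a TH element in the markup (\b keeps <thead> from matching)
  { name: 'dom_th_element', weight: 1,
    test: html => /<th\b/i.test(html) },
  // Script: mediaText assigned a string of 16 or more copies of one character
  { name: 'js_long_mediatext', weight: 3,
    test: html => /\.media\.mediaText\s*=\s*(["'])(.)\2{15,}\1/i.test(html) },
  // Script: an element's alignment changed through the legacy .align property
  { name: 'js_align_change', weight: 2,
    test: html => /\.align\s*=\s*["'](?:right|left|center)["']/i.test(html) },
  // Script: iframe created, a textarea present, and a readystatechange handler
  { name: 'js_iframe_in_textarea', weight: 3,
    test: html => /createElement\s*\(\s*["']iframe["']\s*\)/i.test(html)
               && /<textarea\b|createElement\s*\(\s*["']textarea["']\s*\)/i.test(html)
               && /onreadystatechange/i.test(html) },
];

// Returns the indicators that fired, a weighted score, and a verdict label.
function scanHtml(html) {
  const hits = INDICATORS.filter(ind => ind.test(html));
  const matched = hits.map(ind => ind.name);
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  const maxScore = INDICATORS.reduce((sum, ind) => sum + ind.weight, 0);

  // Multi-column CSS with column-span is common on legitimate pages; the
  // signal is that layout pattern plus script-driven mediaText/align changes.
  const cssPattern = matched.includes('css_float_with_column_count')
                  && matched.includes('css_column_span_all')
                  && matched.includes('dom_th_element');
  const scriptTrigger = matched.includes('js_long_mediatext')
                     && matched.includes('js_align_change');

  let verdict = 'clean';
  if (cssPattern && scriptTrigger) verdict = 'likely_cve_2017_0037_trigger';
  else if (scriptTrigger || matched.includes('js_iframe_in_textarea')) verdict = 'suspicious';
  else if (cssPattern) verdict = 'layout_only';
  return { verdict, score, maxScore, matched };
}

// Constructed fixture: every indicator from the IOC bullets in one page.
const SUSPICIOUS_PAGE = `<!DOCTYPE html><html><head><style>
.a { float: left; column-count: 5; }
.b { column-span: all; }
</style></head><body>
<table><tr><th id="th1" class="a">x</th></tr></table>
<textarea id="ta"></textarea>
<script>
var f = document.createElement("iframe");
f.onreadystatechange = function () { };
document.getElementById("ta").appendChild(f);
document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
th1.align = "right";
</script></body></html>`;

// Constructed fixture: an ordinary multi-column layout with no script.
const BENIGN_PAGE = `<html><head><style>
.cols { column-count: 3; }
h2 { column-span: all; }
</style></head><body><div class="cols"><h2>t</h2><p>text</p></div></body></html>`;

console.log(JSON.stringify(scanHtml(SUSPICIOUS_PAGE)));
console.log(JSON.stringify(scanHtml(BENIGN_PAGE)));
```

Run it with `node scan.js` after saving the block; in practice you would feed it response bodies from a proxy log or a sandbox capture. The verdict tiers exist so that a page using column-span:all for a headline does not page anyone: only the layout pattern together with the script-side mediaText and .align manipulation is reported as a likely trigger, and the iframe/textarea construct alone is surfaced as suspicious for analyst review.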

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck | | 8.1 | HIGH |
cisa | | 8.1 | HIGH |
vendor_msrc | | 6.4 | MEDIUM |