cbcvebase.
CVE-2017-0070
published 2017-03-17

CVE-2017-0070: A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers…

Priority P268 · high · 7.5 CVSS 3.0
AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 78.54% (99.5th percentile)
A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability is different from those described in CVE-2017-0010, CVE-2017-0015, CVE-2017-0032, CVE-2017-0035, CVE-2017-0067, CVE-2017-0071, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0141, CVE-2017-0150, and CVE-2017-0151.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
microsoft_corporation | browser | |
msrc | microsoft_edge_on_windows_10_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | |

Detection & IOCs (extracted from sources)

url: https://abc.xyz/
  • CVE-2017-0070 PoC triggers a Use-After-Free in Microsoft Edge's JavaScript JIT engine by calling window.__lookupGetter__ on a cross-origin iframe's contentWindow, causing RIP to jump into freed JIT code.
  • Exploit pattern involves creating an iframe, navigating it to 'about:blank', then invoking window.__lookupGetter__("defaultStatus").call(f.contentWindow) to obtain a cross-origin object and chain .constructor.constructor to obtain Function constructor for arbitrary code execution.
  • Exploit targets specifically Microsoft Edge version 38.14393.0.0; detections should flag this version in browser telemetry or crash reports associated with JIT memory corruption.
  • Attack vector is web-based: attacker hosts a specially crafted website or embeds an ActiveX control marked 'safe for initialization' in an Office document hosting the IE rendering engine to trigger the vulnerability.
  • At time of advisory publication, the vulnerability had NOT been observed exploited in the wild; exploitation was rated 'More Likely' only for the latest software release.

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck | 7.5 | HIGH
vendor_msrc | 4.2 | MEDIUM