CVE-2017-0202
published 2017-04-12


Priority: P2 · 66 · high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 45.65% (98.6th percentile)
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, a.k.a. "Internet Explorer Memory Corruption Vulnerability."

Affected

18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | | |
| microsoft_corporation | internet_explorer | | |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1703_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1703_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_7_for_32-bit_systems_service_pack_1 | | |
| msrc | internet_explorer_11_on_windows_7_for_x64-based_systems_service_pack_1 | | |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_rt_8.1 | | |
| msrc | internet_explorer_11_on_windows_server_2008_r2_for_x64-based_systems_service_pac | | |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | | |
| msrc | internet_explorer_11_on_windows_server_2016 | | |

Detection & IOCs (extracted from sources)

process: MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77
bytes: 8bb824010000
  • Crash/memory corruption occurs in MSHTML!CStyleSheetArray::BuildListOfMatchedRules when document.head.innerHTML is overwritten while a CSS transition-duration is active and fgColor/setAttribute are manipulated — monitor for IE renderer crashes at this symbol offset.
  • The exploit PoC triggers the vulnerability via a combination of CSS transition-duration, document.fgColor assignment, element.setAttribute, and document.head.innerHTML reassignment — detect pages combining these JS/CSS patterns in IE.
  • CSS property 'transition-duration: 61s' is used in the PoC to set up the vulnerable state — anomalously large or unusual transition-duration values in pages targeting IE may indicate exploitation attempts.
  • The call stack shows the crash originates in the IE render thread via CRenderThread::RenderThread — look for abnormal IE render thread crashes involving CStyleSheetArray and CElement::ApplyStyleSheets in crash telemetry.
  • Affected version is Internet Explorer 11.576.14393.0 — flag unpatched IE11 instances at this version for prioritized patching and network-level monitoring.
  • Exploit status from Microsoft indicates 'Exploitation More Likely' for both latest and older software releases, but as of advisory publication it was not yet observed as exploited in the wild.
  • The vulnerability requires user interaction — an attacker must convince the user to visit a crafted page or open a malicious attachment; drive-by exploitation without user action is not possible.

CVSS provenance

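| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| vendor_msrc | | 6.0 | MEDIUM | |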