CVE-2017-11793
published 2017-10-13

CVE-2017-11793: Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold…

Priority: P268 high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 48.91% (98.7th percentile)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11792, CVE-2017-11796, CVE-2017-11798, CVE-2017-11799, CVE-2017-11800, CVE-2017-11801, CVE-2017-11802, CVE-2017-11804, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11810, CVE-2017-11811, CVE-2017-11812, and CVE-2017-11821.

Affected

24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | chakracore | < 1.7.3 | 1.7.3 |
| microsoft | chakracore | <= 1.7.2 | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| msrc | internet_explorer_10_on_windows_server_2012 | | |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1703_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1703_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_7_for_32-bit_systems_service_pack_1 | | |
| msrc | internet_explorer_11_on_windows_7_for_x64-based_systems_service_pack_1 | | |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_rt_8.1 | | |
| msrc | internet_explorer_11_on_windows_server_2008_r2_for_x64-based_systems_service_pac | | |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | | |
| msrc | internet_explorer_11_on_windows_server_2016 | | |
| msrc | internet_explorer_9_on_windows_server_2008_for_32-bit_systems_service_pack_2 | | |
| msrc | internet_explorer_9_on_windows_server_2008_for_x64-based_systems_service_pack_2 | | |

Detection & IOCs (extracted from sources)

process: jscript!JSONStringifyArray+0x38f
command: JSON.stringify(o1) with toJSON callback invoking CollectGarbage()
  • The vulnerability is a Use-After-Free in jscript!JSONStringifyObject triggered by a toJSON callback that calls CollectGarbage() during JSON.stringify execution, freeing an object still referenced by JSONStringifyArray. Monitor for jscript.dll crash/AV at JSONStringifyArray+0x38f (access violation c0000005).
  • The freed allocation falls within a DPH_HEAP_BLOCK and was freed via the jscript!GcAlloc::ReclaimGarbage -> jscript!GcContext::Reclaim -> jscript!GcContext::CollectCore call chain. Detection should look for GC invocation inside a toJSON callback during JSON serialization.
  • Palo Alto Networks released IPS signatures for CVE-2017-11793 under their Threat Prevention subscription. Customers should ensure IPS signatures for this CVE are active.
  • Affected products are Internet Explorer 9, 10, and 11 only (legacy jscript.dll engine). Microsoft Edge and ChakraCore are NOT affected by this specific CVE.
  • The exploit requires a web-based attack scenario where the victim browses to a specially crafted page, or an attacker embeds an ActiveX control marked 'safe for initialization' in an Office document hosting the IE rendering engine.
  • Microsoft assessed exploitation as 'More Likely' for both latest and older software releases at time of disclosure, though no in-the-wild exploitation was confirmed.

CVSS provenance

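| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vendor_msrc | | 3.1 | LOW | |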