CVE-2017-11855
published 2017-11-15

CVE-2017-11855: Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold…

Priority: P2 (64, high)
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 47.91% (98.7th percentile)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to gain the same user rights as the current user, due to how Internet Explorer handles objects in memory, aka "Internet Explorer Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11856.

Affected

7 ranges

Vendor                  Product                Version range   Fixed in
microsoft               internet_explorer
microsoft               internet_explorer
microsoft               internet_explorer
microsoft_corporation   internet_explorer
msrc                    internet_explorer_10
msrc                    internet_explorer_11
msrc                    internet_explorer_9

Detection & IOCs (extracted from sources)

command: var x = new URIError(new Array(), undefined, undefined); String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined)); Array.prototype.slice.call(1);
process: jscript!JsArraySlice
  • The vulnerability is triggered via jscript!JsArraySlice when JsArraySlice() expects NameTBL::GetVal() to return an integer but receives an uninitialized/non-integer type, leading to memory corruption. Monitor for crash/AV at jscript!InvokeDispatch+0xbd.
  • Exploit PoC uses a combination of URIError constructed with an Array, String.prototype.localeCompare called on the error object with a Date, and Array.prototype.slice called on a non-array (integer 1) to trigger the uninitialized variable condition in jscript.
  • Affected component is Internet Explorer 9, 10, and 11 via the jscript engine (jscript.dll). Detection should focus on jscript!JsArraySlice call chains involving ConvertToScalar and InvokeDispatch.
  • Exploitation requires user interaction — the attacker must convince a user to visit a specially crafted website or open a malicious attachment; there is no drive-by without user action.
  • At time of patch release, the vulnerability was not observed as exploited in the wild, though exploitation was rated 'More Likely' for both latest and older software releases.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      7.6     HIGH       AV:N/AC:H/Au:N/C:C/I:C/A:C
vendor_msrc             6.4     MEDIUM