CVE-2017-11873
published 2017-11-15

CVE-2017-11873: ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to gain the same…

Priority: P269 (high)
CVSS 3.0: 7.5, vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 69.80% (99.3th percentile)
ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to gain the same user rights as the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11840, CVE-2017-11841, CVE-2017-11843, CVE-2017-11846, CVE-2017-11858, CVE-2017-11859, CVE-2017-11861, CVE-2017-11862, CVE-2017-11866, CVE-2017-11869, CVE-2017-11870, and CVE-2017-11871.

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | | |
| msrc | chakracore | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1703_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1703_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1709_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1709_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_server_2016 | | |

Detection & IOCs (extracted from sources)

command: function opt(
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Type Confusion Microsoft Edge (CVE-2017-11873)"; flow:established,to_client; file.data; content:"[1.1, 2.2"; fast_pattern; pcre:"/^(?:\]|, 3\.3\])\x3b/R"; content:"Array(100)"; content:"i = 0|3b| i < 100"; content:"function opt("; reference:url,raw.githubusercontent.com/theori-io/pwnjs/master/examples/CVE-2017-11873.js; reference:cve,2017-11873; classtype:attempted-user; sid:2024993; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, cve CVE_2017_11873, deployment Perimeter, performance_impact Significant, confidence High, signature_severity Major, updated_at 2024_03_14;)
bytes: [1.1, 2.2
bytes: Array(100)
bytes: i = 0|3b| i < 100
  • The exploit payload is delivered over HTTP to the client (browser). Network detection should inspect HTTP response bodies (file.data) for the characteristic JavaScript patterns used in the OP_Memset type confusion exploit.
  • The vulnerability is triggered via a specially crafted website or compromised site hosting malicious JavaScript targeting Microsoft Edge's Chakra JIT engine (OP_Memset type confusion). Social engineering is required to lure the user to the page.
  • The exploit abuses ChakraCore's JIT compiler via OP_Memset type confusion. Monitor for Edge/ChakraCore processes spawning unexpected child processes or exhibiting anomalous memory behavior following JavaScript execution.
  • A public proof-of-concept exploit exists (Exploit-DB 43154 and theori-io/pwnjs). Treat any network traffic matching the Snort SID 2024993 signature as a high-confidence exploitation attempt.
  • The Snort rule uses 'file.data' for HTTP response body inspection and a PCRE with relative matching (/R flag). Ensure your IDS/IPS is configured to perform full HTTP response body reassembly and supports PCRE relative matching; otherwise the rule will not fire correctly.
  • The rule metadata flags 'performance_impact Significant'; enabling this rule at perimeter scale may introduce latency. Tune deployment accordingly.
  • Microsoft's exploit status notes 'Latest Software Release: Exploitation More Likely'. Prioritize patching to ChakraCore v1.7.4 or applying KB4048954/KB4048952/KB4048953/KB4048955 as applicable.
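The rule's matching logic can be replayed offline against saved response bodies to check coverage and tuning. The following is an added example, not code from this page or from the ruleset's authors; the function names are hypothetical and the sample bodies are constructed, non-functional fragments. It assumes unanchored `content` keywords match anywhere in the buffer and that the relative PCRE starts at the byte after `[1.1, 2.2`.

```python
import gzip
import re

# Conditions of SID 2024993 as quoted on this page; all are case-sensitive.
# content:"[1.1, 2.2" plus the relative PCRE collapse into one regex, because
# /R starts the PCRE at the byte right after the preceding content match.
ANCHOR = re.compile(rb"\[1\.1, 2\.2(?:\]|, 3\.3\]);")
CONTENTS = {
    "Array(100)": b"Array(100)",
    "i = 0|3b| i < 100": b"i = 0; i < 100",  # |3b| is hex for ';'
    "function opt(": b"function opt(",
}

def decode_body(raw: bytes, content_encoding: str = "") -> bytes:
    """Approximate the IDS file.data buffer: undo gzip before matching."""
    if content_encoding.lower() == "gzip":
        return gzip.decompress(raw)
    return raw

def evaluate(body: bytes) -> dict:
    """Return each rule condition and whether it holds for this body."""
    result = {"[1.1, 2.2 + pcre": ANCHOR.search(body) is not None}
    for name, needle in CONTENTS.items():
        result[name] = needle in body
    return result

def rule_matches(body: bytes) -> bool:
    """True only when every condition of the rule holds, as in the IDS."""
    return all(evaluate(body).values())

# Constructed sample bodies (harmless fragments, only for testing the matcher).
SAMPLE_HIT = (b"<script>function opt(a) {}\nvar x = [1.1, 2.2, 3.3];\n"
              b"var y = new Array(100);\nfor (var i = 0; i < 100; i++) {}</script>")
SAMPLE_NEAR_MISS = SAMPLE_HIT.replace(b"[1.1, 2.2, 3.3];", b"[1.1, 2.2, 3.3, 4.4];")
SAMPLE_GZIPPED = gzip.compress(SAMPLE_HIT)

if __name__ == "__main__":
    for label, body in [("hit", SAMPLE_HIT), ("near miss", SAMPLE_NEAR_MISS),
                        ("gzip, undecoded", SAMPLE_GZIPPED),
                        ("gzip, decoded", decode_body(SAMPLE_GZIPPED, "gzip"))]:
        print(f"{label:16} match={rule_matches(body)} {evaluate(body)}")
```

The undecoded gzip case shows why response body normalisation matters: the same page content produces no match until the body is decompressed.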

CVSS provenance

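| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_msrc | | 4.2 | MEDIUM | |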