CVE-2017-11903
published 2017-12-12

CVE-2017-11903: Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold…

Priority: P2, 65, high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: flagged
EPSS: 46.18% (98.7th percentile)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to gain the same user rights as the current user, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11905, CVE-2017-11907, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.

Affected (7 ranges)

Vendor      Product               Version range   Fixed in
microsoft   chakracore            < 1.7.5         1.7.5
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer
msrc        internet_explorer_10
msrc        internet_explorer_11
msrc        internet_explorer_9

Detection & IOCs (extracted from sources)

Process: jscript!NameTbl::GetValDef+0x58
Command: var vars = new Array(100); for(var i=0;i<100;i++) { vars[i] = new Array(500); } CollectGarbage(); [].join.call(vars[0]);
  • Use-After-Free triggered in jscript.dll via NameTbl::GetValDef when Array.join is called after garbage collection reclaims the underlying object; monitor for access violations at jscript!NameTbl::GetValDef+0x58 (mov rax,qword ptr [r14]) where r14 points to freed heap memory.
  • Crash call stack involves jscript!JsArrayJoin -> jscript!ConvertToString -> jscript!VAR::GetValue -> jscript!NameTbl::InvokeInternal -> jscript!NameTbl::GetValDef; alert on this call chain in jscript.dll crash telemetry or ETW traces.
  • Exploit is delivered via a specially crafted web page targeting Internet Explorer's jscript scripting engine; in a web-based attack scenario, monitor IE process (iexplore.exe) spawning child processes or loading jscript.dll with subsequent heap corruption events.
  • ActiveX controls marked 'safe for initialization' embedded in Office documents can also trigger the vulnerability via the IE rendering engine; monitor Office applications loading MSHTML/jscript.dll.
  • The exploit targets the legacy jscript.dll engine (not Chakra/JScript9); affected systems must have Internet Explorer configured to use the legacy scripting engine. The vulnerability is in Microsoft Scripting Engine as used by Internet Explorer.
  • Exploitation likelihood is rated 'More Likely' for both latest and older software releases per Microsoft's exploitability index; prioritize patching accordingly.
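The crash call chain in the notes above is what a crash-telemetry rule would key on. The following is an added example, not code from the page's sources or from Microsoft: it parses WinDbg-style stack dumps and flags a dump whose frames contain the reported chain, innermost frame first (jscript!NameTbl::GetValDef up through jscript!JsArrayJoin), and reports the faulting frame. The two sample dumps are constructed; only the symbol names of the chain and the +0x58 offset come from the page, every address, other offset and the <placeholder_caller> frame are made up.

```python
import re
from typing import List, Optional

# Call chain reported for CVE-2017-11903, listed as a stack dump shows it:
# innermost (faulting) frame first. Symbol names taken from the detection notes.
CVE_2017_11903_CHAIN = [
    "jscript!NameTbl::GetValDef",
    "jscript!NameTbl::InvokeInternal",
    "jscript!VAR::GetValue",
    "jscript!ConvertToString",
    "jscript!JsArrayJoin",
]

# module!symbol with an optional +0x<hex> offset, as printed by WinDbg's `k` command.
FRAME_RE = re.compile(
    r"(?P<sym>[A-Za-z0-9_]+![A-Za-z0-9_:<>~]+)(?:\+0x(?P<off>[0-9a-fA-F]+))?"
)


def parse_stack(dump: str) -> List[str]:
    """Return module!symbol names (offsets stripped), one per frame line, innermost first."""
    frames = []
    for line in dump.splitlines():
        m = FRAME_RE.search(line)
        if m:
            frames.append(m.group("sym"))
    return frames


def contains_chain(frames: List[str], chain: List[str]) -> bool:
    """True if every symbol of `chain` occurs in `frames` in order (gaps allowed)."""
    pos = 0
    for frame in frames:
        if pos < len(chain) and frame == chain[pos]:
            pos += 1
    return pos == len(chain)


def faulting_frame(dump: str) -> Optional[str]:
    """Innermost frame including its offset, e.g. 'jscript!NameTbl::GetValDef+0x58'."""
    for line in dump.splitlines():
        m = FRAME_RE.search(line)
        if m:
            return m.group(0)
    return None


def classify(dump: str) -> dict:
    """Summarise one crash dump: does it match the CVE-2017-11903 chain, and where did it fault?"""
    frames = parse_stack(dump)
    return {
        "chain_match": contains_chain(frames, CVE_2017_11903_CHAIN),
        "faulting_frame": faulting_frame(dump),
        "frames": frames,
    }


# Constructed sample: addresses, all offsets except +0x58, and frame 05 are invented.
SUSPICIOUS_DUMP = """\
 # Child-SP          RetAddr           Call Site
00 00000000`0a1fe3c0 00000000`6a2b1c44 jscript!NameTbl::GetValDef+0x58
01 00000000`0a1fe400 00000000`6a2b2e10 jscript!NameTbl::InvokeInternal+0x1a
02 00000000`0a1fe470 00000000`6a2b3f08 jscript!VAR::GetValue+0x3c
03 00000000`0a1fe4b0 00000000`6a2b5a20 jscript!ConvertToString+0x22
04 00000000`0a1fe4f0 00000000`6a2b7b90 jscript!JsArrayJoin+0x9d
05 00000000`0a1fe560 00000000`6a2c0100 jscript!<placeholder_caller>+0x41
"""

# Constructed sample of an unrelated jscript crash: Array.join is on the stack,
# but the fault is not in NameTbl::GetValDef, so the rule must not fire.
BENIGN_DUMP = """\
 # Child-SP          RetAddr           Call Site
00 00000000`0b2fe100 00000000`6a2b5a20 jscript!ConvertToString+0x22
01 00000000`0b2fe140 00000000`6a2b7b90 jscript!JsArrayJoin+0x9d
02 00000000`0b2fe1b0 00000000`6a2c0100 jscript!<placeholder_caller>+0x41
"""

if __name__ == "__main__":
    for name, dump in (("suspicious", SUSPICIOUS_DUMP), ("benign", BENIGN_DUMP)):
        result = classify(dump)
        print(f"{name}: chain_match={result['chain_match']} "
              f"faulting_frame={result['faulting_frame']}")
```

The subsequence check rather than an exact match is deliberate: real dumps carry extra frames (thunks, inlined helpers) between the named ones, and requiring adjacency would miss them. In a pipeline the same `contains_chain` can be fed the symbolised frames from an ETW or WER record instead of a text dump.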

CVSS provenance

Source        Version  Score  Severity  Vector
nvd           v3.0     7.5    HIGH      CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0     7.6    HIGH      AV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa                   7.5    HIGH
osv                    7.5    HIGH
vendor_msrc            6.4    MEDIUM