CVE-2017-11906
Published 2017-12-12
Priority P346 · medium · 5.3 (CVSS 3.0)
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 25.12% (97.7th percentile)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-11887 and CVE-2017-11919.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | chakracore | < 1.7.5 | 1.7.5 |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| msrc | internet_explorer_10 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
Detection & IOCs (extracted from sources)
- Trigger is a JavaScript RegExp constructed with ~99 capturing groups (Array(100).join('()')) followed by ''.search(r) and access of RegExp.lastParen. Monitor for jscript.dll executing RegExpFncObj::LastParen with an out-of-bounds group index (rax=0x63 / 99 groups).
- Crash/AV occurs inside jscript!RegExpFncObj::LastParen at offset +0x43 via a movsxd instruction reading dword ptr [rbx+rcx*8+0ACh]. An access violation at this location in jscript.dll is a strong indicator of CVE-2017-11906 exploitation.
- Call stack for exploitation runs through jscript!COleScript::ParseScriptText → MSHTML!CActiveScriptHolder::ParseScriptText → MSHTML!CScriptCollection::ParseScriptText; detecting this chain in Internet Explorer crash telemetry indicates in-browser jscript OOB read.
- Vulnerability is in the Microsoft Scripting Engine (jscript.dll) as used by Internet Explorer; exploitation is rated 'Exploitation More Likely' for both latest and older software releases. Prioritise patching KB4054520, KB4052978, KB4053580, KB4053581, KB4053578, KB4053579, KB4054518, KB4054519, KB4054517.
- The exploit PoC targets the legacy jscript engine (jscript.dll), not Chakra/ChakraCore; it is triggered only when Internet Explorer uses the legacy scripting engine, not Edge or ChakraCore-based hosts.
- CVE-2017-11906 is distinct from CVE-2017-11887 and CVE-2017-11919, which are separate Scripting Engine Information Disclosure vulnerabilities; ensure detection rules do not conflate these three CVEs.
- Exploitation requires user interaction: an attacker must trick the user into visiting a malicious or compromised website; drive-by exploitation without user action is not possible.
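The crash indicators above can be checked mechanically when triaging Internet Explorer crash stacks. The following is an added example, not code from this page or from Microsoft: it assumes debugger-style text frames of the form `module!symbol+0xNN`, and the sample stack (addresses and the `PlaceholderFrame` entry) is constructed for illustration.

```python
import re

# Indicators from the page's "Detection & IOCs" list.
FAULT_SYMBOL = "jscript!RegExpFncObj::LastParen"
FAULT_OFFSET = 0x43  # offset in the page's crash; assumed to vary across builds
CALL_CHAIN = [       # innermost first, the order frames appear in a stack listing
    "jscript!COleScript::ParseScriptText",
    "MSHTML!CActiveScriptHolder::ParseScriptText",
    "MSHTML!CScriptCollection::ParseScriptText",
]
FRAME_RE = re.compile(r"(?P<sym>\w+![\w:~<>]+)(?:\+0x(?P<off>[0-9a-fA-F]+))?")

# Constructed sample: addresses and PlaceholderFrame are made up.
SAMPLE_STACK = """\
00 000000a1`0000f000 00007ff8`00001111 jscript!RegExpFncObj::LastParen+0x43
01 000000a1`0000f040 00007ff8`00002222 jscript!PlaceholderFrame+0x1a
02 000000a1`0000f080 00007ff8`00003333 jscript!COleScript::ParseScriptText+0x20
03 000000a1`0000f0c0 00007ff8`00004444 MSHTML!CActiveScriptHolder::ParseScriptText+0x30
04 000000a1`0000f100 00007ff8`00005555 MSHTML!CScriptCollection::ParseScriptText+0x40
"""

def parse_frames(stack_text):
    """Return [(symbol, offset or None)] for every line holding a frame."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            off = int(m.group("off"), 16) if m.group("off") else None
            frames.append((m.group("sym"), off))
    return frames

def chain_in_order(symbols, chain):
    """True if chain is an ordered subsequence of symbols (gaps allowed)."""
    it = iter(s.lower() for s in symbols)
    return all(any(s == want.lower() for s in it) for want in chain)

def classify(stack_text):
    """'strong': faulting frame, offset and caller chain all match the page.
    'possible': faulting function matches, offset or chain differs.
    'no-match': top frame is elsewhere (e.g. jscript9 or Chakra)."""
    frames = parse_frames(stack_text)
    if not frames:
        return "no-frames"
    top_sym, top_off = frames[0]
    if top_sym.lower() != FAULT_SYMBOL.lower():
        return "no-match"
    chain_ok = chain_in_order([s for s, _ in frames[1:]], CALL_CHAIN)
    return "strong" if top_off == FAULT_OFFSET and chain_ok else "possible"
```

Matching on the exact module name keeps crashes in other scripting engines out of the result, in line with the note that only the legacy jscript.dll is affected.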
CVSS provenance
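| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
| vendor_msrc | - | 2.4 | LOW | - |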
GHSA
GHSA-gj97-p9vj-fmwj · ghsa_unreviewed · 2022-05-14 · CVSS 5.3
CVE-2017-11906 [MEDIUM] CWE-200
GHSA
GHSA-6w28-cfm8-7667 · ghsa_unreviewed · 2022-05-14 · CVSS 5.3
CVE-2017-11887 [MEDIUM] CWE-200
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-11906 and CVE-2017-11919.
GHSA
GHSA-r7cg-pp63-f4xg · ghsa_unreviewed · 2022-05-14 · CVSS 5.3
CVE-2017-11919 [MEDIUM] CWE-200
ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016, and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how the scripting engine handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-11887 and CVE-2017-11906.
Microsoft
Internet Explorer Information Disclosure Vulnerability
vendor_msrc·2017-12-12·CVSS 2.4
CVE-2017-11906 [MEDIUM]
Description: An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.
To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an at
No detection rules found.
- http://www.securityfocus.com/bid/102078
- http://www.securitytracker.com/id/1039993
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11906
- https://www.exploit-db.com/exploits/43372/