CVE-2017-11907
published 2017-12-12

CVE-2017-11907: Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold…

Priority: P269, high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: EPSS 64.16% (percentile 99.1)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to gain the same user rights as the current user, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11905, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.

Affected (7 ranges)

Vendor      Product               Version range   Fixed in
microsoft   chakracore            < 1.7.5         1.7.5
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer
msrc        internet_explorer_10
msrc        internet_explorer_11
msrc        internet_explorer_9

Detection & IOCs (extracted from sources)

process: jscript!JsArrayStringHeapSort
process: jscript!JsArraySort
  • The vulnerability is a heap overflow in jscript.dll's Array.sort implementation. Monitor for Internet Explorer crashes or access violations in jscript.dll whose faulting frame is jscript!JsArrayStringHeapSort or jscript!NameTbl::GetValCore.
  • An access violation (exception code c0000005) in jscript.dll with a call stack in which JsArrayStringHeapSort is reached from JsArraySort is a strong indicator of an exploitation attempt against CVE-2017-11907.
  • The corrupted register value rax=c0c0c0c0c0c00003 seen in the proof-of-concept crash is a recognisable attacker-controlled fill pattern; its presence in a crash dump associated with jscript.dll points to that PoC or a derivative having run rather than to an ordinary stability bug.
  • The exploitation path runs through Internet Explorer's MSHTML rendering engine, which hands script to jscript via CActiveScriptHolder::ParseScriptText. Delivery is web-based, via a specially crafted website or an ActiveX control marked "safe for initialization", so both should be monitored.
  • The public proof-of-concept targets jscript.dll, the legacy JScript engine used by Internet Explorer, not Chakra/Edge. Detection should therefore focus on the iexplore.exe process context rather than msedge.exe or chakra.dll. Note that the Affected list above also names chakracore < 1.7.5; the public PoC does not exercise it.
  • Microsoft's exploitability assessment rates this "Exploitation More Likely" for both the latest and older software releases, meaning active weaponisation was considered probable at patch time.
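The indicators above can be turned into a triage rule for crash reports. The following is an added example, not code from this page or from any vendor: it parses a WinDbg-style crash summary (the layout, the frame offsets, the placeholder frame names and every register value other than rax are constructed for the example) and grades it against the page's criteria: iexplore.exe, exception c0000005, faulting module jscript.dll, a faulting frame of JsArrayStringHeapSort or NameTbl::GetValCore reached from JsArraySort, the rax fill pattern, and the ParseScriptText delivery frame. Edge/Chakra crashes are deliberately rejected, as the page advises.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Indicator values are the ones listed in the Detection & IOCs section;
# the report layout, frame offsets and placeholder frames are constructed.
TARGET_PROCESS = "iexplore.exe"
ACCESS_VIOLATION = "c0000005"
FAULTING_MODULE = "jscript.dll"
FAULTING_FRAMES = {"jscript!JsArrayStringHeapSort", "jscript!NameTbl::GetValCore"}
SORT_FRAME = "jscript!JsArraySort"
DELIVERY_FRAME = "mshtml!CActiveScriptHolder::ParseScriptText"
MARKER_VALUE = "c0c0c0c0c0c00003"  # rax value reported for the PoC crash

# "00 module!Symbol+0x1c2" -> "module!Symbol"; frame index and offset optional.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{2}\s+)?([A-Za-z_]\w*![\w:~<>]+)(?:\+0x[0-9a-f]+)?$")
# "rax=c0c0c0c0c0c00003 rbx=..." register dump lines.
REG_RE = re.compile(r"\b(r[a-z0-9]{2}|e[a-z]{2})=([0-9a-fA-F]+)\b")


@dataclass
class CrashReport:
    process: str = ""
    exception_code: str = ""
    module: str = ""
    registers: Dict[str, str] = field(default_factory=dict)
    frames: List[str] = field(default_factory=list)  # innermost frame first


def parse_crash_report(text: str) -> CrashReport:
    """Parse the constructed 'Key: value' header, register line and stack frames."""
    report = CrashReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Process", "ExceptionCode", "FaultingModule"):
            value = value.strip().lower()
            if key == "Process":
                report.process = value
            elif key == "ExceptionCode":
                report.exception_code = value[2:] if value.startswith("0x") else value
            else:
                report.module = value
            continue
        regs = REG_RE.findall(line)
        if regs:
            report.registers.update({name.lower(): val.lower() for name, val in regs})
            continue
        frame = FRAME_RE.match(line)
        if frame:
            report.frames.append(frame.group(1))
    return report


def assess(report: CrashReport) -> Tuple[str, List[str]]:
    """Grade a report as 'strong', 'weak' or 'none' for CVE-2017-11907, with reasons."""
    if report.process != TARGET_PROCESS or report.module != FAULTING_MODULE:
        return "none", ["not an iexplore.exe crash in jscript.dll; Edge/Chakra is out of scope"]
    if report.exception_code != ACCESS_VIOLATION:
        return "none", [f"exception {report.exception_code or '?'} is not an access violation"]
    top = report.frames[0] if report.frames else ""
    on_sort_path = top in FAULTING_FRAMES and SORT_FRAME in report.frames[1:]
    reasons: List[str] = []
    if on_sort_path:
        reasons.append(f"fault in {top} reached from {SORT_FRAME}")
    if report.registers.get("rax") == MARKER_VALUE:
        reasons.append(f"rax holds the PoC fill pattern {MARKER_VALUE}")
    if DELIVERY_FRAME in report.frames:
        reasons.append(f"script entered jscript via {DELIVERY_FRAME} (web delivery path)")
    if on_sort_path:
        return "strong", reasons
    return "weak", ["access violation in jscript.dll but not on the Array.sort path"] + reasons


# Constructed sample reports (not real crash dumps).
SAMPLE_HIT = """\
Process: iexplore.exe
ExceptionCode: 0xc0000005
FaultingModule: jscript.dll
rax=c0c0c0c0c0c00003 rbx=0000000000000000 rcx=0000000000000001
STACK_TEXT:
00 jscript!JsArrayStringHeapSort+0x1c2
01 jscript!JsArraySort+0x2a8
02 mshtml!CActiveScriptHolder::ParseScriptText+0x70
"""

SAMPLE_EDGE = """\
Process: msedge.exe
ExceptionCode: 0xc0000005
FaultingModule: chakra.dll
00 chakra!PlaceholderFrame+0x10
"""

SAMPLE_OTHER = """\
Process: iexplore.exe
ExceptionCode: 0xc0000005
FaultingModule: jscript.dll
rax=0000000000000000
00 jscript!PlaceholderFrame+0x10
01 mshtml!CActiveScriptHolder::ParseScriptText+0x70
"""

if __name__ == "__main__":
    for name, sample in (("hit", SAMPLE_HIT), ("edge", SAMPLE_EDGE), ("other", SAMPLE_OTHER)):
        verdict, reasons = assess(parse_crash_report(sample))
        print(f"{name}: {verdict}; " + "; ".join(reasons))
```

The verdict deliberately stays "weak" for any other access violation in jscript.dll: the page's strong indicator is the specific JsArrayStringHeapSort/JsArraySort call path, and an unrelated jscript crash should be triaged, not alerted on as CVE-2017-11907.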

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      7.6     HIGH       AV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa                    7.5     HIGH
osv                     7.5     HIGH
vendor_msrc             6.4     MEDIUM