CVE-2017-8618
published 2017-07-11

CVE-2017-8618: Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511…

Priority: P266 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 58.08% (99.0th percentile)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 contains a vulnerability in the way affected Microsoft scripting engines render when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This CVE ID is unique from CVE-2017-8596, CVE-2017-8610, CVE-2017-8601, CVE-2017-8603, CVE-2017-8604, CVE-2017-8605, CVE-2017-8606, CVE-2017-8607, CVE-2017-8608, CVE-2017-8619, CVE-2017-9598 and CVE-2017-8609.

Affected

23 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft_corporation | windows_10_1703 | |
msrc | internet_explorer_10_on_windows_server_2012 | |
msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_10_version_1703_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_version_1703_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_7_for_32-bit_systems_service_pack_1 | |
msrc | internet_explorer_11_on_windows_7_for_x64-based_systems_service_pack_1 | |
msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_rt_8.1 | |
msrc | internet_explorer_11_on_windows_server_2008_r2_for_x64-based_systems_service_pac | |
msrc | internet_explorer_11_on_windows_server_2012_r2 | |
msrc | internet_explorer_11_on_windows_server_2016 | |
msrc | internet_explorer_9_on_windows_server_2008_for_32-bit_systems_service_pack_2 | |
msrc | internet_explorer_9_on_windows_server_2008_for_x64-based_systems_service_pack_2 | |

Detection & IOCs (extracted from sources)

  • Trigger condition: VBScript arithmetic functions (VbsVarMod, VbsVarAdd, VbsVarSub, VbsVarMul, VbsVarDiv, VbsVarIDiv, VbsVarPow) are exploited via type confusion when a Default Property Get callback changes a variable to an Array (vartype 8192) during PvarGetArithVal(), causing out-of-bounds access in the result lookup table.
  • PoC exploit pattern: VBScript using a Class with a Default Property Get that reassigns a variable to an Array mid-operation, then performs a `mod` operation between an integer and the class instance to trigger the type confusion.
  • Affected component and version: vbscript.dll as used in Internet Explorer 11.1066.14393.0 (Update version 11.0.41) on 64-bit Windows 10; result type 5 (Double) achievable on this build, causing heap pointer leak.
  • Attack vector: web-based delivery via a specially crafted website loaded in Internet Explorer, or via an ActiveX control marked 'safe for initialization' embedded in an Office document hosting the IE rendering engine.
  • Exploitability of the type confusion (result type achievable via out-of-bounds lookup) is build-dependent; the specific out-of-bounds result type varies per vbscript.dll build, affecting whether the primitive yields an info leak (type 5/Double) or potential RCE (String/Object type).
  • The vulnerability is not limited to VbsVarMod; all arithmetic functions calling PvarGetArithVal with a result lookup table are affected (VbsVarAdd, VbsVarSub, VbsVarMul, VbsVarDiv, VbsVarIDiv, VbsVarPow), with varying exploitability depending on how aggressively each function checks the result type.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck | | 7.5 | HIGH |
vendor_msrc | | 6.4 | MEDIUM |