CVE-2017-8635
published 2017-08-08


Priority: P2 · 69 · high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 55.88% (98.9th percentile)
Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that JavaScript engines render when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.

Affected

7 ranges (version range and fixed-in columns are blank in the record)

Vendor                | Product                      | Version range | Fixed in
microsoft             | internet_explorer            |               |
microsoft             | internet_explorer            |               |
microsoft             | internet_explorer            |               |
microsoft_corporation | microsoft_scripting_engine   |               |
msrc                  | internet_explorer_10         |               |
msrc                  | internet_explorer_11         |               |
msrc                  | microsoft_edge               |               |

Detection & IOCs (extracted from sources)

Command: for (let i = 0; i < 0x1000; ++i) o['a0'] = 1;
  • The vulnerability is triggered by repeatedly assigning to a previously deleted property on a non-extensible object in a loop (0x1000 iterations), causing TryUndeleteProperty to be called repeatedly until deletedPropertyIndex becomes NoSlots, leaving propertyIndex uninitialized and corrupting memory.
  • The exploit pattern involves: (1) creating an object with many properties, (2) deleting all of them, (3) making the object non-extensible, then (4) repeatedly setting a deleted property to trigger the bug in SimpleDictionaryUnorderedTypeHandle::TryUndeleteProperty via the Chakra JS engine.
  • In release builds, the uninitialized propertyIndex leads to memory corruption (no assertion fires); in debug builds the crash manifests as Assert(reused) — monitor for Chakra/JScript engine crashes or heap corruption in Microsoft Edge or IE processes after heavy property deletion/reassignment patterns.
  • Attack vector is web-based: attacker hosts a specially crafted website or embeds an ActiveX control marked 'safe for initialization' in an Office document to exploit the Chakra scripting engine through Microsoft browsers.
  • Exploit status at time of patching was 'Publicly Disclosed: No; Exploited: No' but rated 'Exploitation More Likely' for the latest software release — treat as high-priority for detection despite no confirmed in-the-wild exploitation at patch time.

CVSS provenance

NVD v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD v2.0: 7.6 HIGH, AV:N/AC:H/Au:N/C:C/I:C/A:C
Vendor (MSRC): 4.2 MEDIUM