CVE-2017-0037
Published: 26 February 2017
Summary
CVE-2017-0037 is a high-severity Type Confusion (CWE-843) vulnerability in Microsoft Windows 10 1507. Its CVSS base score is 8.1 (High).
Operationally, this CVE ranks in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability CVE-2017-0037 is a type confusion flaw in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function within mshtml.dll. It affects Microsoft Internet Explorer versions 10 and 11 as well as Microsoft Edge, and is catalogued under CWE-843.
Remote attackers can exploit the issue to execute arbitrary code. The attack requires a crafted CSS token sequence together with JavaScript code that manipulates a TH element; the CVSS 3.1 score of 8.1 reflects a network vector, high complexity, and no required privileges or user interaction.
Public references include Microsoft security bulletins, SecurityFocus and SecurityTracker entries, a 0patch analysis, and Google Project Zero issue 1011.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0404
Vulnerability details
Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.
- CWE(s): CWE-843 (Type Confusion)
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patch that eliminates the type-confusion flaw in mshtml.dll.
- SC-18 (Mobile Code): allows definition and enforcement of restrictions on mobile code (JavaScript/CSS), which is the required attack vector for this CVE.
- SI-16 (Memory Protection): implements memory-protection safeguards that can block the unauthorized code execution resulting from the type-confusion condition.