Cyber Resilience

CVE-2017-0059

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 March 2017

Modified: 22 April 2026
KEV Added: 28 March 2022
Patch
CVSS Score v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
EPSS Score: 0.8364 (99.3rd percentile)
Risk Priority: 79 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-0059 is a medium-severity vulnerability in Microsoft Internet Explorer; its weakness class is unspecified. Its CVSS base score is 4.3 (Medium).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2017-0059 is an information disclosure vulnerability affecting Microsoft Internet Explorer 9 through 11. It enables remote attackers to read sensitive data from process memory when a user visits a specially crafted web site. The issue is distinct from the related flaws tracked as CVE-2017-0008 and CVE-2017-0009.

An unauthenticated remote attacker can exploit the flaw by serving malicious content over the network; successful exploitation requires the victim to interact with the page (for example, by browsing to it) and results in limited leakage of memory contents. The CVSS 3.1 score of 4.3 reflects network attack vector, low complexity, and no impact on integrity or availability.

Microsoft published guidance for the issue in security advisory CVE-2017-0059, and public proof-of-concept code has been posted to Exploit-DB.


Vulnerability details

Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0008 and CVE-2017-0009.

CWE(s)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: internet explorer
Versions: 10, 11, 9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly enforces memory protection mechanisms that would block unauthorized disclosure of process memory contents to a remote attacker via a crafted IE page.

prevent: Requires process isolation so that IE cannot leak memory contents belonging to other processes or the system when rendering attacker-controlled web content.

prevent: Mandates that shared system resources are cleared before reallocation, limiting residual sensitive data that the IE information-disclosure flaw could expose.
