CVE-2017-0059
Published: 17 March 2017
Summary
CVE-2017-0059 is a medium-severity vulnerability of unspecified weakness type in Microsoft Internet Explorer. Its CVSS base score is 4.3 (Medium).
Operationally, it is ranked in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2017-0059 is an information disclosure vulnerability affecting Microsoft Internet Explorer 9 through 11. It enables remote attackers to read sensitive data from process memory when a user visits a specially crafted web site. The issue is distinct from the related flaws tracked as CVE-2017-0008 and CVE-2017-0009.
An unauthenticated remote attacker can exploit the flaw by serving malicious content over the network; successful exploitation requires the victim to interact with the page (for example, by browsing to it) and results in limited leakage of memory contents. The CVSS 3.1 score of 4.3 reflects network attack vector, low complexity, and no impact on integrity or availability.
Microsoft published guidance for the issue in security advisory CVE-2017-0059, and public proof-of-concept code has been posted to Exploit-DB.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0426
Vulnerability details
Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0008 and CVE-2017-0009.
- CWE(s)
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces memory protection mechanisms that would block unauthorized disclosure of process memory contents to a remote attacker via a crafted IE page.
Requires process isolation so that IE cannot leak memory contents belonging to other processes or the system when rendering attacker-controlled web content.
Mandates that shared system resources are cleared before reallocation, limiting residual sensitive data that the IE information-disclosure flaw could expose.