CVE-2017-0149
Published: 17 March 2017
Summary
CVE-2017-0149 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 2.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-3 (Malicious Code Protection).
Deeper analysis
Microsoft Internet Explorer versions 9 through 11 are affected by a memory corruption vulnerability tracked as CVE-2017-0149 and assigned CWE-787. The flaw permits remote attackers to trigger arbitrary code execution or a denial of service condition when a user visits a specially crafted web site. It is distinct from the issues described in CVE-2017-0018 and CVE-2017-0037, and carries a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, no required privileges, and required user interaction.
An attacker can host or compromise a web site containing malicious content that exploits the memory corruption when rendered by a vulnerable IE instance. Successful exploitation grants the ability to execute arbitrary code in the context of the current user or to crash the browser, with confidentiality, integrity, and availability impacts all rated high.
Microsoft published an advisory for CVE-2017-0149 through its Security Response Center portal that addresses the issue and provides guidance for affected customers. No information on observed in-the-wild exploitation is supplied in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0516
Vulnerability details
Microsoft Internet Explorer 9 through 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." This vulnerability is different from those described in…
more
CVE-2017-0018 and CVE-2017-0037.
- CWE(s)
- KEV Date Added
- 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces memory protections that block exploitation of out-of-bounds write flaws such as CWE-787 in IE rendering.
Requires malicious-code detection and blocking mechanisms that can stop the crafted web content before IE processes it.
Restricts or authorizes mobile code (scripts, active content) delivered by web sites, limiting the attack vector used by this IE exploit.