CVE-2017-0210
Published: 12 April 2017
Summary
CVE-2017-0210 is a high-severity an unspecified weakness vulnerability in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 2.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-46 (Cross Domain Policy Enforcement).
Deeper analysis
An elevation of privilege vulnerability tracked as CVE-2017-0210 affects Internet Explorer when the browser fails to properly enforce cross-domain policies. This flaw permits an attacker to access information from one domain and inject it into another, as described in the official disclosure published on 2017-04-12 with a CVSS 3.1 base score of 8.8.
An unauthenticated remote attacker can exploit the issue over the network by convincing a user to visit a malicious web page, after which the attacker can read or modify content across domain boundaries with high impact to confidentiality, integrity, and availability. No prior authentication or special privileges are required on the target system.
The Microsoft Security Response Center advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0210 and related vendor bulletins provide official mitigation guidance and patch information for affected Internet Explorer installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0576
Vulnerability details
An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain, aka "Internet Explorer Elevation of Privilege Vulnerability."
- CWE(s)
- KEV Date Added
- 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires enforcement of cross-domain policies, which the CVE shows IE failed to do, blocking unauthorized information flow between domains.
Enforces rules that prevent information from one domain being read or injected into another, directly mitigating the described cross-domain violation.
Enforces access decisions based on domain boundaries so that content cannot be accessed or modified across domains without authorization.