CVE-2018-8373
Published: 15 August 2018
Summary
CVE-2018-8373 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A remote code execution vulnerability exists in the scripting engine's handling of objects in memory within Internet Explorer, resulting in memory corruption classified under CWE-787. The issue affects Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11, and is distinct from several related scripting engine flaws disclosed around the same time.
An attacker can exploit the flaw over the network without authentication by serving malicious content that triggers the memory corruption when rendered in a vulnerable browser instance. Successful exploitation requires user interaction such as visiting a crafted webpage and can yield full control over confidentiality, integrity, and availability on the target system, consistent with the CVSS 7.5 rating reflecting high attack complexity.
Microsoft published an advisory addressing CVE-2018-8373 along with related security bulletins that practitioners should consult for patch availability and configuration guidance. No information on observed in-the-wild exploitation is provided in the source references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-20017
Vulnerability details
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID…
more
is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.
- CWE(s)
- KEV Date Added
- 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of vendor patches that eliminate the scripting-engine memory-corruption flaw before exploitation.
Implements memory-protection safeguards that block the unauthorized code execution resulting from the out-of-bounds write (CWE-787) in the IE scripting engine.
Establishes usage restrictions and implementation guidance for mobile code (scripts) that can stop the malicious webpage content from reaching the vulnerable scripting engine.