CVE-2019-0752
Published: 09 April 2019
Summary
CVE-2019-0752 is a high-severity Type Confusion (CWE-843) vulnerability in Microsoft Windows 10 1709. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
A remote code execution vulnerability tracked as CVE-2019-0752 exists in the scripting engine of Internet Explorer due to improper handling of objects in memory, resulting in memory corruption. The issue is classified under CWE-843 and carries a CVSS 3.1 score of 7.5 reflecting network attack vector, high complexity, no required privileges, and required user interaction.
An unauthenticated remote attacker can trigger the flaw by causing a victim to visit a malicious web page in Internet Explorer, achieving arbitrary code execution that impacts confidentiality, integrity, and availability on the affected system. The vulnerability is distinct from several related scripting engine issues disclosed around the same time.
Microsoft has published guidance for CVE-2019-0752 through its security advisory portal, and additional technical details are available from the Zero Day Initiative. Public exploit code referencing affected builds such as Windows 10 1809 version 17763.316 has also been posted to Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-1511
Vulnerability details
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.
- CWE(s)
- KEV Date Added
- 15 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the vendor patch that eliminates the memory-corruption flaw in the IE scripting engine.
Restricts or disables mobile code (scripts) executed by Internet Explorer, blocking the attack vector that triggers the RCE.
Deploys malicious-code detection mechanisms that can identify and block web pages exploiting the scripting-engine vulnerability.