CVE-2019-1367
Published: 23 September 2019
Summary
CVE-2019-1367 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-16 (Memory Protection).
Deeper analysis
A remote code execution vulnerability exists in the scripting engine's handling of objects in memory within Internet Explorer, classified as a memory corruption issue under CWE-787. This flaw, tracked as CVE-2019-1367 and distinct from CVE-2019-1221, carries a CVSS 3.1 score of 7.5 reflecting network attack vector, high attack complexity, no required privileges, and required user interaction.
An attacker can exploit the issue remotely by supplying specially crafted content that triggers the memory corruption when processed by the affected scripting engine in Internet Explorer, potentially resulting in arbitrary code execution with impacts to confidentiality, integrity, and availability.
Microsoft has published guidance through its Security Response Center addressing the vulnerability, and the flaw appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-9924
Vulnerability details
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces memory protection mechanisms that block the out-of-bounds write (CWE-787) exploitation path used by this scripting-engine RCE.
Restricts or sandbox-executes mobile code (IE scripting engine objects) so that specially crafted web content cannot achieve arbitrary code execution.
Requires timely application of the vendor patch that eliminates the memory-corruption flaw before an attacker-supplied page can trigger it.