JavaScript Engine Memory Corruption Vulnerability in Microsoft Browsers
CVE-2017-8641

7.5HIGH

Key Information:

Vendor
Microsoft
Status
Microsoft Scripting Engine
Vendor
CVE Published:
8 August 2017

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 79%

Summary

This vulnerability allows attackers to execute arbitrary code on systems running affected Microsoft browsers due to improper memory handling in the JavaScript engine. When the browser processes scripts, memory corruption can occur, potentially leading to unauthorized actions within the context of the user. This can expose sensitive information or allow the installation of malicious software.

Affected Version(s)

Microsoft Scripting Engine Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2017-8641_chakra_Js_GlobalObject
Created by homjxi0e

References

http://www.securityfocus.com/bid/100057
vdb-entryx_refsource_BID
https://portal.msrc.microsoft.com/en-US/security-guidance...
x_refsource_CONFIRM
http://www.securitytracker.com/id/1039095
vdb-entryx_refsource_SECTRACK

EPSS Score

79% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.