Vulnerability

CERT-In Vulnerability Note CIVN-2017-0175
Multiple Vulnerabilities in Microsoft Internet Explorer

Original Issue Date:November 22, 2017

Severity Rating: HIGH

Software Affected

Internet Explorer versions 9,10,11
Microsoft Edge
Windows Server 2012
Windows 7 for x64-based Systems Service Pack 1
Windows 10 Version 1511 for x64-based Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 Version 1709 for 64-based Systems
Windows RT 8.1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows 10 for 32-bit Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 8.1 for x64-based systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows Server 2016
Windows 10 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows Server, version 1709 (Server Core Installation)
Windows 8.1 for 32-bit systems
Windows 10 Version 1709 for 32-bit Systems
Windows Server 2012 R2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2

Overview

Multiple Vulnerabilities have been reported in the Microsoft Internet Explorer which could allow an attacker to execute arbitrary code on the targeted system.

Description

1. Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability ( CVE-2017-11869 CVE-2017-11827 CVE-2017-11837 CVE-2017-11838 CVE-2017-11843 CVE-2017-11846 CVE-2017-11855 CVE-2017-11856 CVE-2017-11858 )

These vulnerabilities are exist due to improper memory operations that are performed by the affected software. An attacker who successfully exploited these vulnerabilities could use a specially crafted file to perform actions in the security context of the current user.
Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.

2. Microsoft Internet Explorer Information Disclosure Vulnerability ( CVE-2017-11791 CVE-2017-11834 CVE-2017-11848 )

These vulnerabilities are exist due to improper memory operations that are performed by the affected software. An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.
Successful exploitation of these vulnerabilities could allow the attacker to access sensitive information on the targeted system, which could be used to compromise the system completely.

Solution

Apply appropriate software fixes as available on the vendor website.
https://portal.msrc.microsoft.com/en-us/security-guidance

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/bae9d0d8-e497-e711-80e5-000d3a32fc99

Vendor Information

References

Security Tracker
https://securitytracker.com/id/1039796
https://securitytracker.com/id/1039781

CVE Name
CVE-2017-11827
CVE-2017-11837
CVE-2017-11838
CVE-2017-11843
CVE-2017-11846
CVE-2017-11855
CVE-2017-11856
CVE-2017-11858
CVE-2017-11791
CVE-2017-11834
CVE-2017-11848
CVE-2017-11869

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India