Sid 1-37283

Report a false positive

Rule Category

BROWSER-IE -- Snort has detected traffic known to exploit vulnerabilities present in the Internet Explorer browser, or products that have the Trident or Tasman engines.

Alert Message

BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt

Rule Explanation

The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 engines, as used in Internet Explorer 8 through 11 and other products, allow remote attackers to execute arbitrary code via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability." Impact: CVSS base score 7.5 CVSS impact score 5.9 CVSS exploitability score 1.6 confidentialityImpact HIGH integrityImpact HIGH availabilityImpact HIGH Details: Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Talos research team. This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology. For more information see [nvd].

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

CVE-2016-0002 CVE-2017-11886 CVE-2018-1004 CVE-2018-1023

Additional Links

portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11886
portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1004
portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1023
technet.microsoft.com/en-us/security/bulletin/MS16-001

Rule Vulnerability

CVE Additional Information

CVE-2016-0002
The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 engines, as used in Internet Explorer 8 through 11 and other products, allow remote attackers to execute arbitrary code via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability."
Details
Severity Base Score7.5
Impact Score5.9 Exploit Score1.6
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Access Vector
Authentication Ease of Access

Affected Systems
CVE-2017-11886
Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11907, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.
Details
Severity Base Score7.5
Impact Score5.9 Exploit Score1.6
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Access Vector
Authentication Ease of Access

Affected Systems
CVE-2018-1004
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Internet Explorer 9, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10.
Details
Severity Base Score8.8
Impact Score5.9 Exploit Score2.8
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Access Vector
Authentication Ease of Access

Affected Systems
CVE-2018-1023
A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka "Microsoft Browser Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore.
Details
Severity Base Score7.5
Impact Score5.9 Exploit Score1.6
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Access Vector
Authentication Ease of Access

Affected Systems