CVE-2017-0022 — Microsoft XML Core Services Information Disclosure Vulnerability

Microsoft XML Core Services (MSXML) — Memory Handling Flaw Allows Attackers to Test File Existence via Malicious Web Page; Enables ASLR Bypass; Patched March 2017

What Is Microsoft XML Core Services (MSXML)?

Microsoft XML Core Services (MSXML) is the Windows XML parsing library used by Internet Explorer, Office, and many Windows applications to parse and process XML documents. MSXML is a COM-based library callable from JavaScript (new ActiveXObject("Msxml2.DOMDocument")), VBScript, and native code. Because MSXML is available via script in Internet Explorer, vulnerabilities in MSXML are accessible through malicious web pages — making MSXML a recurring source of browser-exploitable information disclosure and memory corruption vulnerabilities.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 24, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0022 is an information disclosure vulnerability in Microsoft XML Core Services (MSXML) where improper object handling in memory allows an attacker to test for the existence of files on disk via a malicious web page. When a user visits a crafted web page that invokes MSXML via JavaScript or ActiveX, the MSXML library improperly processes XML data in memory, potentially exposing the presence or absence of specific filesystem paths — a classic technique for bypassing ASLR by confirming module presence before mounting a memory corruption exploit. Patched in the March 2017 Windows security update. CISA added CVE-2017-0022 to the KEV catalog in May 2022.

Affected Versions

Microsoft XML Core Services                                 Status
MSXML in Internet Explorer on Windows Vista SP2             Vulnerable
MSXML in Internet Explorer on Windows 7 SP1                 Vulnerable
MSXML in Internet Explorer on Windows 8.1                   Vulnerable
MSXML in Internet Explorer on Windows Server 2008/2012      Vulnerable
MSXML in Internet Explorer on Windows 10                    Vulnerable
With March 2017 cumulative update applied                   Fixed

Technical Details

Root Cause: MSXML Memory Object Handling Information Leak

CVE-2017-0022 is an information disclosure vulnerability (CWE-200) arising from how MSXML handles objects in memory. MSXML processes XML documents by parsing them into DOM trees (Document Object Model) in memory, managing nodes, attributes, and text content as COM objects. Under specific conditions triggered by crafted XML, MSXML's memory handling exposes information about system state — specifically, the ability to probe whether specific files exist on the local filesystem.

File existence probing via MSXML: The vulnerability allows a malicious web page (accessed in Internet Explorer) to determine whether specific files or DLLs are present on the victim's system by exploiting a timing or error difference in MSXML's handling of XML that references local file paths. A JavaScript payload can probe for:

  • Security software installations (AV engine DLLs, EDR drivers)
  • Windows components and optional features
  • Module presence for ASLR bypass (kernel32.dll, ntdll.dll base addresses via indirect probing)
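
A defender-side triage heuristic for the probing pattern described above, as an added example that is not part of the original advisory and not vendor code: it flags captured page bodies that combine script-side MSXML instantiation with references to local binaries. The `triage` function, the three-path threshold and all sample bodies are constructed assumptions.

```python
import re

# Script-side MSXML instantiation; the page cites new ActiveXObject("Msxml2.DOMDocument").
MSXML_PROGID = re.compile(
    r"""ActiveXObject\s*\(\s*["'](Msxml2\.[A-Za-z]+(?:\.\d\.\d)?|Microsoft\.XML(?:DOM|HTTP))["']""",
    re.IGNORECASE)
# Drive-letter paths, also inside file:// URLs; the lookbehind skips "http://".
LOCAL_PATH = re.compile(r"""(?<![A-Za-z])[A-Za-z]:[\\/]{1,2}[^"'<>\r\n]+""")
# The page names DLLs and drivers as the files being tested for.
BINARY_EXT = re.compile(r"\.(?:dll|sys)\b", re.IGNORECASE)

def triage(body, min_targets=3):
    """Classify one captured page body; min_targets is an assumed threshold."""
    progids = sorted({m.group(1) for m in MSXML_PROGID.finditer(body)})
    # Collapse JS-escaped backslashes so each path is counted once.
    paths = {re.sub(r"\\+", r"\\", p).lower() for p in LOCAL_PATH.findall(body)}
    binaries = sorted(p for p in paths if BINARY_EXT.search(p))
    if progids and len(binaries) >= min_targets:
        verdict = "alert"    # MSXML plus a list of local binaries: enumeration pattern
    elif progids and paths:
        verdict = "review"   # MSXML plus some local path: may be a legacy intranet app
    else:
        verdict = "ignore"
    return {"verdict": verdict, "progids": progids, "binary_paths": binaries}

# Constructed sample bodies (not captured traffic, and not working exploit code).
SAMPLES = {
    "xml_parse_only": r'''<script>var d = new ActiveXObject("Msxml2.DOMDocument.6.0");
d.loadXML("<a/>");</script>''',
    "intranet_report": r'''<script>var d = new ActiveXObject("Microsoft.XMLDOM");
d.load("file:///C:/data/report.xml");</script>''',
    "path_enumeration": r'''<script>var d = new ActiveXObject("Msxml2.DOMDocument");
var targets = ["C:\\Windows\\System32\\drivers\\example_av.sys",
               "C:\\Program Files\\ExampleEDR\\agent.dll",
               "C:\\Windows\\System32\\example.dll"];</script>''',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

The "review" tier exists because legacy intranet applications legitimately load local XML through MSXML; tune `min_targets` against your own proxy or sandbox captures before alerting on it.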

Role in exploit chains: Information disclosure vulnerabilities like CVE-2017-0022 are valuable as ASLR bypass tools in exploit chains:

  1. Probe for specific DLL or module presence at known ASLR-randomized locations
  2. Use the disclosed information to determine the memory layout of the target process
  3. Use the known layout to aim a subsequent memory corruption exploit at the correct address

Attack Characteristics

Attribute              Detail
Attack Vector          Network — malicious web page loaded in Internet Explorer
User Interaction       Required — victim visits the attacker's page
Authentication         None required
Information Disclosed  File system path existence, potentially memory layout hints
Role in Chains         ASLR bypass / reconnaissance before code execution exploit

Discovery

Identified through Microsoft's internal security research or external coordinated disclosure; patched in March 2017 Patch Tuesday alongside other MSXML and IE vulnerabilities.

Exploitation Context

  • ASLR bypass in exploit kit chains: Information disclosure vulnerabilities in MSXML were incorporated into exploit kits as ASLR bypass techniques — probing file existence to determine which DLLs are loaded at what addresses, defeating Windows ASLR before applying a memory corruption payload
  • Exploit kit evolution: Exploit kits (Angler, Magnitude, RIG) continuously updated their MSXML file probing techniques as Microsoft patched each disclosure variant; CVE-2017-0022 represents one iteration in this ongoing cat-and-mouse game
  • Internet Explorer targeting: CVE-2017-0022 required Internet Explorer as the attack vector; while IE market share declined through 2017, it remained significant in enterprise environments where IE was mandated for compatibility with internal web applications
  • CISA KEV (2022): Added May 2022 based on documented use in active exploit kit campaigns where MSXML file probing was part of a multi-stage exploitation chain

Remediation

CISA BOD 22-01 Deadline: June 14, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply March 2017 Windows cumulative update — install the March 2017 security update for Windows via Windows Update or WSUS. All subsequent cumulative updates include this fix.

  2. Migrate away from Internet Explorer — IE is the required attack vector for MSXML script exploitation; migrating to Microsoft Edge, Chrome, or Firefox eliminates this attack surface. Microsoft ended Internet Explorer 11 desktop support on June 15, 2022.

  3. Disable MSXML ActiveX in Internet Explorer — configure IE Enhanced Protected Mode and restrict ActiveX controls through Group Policy to reduce MSXML exposure from IE.

  4. Keep Windows fully updated — all current Windows cumulative updates include MSXML security patches.

Key Details

Property              Value
CVE ID                CVE-2017-0022
Vendor / Product      Microsoft — XML Core Services
NVD Published         2017-03-17
NVD Last Modified     2025-10-22
CVSS 3.1 Score        6.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
CISA KEV Added        2022-05-24
CISA KEV Deadline     2022-06-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2022-06-14. Apply updates per vendor instructions.

Timeline

Date        Event
2017-03-14  Microsoft releases March 2017 Patch Tuesday; CVE-2017-0022 patched in MSXML update
2017-03-17  CVE-2017-0022 published by NVD
2022-05-24  Added to CISA Known Exploited Vulnerabilities catalog
2022-06-14  CISA BOD 22-01 remediation deadline