CVE-2017-0059 — Microsoft Internet Explorer Information Disclosure Vulnerability

CVE-2017-0059

Microsoft Internet Explorer — Process Memory Disclosure via Crafted Web Page; Enables ASLR Bypass in Exploit Chains; Patched MS17-007 (March 2017)

What Is Microsoft Internet Explorer?

Microsoft Internet Explorer (IE) processes HTML, CSS, JavaScript, and embedded objects in a memory-managed environment. Internet Explorer enforces a same-origin policy to prevent cross-origin information access — web pages from one domain should not be able to read content or process memory from another origin. Information disclosure vulnerabilities in IE occur when this isolation fails: process memory contents, file system information, or cross-origin data become accessible to an attacker-controlled web page, allowing reconstruction of memory addresses or system state.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 28, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0059 is an information disclosure vulnerability in Microsoft Internet Explorer that allows remote attackers to read sensitive information from process memory via a crafted web page. The C:L (Low confidentiality impact) CVSS rating reflects that the vulnerability leaks partial — rather than arbitrary — process memory. Despite limited standalone impact, information disclosure from IE process memory is a key technique for defeating Address Space Layout Randomization (ASLR) before executing a companion memory corruption exploit. Patched in MS17-007 (March 14, 2017). CISA added CVE-2017-0059 to the KEV catalog in March 2022.

Affected Versions

Internet Explorer | Status
Internet Explorer on Windows Vista SP2 | Vulnerable
Internet Explorer on Windows 7 SP1 | Vulnerable
Internet Explorer on Windows 8.1 / RT 8.1 | Vulnerable
Internet Explorer on Windows Server 2008/2012 | Vulnerable
Internet Explorer on Windows 10 (pre-March 2017) | Vulnerable
With MS17-007 applied | Fixed

Technical Details

Root Cause: IE Process Memory Disclosure

CVE-2017-0059 is an information disclosure vulnerability (CWE-200) where Internet Explorer improperly handles objects in memory, allowing a malicious web page to read limited amounts of IE process memory. The exact mechanism involves IE failing to properly initialize or clear memory before returning it to JavaScript, or a cross-origin boundary failure that exposes memory content to script running in an attacker-controlled context.

ASLR bypass application: ASLR randomizes the base addresses of modules (ntdll.dll, kernelbase.dll, mshtml.dll) in the IE process on each run. Memory corruption exploits need to know specific function addresses to craft their ROP chains. An information disclosure vulnerability that leaks process memory can:

  • Reveal heap or stack pointers — allowing the offset to module base addresses to be calculated
  • Leak a module's code pointer — revealing its base address directly
  • Expose internal object pointers — enabling precise heap address calculation

Once ASLR is defeated, a companion type confusion or out-of-bounds (OOB) write vulnerability (e.g., CVE-2017-0037) can be exploited reliably, without having to guess randomized addresses.

Attack Characteristics

Attribute | Detail
Attack Vector | Network — malicious web page in Internet Explorer
User Interaction | Required — victim visits attacker-controlled page
Authentication | None required
Information Disclosed | Limited IE process memory
Primary Role | ASLR bypass for companion code execution exploit

Discovery

Identified through Microsoft's internal security research; patched in the March 2017 Patch Tuesday release (MS17-007) alongside IE/Edge type confusion and scripting engine vulnerabilities.

Exploitation Context

  • ASLR bypass in exploit kits: Information disclosure vulnerabilities in IE were systematically incorporated into exploit kits — alongside memory corruption exploits — to defeat ASLR; CVE-2017-0059 was used in RIG and Magnitude exploit kit chains as the ASLR bypass step before the code execution payload
  • Exploit pair with CVE-2017-0037: CVE-2017-0059 and CVE-2017-0037 (IE/Edge type confusion) were patched together in MS17-007 and were exploited together in attack chains: CVE-2017-0059 leaks memory addresses, CVE-2017-0037 delivers code execution with the now-known layout
  • CISA KEV (2022): Added March 28, 2022 alongside CVE-2017-0037, reflecting documented exploitation of both vulnerabilities in exploit kit campaigns

Remediation

CISA BOD 22-01 Deadline: April 18, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS17-007 — install the March 2017 Internet Explorer security update via Windows Update or WSUS.

  2. Migrate away from Internet Explorer — Microsoft ended IE 11 desktop support on June 15, 2022; migrating to Microsoft Edge (Chromium), Chrome, or Firefox eliminates IE attack surface.

  3. Keep Windows fully updated — cumulative updates include all prior IE security patches.

Key Details

Property | Value
CVE ID | CVE-2017-0059
Vendor / Product | Microsoft — Internet Explorer
NVD Published | 2017-03-17
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 4.3
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Severity | MEDIUM
CWE | CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
CISA KEV Added | 2022-03-28
CISA KEV Deadline | 2022-04-18
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date | Event
2017-03-14 | Microsoft releases MS17-007 patching CVE-2017-0059 (Internet Explorer memory information disclosure)
2017-03-17 | CVE-2017-0059 published by NVD
2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog
2022-04-18 | CISA BOD 22-01 remediation deadline