CVE-2016-0072
published 2016-02-10CVE-2016-0072: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web…
PriorityP353high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EPSS
20.71%
97.2th percentile
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0060, CVE-2016-0061, CVE-2016-0063, and CVE-2016-0067.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7v63-r5mp-v46r: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2016-0072 [HIGH] CWE-119 GHSA-7v63-r5mp-v46r: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0060, CVE-2016-0061, CVE-2016-0063, and CVE-2016-0067.
GHSA
GHSA-2pq2-xg2g-983m: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corr
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2016-0060 [HIGH] CWE-119 GHSA-2pq2-xg2g-983m: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corr
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Browser Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0061, CVE-2016-0063, CVE-2016-0067, and CVE-2016-0072.
GHSA
GHSA-cc96-7m7g-23hp: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2016-0067 [HIGH] CWE-119 GHSA-cc96-7m7g-23hp: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0060, CVE-2016-0061, CVE-2016-0063, and CVE-2016-0072.
GHSA
GHSA-2x34-7fj8-wmcv: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corr
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2016-0061 [HIGH] CWE-119 GHSA-2x34-7fj8-wmcv: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corr
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Browser Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0060, CVE-2016-0063, CVE-2016-0067, and CVE-2016-0072.
GHSA
GHSA-7wp4-xgrr-7jp4: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2016-0063 [HIGH] CWE-119 GHSA-7wp4-xgrr-7jp4: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0060, CVE-2016-0061, CVE-2016-0067, and CVE-2016-0072.
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday - February 2016
blogs_talos·2016-02-09·CVSS 7.8
[HIGH] Microsoft Patch Tuesday - February 2016
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.
## Bulletins Rated Critical
Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month's release.
MS16-009 and MS16-011 are this month's Internet Explorer and Edge security bulletin resp
Talos
Microsoft Patch Tuesday - February 2016
blogs_talos·2016-02-09·CVSS 7.8
[HIGH] Microsoft Patch Tuesday - February 2016
## Microsoft Patch Tuesday - February 2016
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.
## Bulletins Rated Critical
Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month's release.
MS16-009 and MS16-011 are this month's Inter
Zscaler
Zscaler found Multiple Security Vulnerabilities | 02-09-2016
blogs_zscaler·CVSS 8.8
[HIGH] Zscaler found Multiple Security Vulnerabilities | 02-09-2016
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Bugzilla
CVE-2016-2051 chromium-browser: Multiple unspecified vulnerabilities in Google V8 before 4.8.271.17
bugzilla·2016-01-25·CVSS 9.8
CVE-2016-2051 [CRITICAL] CVE-2016-2051 chromium-browser: Multiple unspecified vulnerabilities in Google V8 before 4.8.271.17
CVE-2016-2051 chromium-browser: Multiple unspecified vulnerabilities in Google V8 before 4.8.271.17
Multiple unspecified vulnerabilities in Google V8 before 4.8.271.17 were reported, as used in Google Chrome before 48.0.2564.82, allowing attackers to cause a denial of service or possibly have other impact via unknown vectors.
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1614 chromium-browser: information leak in Blink
bugzilla·2016-01-22·CVSS 4.3
CVE-2016-1614 [MEDIUM] CVE-2016-1614 chromium-browser: information leak in Blink
CVE-2016-1614 chromium-browser: information leak in Blink
A information leak flaw was found in the Blink component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=544691
External References:
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1620 chromium-browser: various fixes from internal audits
bugzilla·2016-01-22·CVSS 8.8
CVE-2016-1620 [HIGH] CVE-2016-1620 chromium-browser: various fixes from internal audits
CVE-2016-1620 chromium-browser: various fixes from internal audits
Various fixes from internal audits, fuzzing and other initiatives.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=579625
External References:
http://googlechromereleases.blogspot.fr/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1617 chromium-browser: various fixes from internal audits
bugzilla·2016-01-22·CVSS 4.3
CVE-2016-1617 [MEDIUM] CVE-2016-1617 chromium-browser: various fixes from internal audits
CVE-2016-1617 chromium-browser: various fixes from internal audits
History sniffing with HSTS and CSP.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=544765
External References:
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1618 chromium-browser: weak random number generator in Blink
bugzilla·2016-01-22·CVSS 6.5
CVE-2016-1618 [MEDIUM] CVE-2016-1618 chromium-browser: weak random number generator in Blink
CVE-2016-1618 chromium-browser: weak random number generator in Blink
A weak random number generator flaw was found in the Blink component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=552749
External References:
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1619 chromium-browser: out-of-bounds read in PDFium
bugzilla·2016-01-22·CVSS 7.6
CVE-2016-1619 [HIGH] CVE-2016-1619 chromium-browser: out-of-bounds read in PDFium
CVE-2016-1619 chromium-browser: out-of-bounds read in PDFium
A out-of-bounds read flaw was found in the PDFium component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=557223
External References:
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1613 chromium-browser: use-after-free in PDFium
bugzilla·2016-01-22·CVSS 7.6
CVE-2016-1613 [HIGH] CVE-2016-1613 chromium-browser: use-after-free in PDFium
CVE-2016-1613 chromium-browser: use-after-free in PDFium
A use-after-free flaw was found in the PDFium component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=572871
External References:
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1612 chromium-browser: bad cast in V8
bugzilla·2016-01-22·CVSS 7.6
CVE-2016-1612 [HIGH] CVE-2016-1612 chromium-browser: bad cast in V8
CVE-2016-1612 chromium-browser: bad cast in V8
A bad cast flaw was found in the V8 component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=497632
External References:
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1616 chromium-browser: various fixes from internal audits
bugzilla·2016-01-22·CVSS 4.3
CVE-2016-1616 [MEDIUM] CVE-2016-1616 chromium-browser: various fixes from internal audits
CVE-2016-1616 chromium-browser: various fixes from internal audits
URL Spoofing.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=541415
External References:
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2016-1615 chromium-browser: origin confusion in Omnibox
bugzilla·2016-01-22·CVSS 6.5
CVE-2016-1615 [MEDIUM] CVE-2016-1615 chromium-browser: origin confusion in Omnibox
CVE-2016-1615 chromium-browser: origin confusion in Omnibox
A origin confusion flaw was found in the Omnibox component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=468179
External References:
http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Bugzilla
CVE-2015-7975 ntp: nextvar() missing length check in ntpq
bugzilla·2016-01-20·CVSS 6.2
CVE-2015-7975 [MEDIUM] CVE-2015-7975 ntp: nextvar() missing length check in ntpq
CVE-2015-7975 ntp: nextvar() missing length check in ntpq
It was found that ntpq did not implement a proper lenght check when calling nextvar(), which executes a memcpy(), on the name buffer.
A remote attacker could potentially use this flaw to crash an ntpq client instance.
Upstream patch:
https://github.com/ntp-project/ntp/commit/12f1323d18c8d74eb14fb5ac5574183d779794c5
Discussion:
External References:
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0072/
---
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1300277]
---
Statement:
This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the affected code, which w
http://www.securitytracker.com/id/1034971http://www.zerodayinitiative.com/advisories/ZDI-16-157https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-009http://www.securitytracker.com/id/1034971http://www.zerodayinitiative.com/advisories/ZDI-16-157https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-009
2016-02-10
Published