cbcvebase.
CVE-2016-0199
published 2016-06-16

CVE-2016-0199: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web…

PriorityP267high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
51.00%
98.8th percentile
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0200 and CVE-2016-3211.

Affected

16 ranges
VendorProductVersion rangeFixed in
microsoftinternet_explorer
microsoftinternet_explorer
microsoftinternet_explorer
msrcinternet_explorer_10_on_windows_server_2012
msrcinternet_explorer_11_on_windows_10_for_32-bit_systems
msrcinternet_explorer_11_on_windows_10_for_x64-based_systems
msrcinternet_explorer_11_on_windows_10_version_1511_for_32-bit_systems
msrcinternet_explorer_11_on_windows_10_version_1511_for_x64-based_systems
msrcinternet_explorer_11_on_windows_8.1_for_32-bit_systems
msrcinternet_explorer_11_on_windows_8.1_for_x64-based_systems
msrcinternet_explorer_11_on_windows_rt_8.1
msrcinternet_explorer_11_on_windows_server_2012_r2
msrcinternet_explorer_9_on_windows_server_2008_for_32-bit_systems_service_pack_2
msrcinternet_explorer_9_on_windows_server_2008_for_x64-based_systems_service_pack_2
msrcinternet_explorer_9_on_windows_vista_service_pack_2
msrcinternet_explorer_9_on_windows_vista_x64_edition_service_pack_2

Detection & IOCsextracted from sources · hover to see the quote

commandoElement = document.createElement("IMG"); var oAttr = document.createAttribute("loop"); oAttr.nodeValue = oElement; oElement.loop = 0x41424344; oElement.setAttributeNode(oAttr); oElement.removeAttributeNode(oAttr); CollectGarbage();
  • Look for JavaScript patterns invoking CollectGarbage() following setAttribute/removeAttributeNode manipulation on IMG elements — hallmark of the IE11 garbage collector attribute type confusion exploit (MS16-063).
  • The exploit targets Internet Explorer 11 specifically; monitor for IE11 process anomalies (e.g., iexplore.exe spawning child processes) following visits to untrusted or user-content-hosting websites.
  • Exploitation likelihood is rated 'More Likely' for both latest and older software releases; prioritize detection on unpatched IE instances (KB3160005, KB3163017, KB3163018 absent).
  • ·Internet Explorer on Windows Server 2008/2008 R2/2012/2012 R2 runs in Enhanced Security Configuration (restricted mode) by default, which reduces but does not eliminate exploitation risk.
  • ·EMET can be configured to work with Internet Explorer to help mitigate exploitation of this memory corruption vulnerability.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc8.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.