CVE-2016-3247
published 2016-09-14


Priority: P2 · 67 · high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 71.48% (99.3th percentile)
Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Browser Memory Corruption Vulnerability."

Affected

17 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | |
msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | |
msrc | internet_explorer_11_on_windows_rt_8.1 | |
msrc | internet_explorer_11_on_windows_server_2012_r2 | |
msrc | microsoft_edge_on_windows_10_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | |
msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | |

Detection & IOCs (extracted from sources)

command: *::first-letter{ border: 0; } *{ white-space: pre-line; }
  • Trigger is a crafted HTML page combining CSS rules `*::first-letter{ border: 0; }` and `*{ white-space: pre-line; }` — detect pages serving both selectors together as a suspicious pattern targeting CTextExtractor::GetBlockText in Microsoft Edge/IE11.
  • The vulnerability is an integer underflow in a 32-bit index variable inside CTextExtractor::GetBlockText, causing an out-of-bounds read of ~8 GB (0x200000000 bytes) beyond the buffer on 64-bit Edge. Monitor for Edge/IE11 processes consuming abnormally large memory (5–10 GB) consistent with a heap spray attempting to populate the OOB address range.
  • PoC heap spray uses a specific allocation-size sequence ([-0x4000, 0x1000, -0x5000, 0x5000, -0x7000, 0x6000, -0x8000]) consuming ~5.3 GB RAM to reach the OOB address; a page causing Edge to allocate 5–10 GB of heap memory via JavaScript ArrayBuffers or typed arrays is a strong indicator of exploitation.
  • Unlike a typical crash-inducing repro, a successful exploit attempt will NOT crash Edge because the heap spray pre-allocates the OOB region; absence of an access-violation crash in Edge while the page is loaded and memory usage is extremely high should be treated as a suspicious indicator rather than a clean signal.
  • Exploitation only manifests as an ~8 GB OOB read on 64-bit Edge/IE11; on 32-bit systems the integer wrap causes a read only one WCHAR before the buffer start and does not crash, making 32-bit systems harder to detect via crash telemetry.
  • Internet Explorer running in Enhanced Security Configuration (ESC) on Windows Server 2008/2008 R2/2012/2012 R2 reduces exploitation likelihood; ESC is a mitigating factor only for sites not in the Trusted Sites zone.
  • EMET can help mitigate exploitation of this memory-corruption vulnerability in Internet Explorer when installed and configured to work with IE.
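
The first bullet's check (both CSS rules served together in one page) can be run over captured HTML, for example proxy or sandbox output. The sketch below is an added example, not code from this page or its sources; the function names and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class _StyleCollector(HTMLParser):
    """Collects the text content of every <style> element."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.css = []
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def parse_rules(css):
    """Yield (selector, {property: value}) per rule; comments are stripped first."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    for selectors, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        decls = {}
        for decl in body.split(";"):
            if ":" in decl:
                prop, value = decl.split(":", 1)
                decls[prop.strip().lower()] = value.strip().lower()
        for sel in selectors.split(","):
            yield re.sub(r"\s+", "", sel).lower(), decls

# Universal-selector spellings of the first-letter rule (the bare forms imply "*").
FIRST_LETTER = {"*::first-letter", "*:first-letter", "::first-letter", ":first-letter"}

def has_trigger_pair(html):
    """True when one page carries both rules named in the first bullet."""
    collector = _StyleCollector()
    collector.feed(html)
    first_letter = pre_line = False
    for sel, decls in parse_rules("\n".join(collector.css)):
        if sel in FIRST_LETTER:
            first_letter |= any(p.startswith("border") for p in decls)
        if sel == "*":
            pre_line |= decls.get("white-space", "").startswith("pre-line")
    return first_letter and pre_line

# Constructed sample pages (not captured traffic).
SAMPLE_TRIGGER = ("<html><head><style>*::first-letter{ border: 0; } "
                  "*{ white-space: pre-line; }</style></head><body>text</body></html>")
SAMPLE_BENIGN = "<style>p::first-letter{ border: 0; } pre{ white-space: pre-line; }</style>"
```

A hit is a triage lead rather than a verdict, since each rule is ordinary CSS on its own. Inline `style` attributes and external stylesheets are outside what this sketch inspects.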

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P
vendor_msrc | | 4.2 | MEDIUM |