CVE-2016-3298
published 2016-10-14


CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Priority: P180
Flags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-06-14)
Exploited in the wild
EPSS: 32.79% (percentile 98.1)
Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."

Affected (12 ranges)

Vendor      Product                                    Version range   Fixed in
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   windows_server_2008
msrc        internet_explorer_10
msrc        internet_explorer_11
msrc        internet_explorer_9
msrc        windows_7
msrc        windows_server_2008
msrc        windows_server_2008_r2
msrc        windows_vista_service_pack_2
msrc        windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

  • The exploit calls Microsoft.XMLDOM loadXML() with res:// protocol URIs to probe for file existence and tells a present file from an absent one by the XMLDOM parseError.errorCode value (0x80004005 = file exists, 0x80070485 = file not found)
  • TippingPoint MainlineDV filter 27047 detects HTTP-level exploitation: Microsoft Internet Explorer parseError Information Disclosure Vulnerability
  • TippingPoint MainlineDV filter 27061 detects HTTP-level exploitation via ActiveX parseError.errorCode invocation
  • Trend Micro Deep Discovery Inspector DDI Rule 2358 detects exploitation of CVE-2017-0022 (the closely related successor to CVE-2016-3298) in HTTP responses; it is not a direct signature for CVE-2016-3298
  • The exploit was observed in the wild in the AdGholas malvertising campaign and was later integrated into the Neutrino exploit kit; detections should cover the malvertising traffic chains that lead to the XMLDOM file-probing payload
  • The exploit targets specific Windows resource types through the res:// protocol; the resource types involved are RT_ICON (3), RT_MESSAGETABLE (11), RT_VERSION (16) and RT_MANIFEST (24)
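A small response-body scanner for the pattern the bullets above describe, added here as an example (it is not a rule from TippingPoint, Trend Micro, or any other source the page cites). It checks a body for the Microsoft.XMLDOM / loadXML() / res:// / parseError.errorCode combination, pulls the resource-type ID out of each res:// URI and compares it with the four listed types, and normalises any HRESULT literal (hex or signed decimal, as JScript writes them) to compare with the two listed error codes. The regexes, the verdict tiers and the three sample bodies are constructed assumptions, not captured traffic; in particular the DOCTYPE wrapper and the product path in the probe-like sample are there only to exercise the scanner.

```python
"""Scan HTTP response bodies for the CVE-2016-3298 file-probing pattern.

Added example, not the page's or any vendor's rule. It looks for the markers
listed under Detection & IOCs: an ActiveX Microsoft.XMLDOM object, a
loadXML() call, res:// URIs (optionally with one of the four listed resource
type IDs) and a parseError.errorCode check against the two listed HRESULTs.
The regexes, the scoring tiers and the sample bodies are assumptions.
"""
import re

# Windows resource-type IDs the page lists as reachable through res://
RT_ICON, RT_MESSAGETABLE, RT_VERSION, RT_MANIFEST = 3, 11, 16, 24
PROBED_TYPES = {RT_ICON, RT_MESSAGETABLE, RT_VERSION, RT_MANIFEST}

# parseError.errorCode values the page lists (file exists / file not found)
ERR_FILE_EXISTS = 0x80004005
ERR_FILE_MISSING = 0x80070485

RE_XMLDOM = re.compile(r'ActiveXObject\s*\(\s*["\']Microsoft\.XMLDOM["\']', re.I)
RE_LOADXML = re.compile(r'\.loadXML\s*\(', re.I)
RE_RES_URI = re.compile(r'res://[^"\'<>\r\n]+', re.I)
RE_ERRCODE = re.compile(r'\bparseError\s*\.\s*errorCode\b', re.I)
# HRESULTs in JScript show up as hex literals or as signed 32-bit decimals
RE_HRESULT = re.compile(r'-\d{10}\b|0x[0-9a-f]{8}\b', re.I)


def to_hresult(token):
    """Normalise '0x80004005' or '-2147467259' to the unsigned HRESULT."""
    return int(token, 0) & 0xFFFFFFFF


def res_type_id(uri):
    """Return the numeric resource type in res://<module>/<type>/<name>,
    or None when the type segment is absent or not numeric. Both '16' and
    '#16' are accepted (assumption about how the type segment is written)."""
    segments = uri[len("res://"):].split("/")
    if len(segments) < 3:
        return None
    type_seg = segments[-2].lstrip("#")
    return int(type_seg) if type_seg.isdigit() else None


def scan_response(body):
    """Classify one response body. Returns the markers found, the res://
    URIs, the probed resource types and a verdict (none/low/medium/high)."""
    uris = RE_RES_URI.findall(body)
    markers = {
        "xmldom": bool(RE_XMLDOM.search(body)),
        "loadxml": bool(RE_LOADXML.search(body)),
        "res_uri": bool(uris),
        "errorcode": bool(RE_ERRCODE.search(body)),
    }
    probed = sorted({t for t in map(res_type_id, uris) if t in PROBED_TYPES})
    hresults = {to_hresult(tok) for tok in RE_HRESULT.findall(body)}
    known_codes = bool(hresults & {ERR_FILE_EXISTS, ERR_FILE_MISSING})

    if all(markers.values()) and (probed or known_codes):
        verdict = "high"      # full probe loop plus a listed type ID or code
    elif all(markers.values()):
        verdict = "medium"    # same primitives, but no listed type or code
    elif markers["xmldom"] and markers["res_uri"]:
        verdict = "low"       # XMLDOM next to res:// without the error check
    else:
        verdict = "none"
    return {"verdict": verdict, "markers": markers, "res_uris": uris,
            "probed_types": probed, "known_error_codes": known_codes}


# Constructed sample bodies (not captured traffic).
BENIGN = r"""
<script>
var d = new ActiveXObject("Microsoft.XMLDOM");
d.async = false;
d.loadXML("<cfg><theme>dark</theme></cfg>");
</script>
"""

# Old-style IE pages sometimes reference res:// without any XMLDOM probing.
RES_ONLY = r"""
<iframe src="res://ieframe.dll/dnserror.htm"></iframe>
"""

# Probe-like body built from the page's markers; the DOCTYPE wrapper and the
# product path are assumptions used only to exercise the scanner.
PROBE_LIKE = r"""
<script>
function probe(uri) {
  var d = new ActiveXObject("Microsoft.XMLDOM");
  d.async = false;
  d.loadXML('<?xml version="1.0"?><!DOCTYPE x SYSTEM "' + uri + '">');
  return d.parseError.errorCode == 0x80004005;   // file exists
}
var found = probe("res://C:\\Program Files\\ExampleAV\\av.exe/16/1");
</script>
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("res_only", RES_ONLY),
                       ("probe_like", PROBE_LIKE)):
        print(name, scan_response(body)["verdict"])
```

The tiers are deliberately conservative: a legitimate page that uses XMLDOM to parse inline XML, or one that references a res:// HTML resource in an iframe, scores "none", while the combination of all four primitives plus one of the listed type IDs or HRESULTs scores "high". Bodies that have been obfuscated (string-built ActiveX names, split URIs) will not match these regexes; for those, the sandboxed-execution approach that the DDI and MainlineDV filters represent is the better layer.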

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd           v2.0      2.6     LOW        AV:N/AC:H/Au:N/C:P/I:N/A:N
vulncheck               6.5     MEDIUM
cisa                    6.5     MEDIUM
vendor_msrc             6.5     LOW