CVE-2016-3298
Published 2016-10-14
Priority P180 · medium · 6.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-14
Exploited in the wild
EPSS: 32.79% (98.1th percentile)
Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | windows_server_2008 | — | — |
| msrc | internet_explorer_10 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs
- Exploit uses Microsoft.XMLDOM LoadXML() with res:// protocol URIs to probe for file existence; differentiate file-present vs. file-absent by comparing XMLDOM parseError.errorCode values (0x80004005 = file exists, 0x80070485 = file not found)
- TippingPoint MainlineDV filter 27047 detects HTTP-level exploitation: Microsoft Internet Explorer parseError Information Disclosure Vulnerability
- TippingPoint MainlineDV filter 27061 detects HTTP-level exploitation via ActiveX parseError.errorCode invocation
- Trend Micro Deep Discovery Inspector DDI Rule 2358 detects CVE-2017-0022 (closely related successor to CVE-2016-3298) exploitation in HTTP responses
- Exploit was observed in the wild as part of the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit; detections should cover malvertising traffic chains leading to XMLDOM file-probing payloads
- The exploit targets specific Windows resource types via the res:// protocol; the vulnerable resource types are RT_ICON (3), RT_MESSAGETABLE (11), RT_VERSION (16), and RT_MANIFEST (24)
CVSS provenance
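| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
| vulncheck | — | 6.5 | MEDIUM | — |
| cisa | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | LOW | — |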
CISA
Microsoft Internet Explorer Messaging API Information Disclosure Vulnerability
cisa·2022-05-24·CVSS 6.5
CVE-2016-3298 [MEDIUM] CWE-200 Microsoft Internet Explorer Messaging API Information Disclosure Vulnerability
Vulnerability: Microsoft Internet Explorer Messaging API Information Disclosure Vulnerability
Affected: Microsoft Internet Explorer
An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could allow the attacker to test for the presence of files on disk.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-3298
Remediation Due Date: 2022-06-14
Microsoft
Internet Explorer Information Disclosure Vulnerability
vendor_msrc·2016-10-11·CVSS 6.5
CVE-2016-3298 [MEDIUM] Internet Explorer Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.
An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website.
The security update addresses the vulnerability by changing the way Internet Explorer handles objects in memory.
FAQ: I am running Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. Does this mitigate these vulnerabilities?
Yes. By default, Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs i
GHSA
GHSA-9vv9-w57h-m8qw: Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 al
ghsa_unreviewed·2022-05-14
CVE-2016-3298 [MEDIUM] CWE-200 GHSA-9vv9-w57h-m8qw: Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 al
Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."
VulnCheck
Microsoft Internet Explorer Messaging API Information Disclosure Vulnerability
vulncheck·2016·CVSS 6.5
CVE-2016-3298 [MEDIUM] CWE-200 Microsoft Internet Explorer Messaging API Information Disclosure Vulnerability
An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could allow the attacker to test for the presence of files on disk.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2016-Oct; https://www.proofpoint.com/us/threat-insight/post/microsoft-patches-CVE-2016-3298-second-information-disclosure-zero-day; https://web.archive.org/web/20220227045
VulnCheck
Microsoft Internet Explorer and Edge Information Disclosure Vulnerability
vulncheck·2016·CVSS 6.5
CVE-2016-3351 [MEDIUM] CWE-200 Microsoft Internet Explorer and Edge Information Disclosure Vulnerability
An information disclosure vulnerability exists in the way that certain functions in Internet Explorer and Edge handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer.
Affected: Microsoft Internet Explorer and Edge
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2016-Sep; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.proofpoint.com/us/threat-insight/post/Microsoft-Patches-Zero-Day-Exploited-By-AdGholas-GooNky-Malvertising; https://www.proofpoint.com/us/threat-insight/post/microsoft-pa
No detection rules found.
No public exploits indexed.
Trendmicro
CVE-2017-0022 Exploited by AdGholas, Neutrino Patched
blogs_trendmicro·2017-03-24·CVSS 6.5
CVE-2017-0022 [MEDIUM] CVE-2017-0022 Exploited by AdGholas, Neutrino Patched
Exploits & Vulnerabilities
# CVE-2017-0022 Exploited by AdGholas, Neutrino Patched
Part of this month’s Patch Tuesday is an update for a zero-day information disclosure vulnerability (CVE-2017-0022), which we reported to Microsoft in September 2016. This was used in the AdGholas campaign and later integrated into the Neutrino EK
By: Trend Micro
2017/03/24
Part of this month’s Patch Tuesday is an update for a zero-day information disclosure vulnerability (CVE-2017-0022), which we privately reported to Microsoft in September 2016. This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. CVE-2017-0022 likely replaced the similar CVE-2016-3298 and CVE-2016-3351 vulnerabilities from the same cam
Talos
Microsoft Patch Tuesday - October 2016
blogs_talos·2016-10-11·CVSS 5.5
[MEDIUM] Microsoft Patch Tuesday - October 2016
Patch Tuesday has once again arrived! Microsoft's monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today's release sees a total of 10 bulletins with five of the bulletins rated critical and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.
## Bulletins Rated Critical
The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127
MS16-118 and MS16-119 are this month's bulletins for Internet Explorer and Edg
Zscaler
Zscaler found Multiple Security Vulnerabilities | 11-10-2016
blogs_zscaler
- http://www.securityfocus.com/bid/93392
- http://www.securitytracker.com/id/1036992
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-118
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-126
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3298
2016-10-14: Published
2022-05-24: Added to CISA KEV
Exploited in the wild