CVE-2016-3324
Published: 2016-09-14
Priority: P2 · 63 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 28.33% (97.9th percentile)
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| msrc | internet_explorer_10_on_windows_server_2012 | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | internet_explorer_11_on_windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_rt_8.1 | — | — |
| msrc | internet_explorer_11_on_windows_server_2008_r2_for_x64-based_systems_service_pac | — | — |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | — | — |
| msrc | internet_explorer_9_on_windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_vista_service_pack_2 | — | — |
| msrc | internet_explorer_9_on_windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerable CSS property names that trigger the OOB read code path in MSHTML!PROPERTYDESC::HandleStyleComponentProperty: textDecorationBlink, textDecorationLineThrough, textDecorationLineNone, textDecorationOverline, textDecorationUnderline.
- The vulnerable function is MSHTML!PROPERTYDESC::HandleStyleComponentProperty. Monitor for crashes or access violations originating from this symbol when processing CSS properties in Internet Explorer 9–11.
- The exploit uses Heap Feng-Shui via repeated setAttribute/removeAttribute calls followed by style.setProperty on a blink-class CSS property to trigger the OOB read. Look for JS patterns combining setAttribute loops with style.setProperty('textdecorationblink', ...) in the same script.
- The exploit reads the CSS text-decoration computed value via getPropertyValue('text-decoration') to infer OOB memory content. JS that sets a blink-family CSS property and then immediately reads back text-decoration is a behavioral indicator.
- Internet Explorer running in Enhanced Security Configuration (ESC) on Windows Server editions reduces exploitation likelihood, but does not fully mitigate the vulnerability.
- On x86 systems, page-heap padding at the end of the BSTR prevents an access violation, meaning the OOB read may succeed silently and not crash the process. Access-violation-based detection alone is insufficient on x86.
- EMET can help mitigate exploitation of this vulnerability in Internet Explorer when installed and configured to work with Internet Explorer.
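The script-level indicators above can be checked statically over captured page script. The following is an added example, not code from this page or from any vendor: the regexes, the finding labels and both sample scripts are constructed assumptions, and the property names are the ones listed above.

```python
import re

# Property names the page lists as reaching the vulnerable code path.
BLINK_FAMILY = ("textDecorationBlink", "textDecorationLineThrough",
                "textDecorationLineNone", "textDecorationOverline",
                "textDecorationUnderline")
_NAMES = "|".join(BLINK_FAMILY)

# Heuristic patterns (assumptions made for this example).
SET_PROP = re.compile(r"setProperty\s*\(\s*['\"](?:%s)['\"]" % _NAMES, re.I)
READ_BACK = re.compile(
    r"getPropertyValue\s*\(\s*['\"]text-decoration['\"]", re.I)
ATTR_CHURN = re.compile(r"\b(?:setAttribute|removeAttribute)\s*\(")
LOOP = re.compile(r"\b(?:for|while)\s*\(")


def scan_script(src):
    """Return the list of indicators found in one script's source text."""
    findings = []
    set_m = SET_PROP.search(src)
    if not set_m:
        return findings  # every other indicator is only meaningful with the set
    findings.append("blink-family setProperty")
    # Read-back counts only when it appears after the property is set.
    if READ_BACK.search(src, set_m.end()):
        findings.append("text-decoration read-back after set")
    # Attribute add/remove calls inside a script that also contains loops.
    if len(ATTR_CHURN.findall(src)) >= 2 and LOOP.search(src):
        findings.append("attribute churn in loop")
    return findings


# Constructed sample inputs (not captured traffic).
SUSPICIOUS = """
for (var i = 0; i < n; i++) { el.setAttribute('a' + i, v); }
for (var i = 0; i < n; i++) { el.removeAttribute('a' + i); }
el.style.setProperty('textdecorationblink', v);
var out = el.style.getPropertyValue('text-decoration');
"""
BENIGN = """
link.setAttribute('href', url);
link.style.setProperty('text-decoration', 'underline');
var d = getComputedStyle(link).getPropertyValue('text-decoration');
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_script(src))
```

Because the read can succeed without a crash on x86, a script-content check like this complements crash monitoring on the MSHTML symbol rather than replacing it.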
CVSS provenance
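| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 6.0 | MEDIUM | — |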
Microsoft
Internet Explorer Memory Corruption Vulnerability
vendor_msrc·2016-09-13·CVSS 6.0
Description: A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to vie
GHSA
GHSA-72r9-rj28-f4wj: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a craf
ghsa_unreviewed·2022-05-14
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
No detection rules found.
- http://www.securityfocus.com/bid/92809
- http://www.securitytracker.com/id/1036788
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-104
- https://www.exploit-db.com/exploits/40748/
Published: 2016-09-14