CVE-2016-3351
Published 2016-09-14
Priority: P1 | 81 | medium | 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2022-06-14
Exploited in the wild
EPSS: 26.29% (97.7th percentile)
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| msrc | internet_explorer_10 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
- Exploit uses Microsoft.XMLDOM LoadXML() with res:// protocol URIs to probe for existence of local files; differentiate file-present vs. file-absent by observing errorCode 0x80004005 (file exists, invalid DTD) vs. errorCode 0x80070485 (file not found)
- CVE-2016-3351 was exploited in the wild as part of the AdGholas malvertising campaign; network defenders should look for malvertising traffic patterns associated with AdGholas and the Neutrino exploit kit delivering res:// protocol probes via IE/Edge
- Exploit probes for security software and packet capture tools by enumerating local files via res:// protocol; monitor for XMLDOM LoadXML calls containing res:// URIs referencing executable paths in HTTP traffic
- TippingPoint filter 27047 detects HTTP-level parseError information disclosure from Internet Explorer; apply filter to HTTP responses for IE/Edge clients
- TippingPoint filter 27061 detects ActiveX parseError.errorCode invocation over HTTP; apply to HTTP traffic involving IE ActiveX objects
- The res:// protocol file-existence oracle relies on distinguishing two specific XMLDOM error codes; after patching, IsCrossDomainDownload is always set to true, making both cases return 0x80004005 and neutralising the oracle; detection logic based on error-code differentiation is only relevant against unpatched systems
- The exploit targets RT_ICON (3), RT_MESSAGETABLE (11), RT_VERSION (16), and RT_MANIFEST (24) resource types via the res:// protocol; detection rules should account for all four resource type identifiers
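
One way to apply the checks in the list above to decoded HTTP response bodies. This is an added example, not code from the original page or from any vendor; the `res://<path>/#<type>/<id>` URI shape, the function name `inspect_body`, the verdict levels and both sample bodies are assumptions constructed for illustration.

```python
import re

# Resource types the page lists as probed through res:// (numeric type IDs).
PROBED_TYPES = {3: "RT_ICON", 11: "RT_MESSAGETABLE", 16: "RT_VERSION", 24: "RT_MANIFEST"}

XMLDOM_RE = re.compile(r"Microsoft\.XMLDOM", re.I)
LOADXML_RE = re.compile(r"\.loadXML\s*\(", re.I)
ERRCODE_RE = re.compile(r"parseError\s*\.\s*errorCode", re.I)
# Assumed URI shape: res://<binary path>/#<numeric type>/<id>, with '#' possibly
# percent-encoded as %23.
RES_URI_RE = re.compile(r"res://([^\"'<>\r\n]+?\.(?:exe|dll|sys))/(?:#|%23)(\d+)", re.I)


def inspect_body(body: str) -> dict:
    """Score one decoded HTTP response body for the res:// file-probe pattern."""
    targets = [(m.group(1), int(m.group(2))) for m in RES_URI_RE.finditer(body)]
    loader = bool(XMLDOM_RE.search(body)) and bool(LOADXML_RE.search(body))
    reads_error = bool(ERRCODE_RE.search(body))
    if targets and loader and reads_error:
        verdict = "high"      # loader + typed res:// target + error-code read
    elif targets and loader:
        verdict = "medium"    # probe present, error-code read not seen in this body
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "paths": sorted({p for p, _ in targets}),
        "resource_types": sorted({PROBED_TYPES.get(t, f"type {t}") for _, t in targets}),
    }


# Constructed, deliberately non-functional fragment (hypothetical path and names).
SAMPLE_SUSPICIOUS = (
    'var d = new ActiveXObject("Microsoft.XMLDOM");\n'
    'd.loadXML(\'<x ref="res://C:\\\\Program Files\\\\ExampleTool\\\\example.exe/#16/1"/>\');\n'
    'report(d.parseError.errorCode);\n'
)
# Constructed benign page: mentions res:// but has no loader and no typed resource.
SAMPLE_BENIGN = "<p>Error pages load from res://ieframe.dll/dnserror.htm</p>"

if __name__ == "__main__":
    for name, body in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_body(body))
```

The match is on what the server sends, so it does not depend on the error-code difference that patched clients no longer expose.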
CVSS provenance
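| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
| vulncheck | | 6.5 | MEDIUM | |
| cisa | | 6.5 | MEDIUM | |
| vendor_msrc | | 6.5 | HIGH | |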
GHSA
GHSA-p53p-2wmf-238v: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Micros
ghsa_unreviewed·2022-05-14
CVE-2016-3351 [LOW] CWE-200 GHSA-p53p-2wmf-238v: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Micros
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."
VulnCheck
Microsoft Internet Explorer and Edge Information Disclosure Vulnerability
vulncheck·2016·CVSS 6.5
CVE-2016-3351 [MEDIUM] CWE-200 Microsoft Internet Explorer and Edge Information Disclosure Vulnerability
An information disclosure vulnerability exists in the way that certain functions in Internet Explorer and Edge handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer.
Affected: Microsoft Internet Explorer and Edge
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2016-Sep; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.proofpoint.com/us/threat-insight/post/Microsoft-Patches-Zero-Day-Exploited-By-AdGholas-GooNky-Malvertising; https://www.proofpoint.com/us/threat-insight/post/microsoft-pa
CISA
Microsoft Internet Explorer and Edge Information Disclosure Vulnerability
cisa·2022-05-24·CVSS 6.5
CVE-2016-3351 [MEDIUM] CWE-200 Microsoft Internet Explorer and Edge Information Disclosure Vulnerability
Vulnerability: Microsoft Internet Explorer and Edge Information Disclosure Vulnerability
Affected: Microsoft Internet Explorer and Edge
An information disclosure vulnerability exists in the way that certain functions in Internet Explorer and Edge handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-3351
Remediation Due Date: 2022-06-14
Microsoft
Microsoft Browser Information Disclosure Vulnerability
vendor_msrc·2016-09-13·CVSS 6.5
CVE-2016-3351 [MEDIUM] Microsoft Browser Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when affected Microsoft scripting engines do not properly handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability.
In addition, compromised websites and websites that accept or host user-generated content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user in
No detection rules found.
No public exploits indexed.
Qualys
In-Depth Look Into Data-Driven Science Behind Qualys TruRisk
blogs_qualys·2022-10-10
Trendmicro
CVE-2017-0022 Exploited by AdGholas, Neutrino Patched
blogs_trendmicro·2017-03-24·CVSS 6.5
CVE-2017-0022 [MEDIUM] CVE-2017-0022 Exploited by AdGholas, Neutrino Patched
Exploits & Vulnerabilities
# CVE-2017-0022 Exploited by AdGholas, Neutrino Patched
Part of this month’s Patch Tuesday is an update for a zero-day information disclosure vulnerability (CVE-2017-0022), which we reported to Microsoft in September 2016. This was used in the AdGholas campaign and later integrated into the Neutrino EK
By: Trend Micro
2017/03/24
Part of this month’s Patch Tuesday is an update for a zero-day information disclosure vulnerability (CVE-2017-0022), which we privately reported to Microsoft in September 2016. This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. CVE-2017-0022 likely replaced the similar CVE-2016-3298 and CVE-2016-3351 vulnerabilities from the same cam
Zscaler
Zscaler found Multiple Security Vulnerabilities | 09-13-2016
blogs_zscaler
- http://www.securityfocus.com/bid/92788
- http://www.securitytracker.com/id/1036788
- http://www.securitytracker.com/id/1036789
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-104
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-105
- https://www.brokenbrowser.com/detecting-apps-mimetype-malware/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3351
Published: 2016-09-14
Added to CISA KEV: 2022-05-24
Exploited in the wild