CVE-2016-3351
published 2016-09-14


Priority P181 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Flags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (due 2022-06-14)
Exploited in the wild
EPSS: 26.29% (97.7th percentile)
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."

Affected

7 ranges (version range and fixed-in values not shown in this record)

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
msrc | internet_explorer_10 | |
msrc | internet_explorer_11 | |
msrc | internet_explorer_9 | |
msrc | microsoft_edge | |

Detection & IOCs (extracted from sources)

command: res://sFile[/sType]/sID
  • The exploit uses Microsoft.XMLDOM LoadXML() with res:// protocol URIs to probe for the existence of local files; it distinguishes file-present from file-absent by observing errorCode 0x80004005 (file exists, invalid DTD) versus errorCode 0x80070485 (file not found).
  • CVE-2016-3351 was exploited in the wild as part of the AdGholas malvertising campaign; network defenders should look for malvertising traffic patterns associated with AdGholas and the Neutrino exploit kit delivering res:// protocol probes to IE/Edge.
  • The exploit probes for security software and packet capture tools by enumerating local files via the res:// protocol; monitor HTTP traffic for XMLDOM LoadXML calls containing res:// URIs that reference executable paths.
  • TippingPoint filter 27047 detects HTTP-level parseError information disclosure from Internet Explorer; apply the filter to HTTP responses delivered to IE/Edge clients.
  • TippingPoint filter 27061 detects ActiveX parseError.errorCode invocation over HTTP; apply it to HTTP traffic involving IE ActiveX objects.
  • The res:// protocol file-existence oracle relies on distinguishing two specific XMLDOM error codes. After patching, IsCrossDomainDownload is always set to true, so both cases return 0x80004005 and the oracle is neutralised; detection logic based on error-code differentiation is therefore only relevant against unpatched systems.
  • The exploit targets the RT_ICON (3), RT_MESSAGETABLE (11), RT_VERSION (16), and RT_MANIFEST (24) resource types via the res:// protocol; detection rules should account for all four resource type identifiers.

CVSS provenance

nvd (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd (v2.0): 2.6 LOW, AV:N/AC:H/Au:N/C:P/I:N/A:N
vulncheck: 6.5 MEDIUM
cisa: 6.5 MEDIUM
vendor_msrc: 6.5 HIGH