CVE-2016-3387
published 2016-10-14

Priority: P262 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.93% (97.1th percentile)

Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain privileges via unspecified vectors, aka "Microsoft Browser Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3388.

Affected

19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| msrc | internet_explorer_10_on_windows_server_2012 | | |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | | |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | | |
| msrc | internet_explorer_11_on_windows_rt_8.1 | | |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | | |
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | | |

Detection & IOCs (extracted from sources)

process: microsoftedge.exe
other: IEUser_<USERSID>_MicrosoftEdge
other: D:(A;OICI;GA;;;WD)(A;OICI;GA;;;AC)(A;OICI;GA;;;WD)(A;OICI;GA;;;S-1-0-0)
other: S-1-15-2-1-1-1-1-1-1-1-1-1-1-1
other: S-1-16-0
  • Monitor for creation of Windows private namespaces matching the pattern 'IEUser_<SID>_MicrosoftEdge' by processes other than the legitimate Edge/IE browser processes, which may indicate namespace squatting prior to browser launch.
  • Detect use of NtCreateLowBoxToken (ntdll) from non-system processes, especially when combined with impersonation of another user's token, as this is a key step in the PoC exploit chain.
  • Alert on processes enumerating running processes via CreateToolhelp32Snapshot specifically searching for microsoftedge.exe, which may indicate an attacker waiting to plant a malicious namespace before Edge starts.
  • Flag creation of private namespaces with overly permissive DACLs granting GA (Generic All) to WD (Everyone), AC (All Application Packages), and the null SID (S-1-0-0), which is the SDDL used in the exploit PoC.
  • The exploit requires the attacker to plant the malicious namespace BEFORE Edge/IE is started; it does not work against already-running browser instances.
  • The vulnerability by itself does not allow arbitrary code execution; it must be chained with other vulnerabilities (e.g., RCE) to achieve full compromise.
  • The PoC targets Windows 10 10586 / Edge 25.10586.0.0 and was not tested on Windows 8.1 Update 2 or Windows 7; applicability to other platforms should be verified.
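
The DACL check from the fourth detection note can be run over SDDL strings already collected from namespace objects. The following is an added example, not code from this page or from the PoC; the function names are hypothetical, and matching the SID forms of Everyone and All Application Packages and the hex form of Generic All goes beyond the aliases the page lists.

```python
import re

# Trustees named in the detection note, keyed by SDDL alias or SID string.
# The SID-string forms are an assumption added so aliases and raw SIDs both match.
BROAD_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AC": "All Application Packages", "S-1-15-2-1": "All Application Packages",
    "S-1-0-0": "Null SID",
}
GENERIC_ALL = 0x10000000  # numeric form of the SDDL right "GA"

def parse_dacl(sddl):
    """Return the DACL's ACEs as (type, flags, rights, trustee) tuples."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces

def grants_generic_all(rights):
    """True when the rights field is GA or a hex mask with GENERIC_ALL set."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & GENERIC_ALL)
    return "GA" in re.findall("..", rights)

def broad_generic_all(sddl):
    """Names of broad trustees that an allow ACE gives Generic All."""
    return {BROAD_TRUSTEES[t] for typ, _, rights, t in parse_dacl(sddl)
            if typ == "A" and t in BROAD_TRUSTEES and grants_generic_all(rights)}

def matches_poc_dacl(sddl):
    """True when Everyone, All Application Packages and the null SID all get GA."""
    return broad_generic_all(sddl) == set(BROAD_TRUSTEES.values())

# SDDL string listed on this page.
POC_SDDL = "D:(A;OICI;GA;;;WD)(A;OICI;GA;;;AC)(A;OICI;GA;;;WD)(A;OICI;GA;;;S-1-0-0)"
# Constructed for comparison: SYSTEM full control, Everyone read only.
RESTRICTED_SDDL = "D:(A;OICI;GA;;;SY)(A;OICI;GR;;;WD)"

if __name__ == "__main__":
    for s in (POC_SDDL, RESTRICTED_SDDL):
        print(matches_poc_dacl(s), sorted(broad_generic_all(s)))
```
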

CVSS provenance

nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc · 7.5 HIGH