CVE-2016-3387
published 2016-10-14CVE-2016-3387: Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain…
PriorityP262high7.5CVSS 3.0
AVNACHPRNUIRSUCHIHAH
EXPLOIT
EPSS
19.93%
97.1th percentile
Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain privileges via unspecified vectors, aka "Microsoft Browser Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3388.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| msrc | internet_explorer_10_on_windows_server_2012 | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_rt_8.1 | — | — |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | — | — |
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for creation of Windows private namespaces matching the pattern 'IEUser_<SID>_MicrosoftEdge' by processes other than the legitimate Edge/IE browser processes, which may indicate namespace squatting prior to browser launch. ↗
- →Detect use of NtCreateLowBoxToken (ntdll) from non-system processes, especially when combined with impersonation of another user's token, as this is a key step in the PoC exploit chain. ↗
- →Alert on processes enumerating running processes via CreateToolhelp32Snapshot specifically searching for microsoftedge.exe, which may indicate an attacker waiting to plant a malicious namespace before Edge starts. ↗
- →Flag creation of private namespaces with overly permissive DACLs granting GA (Generic All) to WD (Everyone), AC (All Application Packages), and the null SID (S-1-0-0), which is the SDDL used in the exploit PoC. ↗
- ·The exploit requires the attacker to plant the malicious namespace BEFORE Edge/IE is started; it does not work against already-running browser instances. ↗
- ·The vulnerability by itself does not allow arbitrary code execution; it must be chained with other vulnerabilities (e.g., RCE) to achieve full compromise. ↗
- ·The PoC targets Windows 10 10586 / Edge 25.10586.0.0 and was not tested on Windows 8.1 Update 2 or Windows 7; applicability to other platforms should be verified. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Microsoft Browser Elevation of Privilege Vulnerability
vendor_msrc·2016-10-11·CVSS 7.5
CVE-2016-3387 [HIGH] Microsoft Browser Elevation of Privilege Vulnerability
Microsoft Browser Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when affected Microsoft browsers fail to properly secure private namespace. An attacker who successfully exploited this vulnerability could gain elevated permissions on the namespace directory of a vulnerable system and gain elevated privileges.
The vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more other vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.
The update addresses the vulnerability by correcting how Microsoft browsers handle namespace boundaries.
Microsoft Browsers:
GHSA
GHSA-c7mr-44hx-9566: Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2016-3388 [HIGH] GHSA-c7mr-44hx-9566: Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain
Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain privileges via unspecified vectors, aka "Microsoft Browser Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3387.
GHSA
GHSA-65wq-h5m6-882f: Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain
ghsa_unreviewed·2022-05-14·CVSS 5.3
CVE-2016-3387 [MEDIUM] GHSA-65wq-h5m6-882f: Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain
Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain privileges via unspecified vectors, aka "Microsoft Browser Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3388.
No detection rules found.
http://www.securityfocus.com/bid/93381http://www.securitytracker.com/id/1036992http://www.securitytracker.com/id/1036993https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-118https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-119https://www.exploit-db.com/exploits/40607/http://www.securityfocus.com/bid/93381http://www.securitytracker.com/id/1036992http://www.securitytracker.com/id/1036993https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-118https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-119https://www.exploit-db.com/exploits/40607/
2016-10-14
Published