CVE-2016-7287
published 2016-12-20

Priority: P2, 67, high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 68.72% (99.3th percentile)

The scripting engines in Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability."

Affected

18 ranges
Vendor     Product                                                             Version range  Fixed in
microsoft  internet_explorer
msrc       internet_explorer_11_on_windows_10_for_32-bit_systems
msrc       internet_explorer_11_on_windows_10_for_x64-based_systems
msrc       internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems
msrc       internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems
msrc       internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems
msrc       internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems
msrc       internet_explorer_11_on_windows_8.1_for_32-bit_systems
msrc       internet_explorer_11_on_windows_8.1_for_x64-based_systems
msrc       internet_explorer_11_on_windows_rt_8.1
msrc       internet_explorer_11_on_windows_server_2012_r2
msrc       internet_explorer_11_on_windows_server_2016
msrc       microsoft_edge_on_windows_10_for_x64-based_systems
msrc       microsoft_edge_on_windows_10_version_1511_for_32-bit_systems
msrc       microsoft_edge_on_windows_10_version_1511_for_x64-based_systems
msrc       microsoft_edge_on_windows_10_version_1607_for_32-bit_systems
msrc       microsoft_edge_on_windows_10_version_1607_for_x64-based_systems
msrc       microsoft_edge_on_windows_server_2016

Detection & IOCs (extracted from sources)

  • Trigger condition involves overriding Object.defineProperty with a getter that returns a function using rest parameters, then constructing Intl.NumberFormat — look for scripts that redefine Object.defineProperty via defineProperty itself (self-referential property trap)
  • PoC abuses Intl.Collator property definition during Intl.NumberFormat initialization to trigger type confusion; monitor for scripts that reassign the global Intl object and simultaneously call Object.defineProperty on Intl internals
  • The getter in the exploit returns a bit-shifted magic constant (0x1234567 >> 1) as a type-confused value; this value may appear in memory dumps or crash analysis of CVE-2016-7287 exploitation attempts
  • Vulnerability class is Internationalization (Intl) initialization type confusion in Microsoft Edge scripting engine (MS16-144); alert on Edge/IE11 JScript engine crashes or memory corruption during Intl object construction
  • Web-based attack vector: attacker hosts a crafted page exploiting IE/Edge scripting engine; consider inspecting HTTP responses served to IE11/Edge user-agents containing simultaneous use of Object.defineProperty redefinition and Intl.NumberFormat construction
  • ActiveX-based delivery also possible: attacker embeds ActiveX control marked 'safe for initialization' in Office documents hosting IE rendering engine — monitor Office processes spawning IE rendering engine with scripting activity
  • Exploit publicly disclosed (PoC on Exploit-DB as exploit 40948) but Microsoft MSRC assessed exploitation status as 'Publicly Disclosed: No; Exploited: No' at time of patch — treat PoC as a detection reference, not confirmed in-the-wild activity
  • Affects both Microsoft Internet Explorer 11 and Microsoft Edge; detection logic must cover both browsers' scripting engine contexts
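
One way to turn the co-occurrence checks in the bullets above into a content heuristic for HTTP response bodies served to IE11 or legacy Edge clients. This is an added example, not code from this page or from any vendor; the regexes, the function names `scan_script` and `triage`, the rule names, and the sample strings are all assumptions constructed for illustration.

```python
import re

# Heuristic patterns derived from the bullets above (the regexes are this example's own).
SELF_TRAP = re.compile(  # Object.defineProperty(Object, "defineProperty", ...)
    r"""Object\s*\.\s*defineProperty\s*\(\s*Object\s*,\s*(['"])defineProperty\1""")
NUMBER_FORMAT = re.compile(r"\bIntl\s*\.\s*NumberFormat\s*\(")
INTL_REASSIGN = re.compile(r"(?<![\w$])Intl\s*=(?!=)")      # Intl = ... (not == / ===)
INTL_DEFINE = re.compile(r"defineProperty\s*\(\s*Intl\b")   # defineProperty(Intl...
# IE11 announces "Trident/7.0"; legacy Edge announces "Edge/NN" (Chromium Edge uses "Edg/").
AFFECTED_UA = re.compile(r"Trident/7\.0|\bEdge/\d+")


def scan_script(body):
    """Return the names of the co-occurrence rules that fire on a response body."""
    hits = []
    if SELF_TRAP.search(body) and NUMBER_FORMAT.search(body):
        hits.append("defineProperty-self-trap+NumberFormat")
    if INTL_REASSIGN.search(body) and INTL_DEFINE.search(body):
        hits.append("Intl-reassign+defineProperty-on-Intl")
    return hits


def triage(user_agent, body):
    """Report hits only for responses served to IE11 or legacy Edge clients."""
    return scan_script(body) if AFFECTED_UA.search(user_agent) else []


# Constructed samples: token skeletons for the matcher, not working script.
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
FLAGGED = "Object.defineProperty(Object, 'defineProperty', d); new Intl.NumberFormat();"
BENIGN = ("Object.defineProperty(exports, '__esModule', {value: true});"
          "var f = new Intl.NumberFormat('en-US');")

if __name__ == "__main__":
    for ua, body in [(IE11_UA, FLAGGED), (EDGE_UA, FLAGGED),
                     (IE11_UA, BENIGN), (CHROME_UA, FLAGGED)]:
        print(triage(ua, body) or "clean")
```

Plain regex matching misses minified or string-built script, so a hit is a triage signal to pair with crash telemetry rather than a verdict.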

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.0     7.5    HIGH      CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     7.6    HIGH      AV:N/AC:H/Au:N/C:C/I:C/A:C
vendor_msrc           4.2    MEDIUM