A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
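The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. Note that although this description names Internet Explorer, the affected-software data in this record lists only Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1511 (32-bit and x64-based systems), fixed by KB3163018, and the NVD entry and the MS16-068 scanner check quoted in the record likewise identify Microsoft Edge as the affected product.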
{"id": "MS:CVE-2016-3222", "bulletinFamily": "microsoft", "title": "Scripting Engine Memory Corruption Vulnerability", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. 
These websites could contain specially crafted content that could exploit the vulnerability.\n\nThe security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.\n", "published": "2016-06-14T07:00:00", "modified": "2016-06-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2016-3222", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2016-3222"], "immutableFields": [], "type": "mscve", "lastseen": "2021-12-06T18:25:26", "edition": 1, "viewCount": 3, "enchantments": {"backreferences": {"references": [{"idList": ["CISA:574A6E25827684C587359C37EF1D5132"], "type": "cisa"}, {"idList": ["KB3163656"], "type": "mskb"}, {"idList": ["CPAI-2016-0435"], "type": "checkpoint_advisories"}, {"idList": ["CVE-2016-3222"], "type": "cve"}, {"idList": ["1337DAY-ID-26483"], "type": "zdt"}, {"idList": ["SMNTC-91094"], "type": "symantec"}, {"idList": ["THREATPOST:2C2827FBF9D900F4194802CE8C471B4C"], "type": "threatpost"}, {"idList": ["ZDI-16-371"], 
"type": "zdi"}, {"idList": ["SMB_NT_MS16-068.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:1361412562310808225"], "type": "openvas"}]}, "dependencies": {"references": [{"idList": ["KB3163656"], "type": "mskb"}, {"idList": ["CPAI-2016-0435"], "type": "checkpoint_advisories"}, {"idList": ["CVE-2016-3222"], "type": "cve"}, {"idList": ["KLA10829"], "type": "kaspersky"}, {"idList": ["1337DAY-ID-26483"], "type": "zdt"}, {"idList": ["SMNTC-91094"], "type": "symantec"}, {"idList": ["ZDI-16-371"], "type": "zdi"}, {"idList": ["SMB_NT_MS16-068.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:1361412562310808225"], "type": "openvas"}], "rev": 4}, "exploitation": null, "score": {"value": 1.6, "vector": "NONE"}, "vulnersScore": 1.6}, "kbList": ["KB3163018", "KB3156421"], "msrc": "", "mscve": "CVE-2016-3222", "msAffectedSoftware": [{"kb": "KB3163018", "kbSupersedence": "KB3156421", "msplatform": "Windows 10 Version 1511 for x64-based Systems", "name": "microsoft edge (edgehtml-based)", "operator": "", "version": ""}, {"kb": "KB3163018", "kbSupersedence": "KB3156421", "msplatform": "Windows 10 Version 1511 for 32-bit Systems", "name": "microsoft edge (edgehtml-based)", "operator": "", "version": ""}], "vendorCvss": {"baseScore": "", "temporalScore": "", "vectorString": ""}, "_state": {"dependencies": 1647589307, "score": 1659749172}}
{"checkpoint_advisories": [{"lastseen": "2021-12-17T11:41:49", "description": "A memory corruption vulnerability has been reported in Microsoft Edge. The vulnerability is due to improper handling of objects in memory. A remote attacker could exploit the vulnerability by enticing the target user to open a specially crafted web page. Successful exploitation could lead to arbitrary code execution in the security context of the target user.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Edge Memory Corruption (MS16-068: CVE-2016-3222)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3222"], "modified": "2016-09-06T00:00:00", "id": "CPAI-2016-0435", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:04:59", "description": "### Description\n\nMicrosoft Edge is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. 
Attackers can take advantage of this vulnerability to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Edge \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2016-06-14T00:00:00", "type": "symantec", "title": "Microsoft Edge CVE-2016-3222 Scripting Engine Remote Memory Corruption Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-3222"], "modified": "2016-06-14T00:00:00", "id": "SMNTC-91094", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/91094", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T13:19:24", "description": "Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"Microsoft Edge Memory Corruption Vulnerability.\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-16T01:59:00", "type": "cve", "title": "CVE-2016-3222", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3222"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/a:microsoft:edge:-"], "id": 
"CVE-2016-3222", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3222", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-02-06T05:12:25", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2016-12-06T00:00:00", "type": "zdt", "title": "Microsoft Edge - CBase\u00adScriptable::Private\u00adQuery\u00adInterface Memory Corruption (MS16-068) Vulnerabilit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-3222"], "modified": "2016-12-06T00:00:00", "id": "1337DAY-ID-26483", "href": "https://0day.today/exploit/description/26483", "sourceData": "Source: http://blog.skylined.nl/20161205001.html\r\n \r\nSynopsis\r\n \r\nA specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Edge. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.\r\n \r\nKnown affected software and attack vectors\r\n \r\nMicrosoft Edge\r\n \r\nAn attacker would need to get a target user to open a specially crafted web-page. Disabling Java\u00adScript does not prevent an attacker from triggering the vulnerable code path.\r\n \r\nDiscovery\r\n \r\nThis issue was found through fuzzing in the 64-bit version of Microsoft Edge, in which the original repro triggered what appeared to be a NULL pointer dereference in CBase\u00adScriptable::Private\u00adQuery\u00adInterface. So, after a very brief look at the repro, I filed a bug in the public bug tracker and published it on twitter. The original repro was:\r\n \r\n<body onload=typeof(open().crypto)>\r\n \r\nSoon after, I found another repro that trigger a slightly different NULL pointer dereference in CBase\u00adScriptable::Private\u00adQuery\u00adInterface in a 64-bit version of Edge. 
The second repro was:\r\n \r\n<body onload=typeof(open().ms\u00adCredentials)>\r\n \r\nI never tested the these two repros in a 32-bit version of Edge before publishing them, which I immediately regretted after finding that the second repro triggered an access violation using the obviously non-NULL address 0x1BF37D8 in a 32-bit version of Edge!\r\n \r\nAround this time, I started finding many variations of this bug: getting the type of various properties or objects associated with another window was triggering all kinds of access violations. Many of these were not using NULL pointers on 32-bit Edge. I collected all the variations my fuzzers had found and come up with these additional repros:\r\n \r\n<body onload=typeof(open().document.create\u00adElement(\"canvas\").get\u00adContext(\"2d\"))>\r\n \r\nThis triggered an access violation in edgehtml.dll!CBase\u00adScriptable::Private\u00adQuery\u00adInterface while attempting to read from address 0x4C261 in the 32-bit version of Edge.\r\n \r\n<body onload=typeof(open().navigator.media\u00adDevices)>\r\n \r\nThis triggered an access violation in charkra.dll!Thread\u00adContext::Pre\u00adSweep\u00adCallback while attempting to read from address 0x\u00adFF80A90F in the 32-bit version of Edge.\r\n \r\n<body onload=typeof(open().to\u00adString)>\r\n \r\nThis triggered an assertion failure because it was calling a deprecated API in the 32-bit version of Edge.\r\n \r\nI looked again at the original crypto repro and noticed that although it triggered an access violation using a NULL pointer on both 32-bit and 64-bit versions of Edge, the two addresses (3 and 8 respectively) had different alignment. 
This is rather odd: true NULL pointer dereferences can cause an access violation at a different offset from NULL on these two architectures because property values and pointers stored before the one being read/written can have different sizes on 32-bit and 64-bit systems, but one usually expects them to have similar alignment: the last two bits of the address should be the same.\r\n \r\nReport\r\n \r\nIf only I had tested the original repro in a 32-bit version of Edge when I first analyzed the issue, I might have realized it was more than a simple NULL pointer and not published it before doing additional research.\r\n \r\nI contacted ZDI and asked if they would be interested in buying the vulnerability at this point, given that I publicly released the repro that triggered a NULL pointer and filed it with Microsoft. I was hoping they would decide that this did not disclose the underlying vulnerability and that it as such would still be a 0-day. Unfortunately for me, they were not interested in acquiring details in this situation.\r\n \r\nAt that point I decided to contact the Microsoft Security Response Center and report the additional information I had found. I also contacted a few people working on the Edge team at Microsoft directly to let them know they might want to escalate this bug from a simple NULL pointer to a security vulnerability. Unfortunately, this let them to decided to mark the bug I had filed in the Edge bug tracker as hidden. I warned them that this did little good, as the details were still public in my twitter and even if I deleted that, in general what goes on the internet stays on the internet.\r\n \r\nAnalysis\r\n \r\nSince I had publicly released the repro, I was not going to be seeing any kind of reward for this bug, so analyzing the issue was not a priority for me. 
Unfortunately that meant I did not analyze it at all, other than to speculate that this bug was likely to have been a type-confusion or bad cast, where assembled code was used as data, leading to most of these repros triggering an access violation at a static address that depended on the code they were using as data. It may therefore be possible to find a variation that uses code that represents an address in the address space of Edge where an attacker might store data under his/her control. This is especially true for 32-bit Edge, as the address space is a lot smaller. Depending on what the code does with the address, it might be possible to execute arbitrary code under perfect circumstances.\r\n \r\nOn Hiding bugs in public bug trackers\r\n \r\nHiding a publicly reported bug after the fact is a very bad idea IMHO, as it paints an easy to detect target on the bug. Every smart attacker should have a system that makes regular copies of all publicly reported bugs in target applications and reports to their owner all bugs that become hidden, with a copy of all the information it scraped from the bug before it was hidden. Since hiding a public bug only ever happens for one of two reasons: the bug was found to be a security issue, or the report accidentally contains personal information that the owner wants hidden. It should be quite easy to distinguish between the two to filter out the vulnerabilities, giving an attacker a nearly free stream of nearly 0-day bugs. If you work on a team that has a public bug-tracker, you may want to discuss this with your team and decided how to handle such situations.\r\n \r\nConclusion\r\n \r\nAs useful as Bug\u00adId is in automating a lot of the analysis I do on every bug I find, and in helping me prioritize the issues that are most likely to be vulnerabilities, it is not perfect and cannot always detect a vulnerability for what it is. 
Bug\u00adId is not a perfect replacement for full manual analysis of bugs.\r\n \r\nIn this case I relied to heavily on its ability to distinguish vulnerabilities from other bugs. Because of the nature of this issue, the repros caused access violations at static addresses, many of which near enough to NULL to be interpreted as NULL pointer dereferences, especially for the first repro I found. Bug\u00adId can not actually determine the root cause of a crash, but attempts to deduce the root cause based on the details of the crash it causes. In this case, the crash looked too similar to a regular NULL pointer dereference for Bug\u00adId to detect it as anything else.\r\n \r\nHowever, in my current situation, where I am finding way more bugs than I can analyze manually, Bug\u00adId does a very good job at helping me prioritize and analyze issues. I have used Bug\u00adId on hundreds of bugs and, as far as I know, this is the first time I mistook a security vulnerability for a regular bug based on the Bug\u00adId report. As such, the false-negative rate I have experienced is a fraction of a percent, which IMHO is remarkably low and entirely acceptable. At the same time, the false-positive rate I have seen so far is exactly zero.\r\n \r\nIn order to prevent this from happening in the future, I now test each repro in both the 32-bit and 64-bit version of Edge, do more manual analysis on bugs that get reported as a NULL pointer with a non-DWORD-aligned address (e.g. 
3 in this case), and wait slightly longer for my fuzzers to find variations of a bug before I start my analysis and report the issue as a non-security bug.\r\n \r\nTime-line\r\n29 April 2016: This vulnerability was first found through fuzzing.\r\n10 May 2016: This issue was published on Twitter and reported to Microsoft.\r\n13 May 2016: This vulnerability was submitted to ZDI.\r\n18 May 2016: This vulnerability was declined by ZDI.\r\n18 May 2016: This vulnerability was reported to MSRC and I informed Edge developers directly on the seriousness of the bug.\r\n18 May 2016: The issue was hidden in public bug tracker.\r\n14 June 2016: Microsoft addresses this vulnerability in MS16-068.\r\nDecember 2016: Details of this vulnerability are released.\n\n# 0day.today [2018-02-06] #", "sourceHref": "https://0day.today/exploit/26483", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2022-01-31T21:20:52", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of CBaseScriptable::PrivateQueryInterface. By performing certain operations in script, an attacker can cause Microsoft Edge to read uninitialized data from a memory location on the stack. 
An attacker can leverage this to execute code under the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-22T00:00:00", "type": "zdi", "title": "Microsoft Edge CBaseScriptable PrivateQueryInterface Uninitialized Memory Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3222"], "modified": "2016-06-22T00:00:00", "id": "ZDI-16-371", "href": "https://www.zerodayinitiative.com/advisories/ZDI-16-371/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T16:39:06", "description": "The version of Microsoft Edge installed on the remote Windows host is missing Cumulative Security Update 3163656. It is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists due to a failure to properly validate specially crafted documents. An unauthenticated, remote attacker can exploit this vulnerability by convincing a user to load a page or visit a website containing malicious content, allowing the attacker to bypass the Edge Content Security Policy (CSP). 
(CVE-2016-3198)\n\n - Multiple remote code execution vulnerabilities exist in the Chakra JavaScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website or open a specially crafted Microsoft Office document that hosts the Edge rendering engine, resulting in the execution of arbitrary code in the context of the current user.\n (CVE-2016-3199, CVE-2016-3202, CVE-2016-3214, CVE-2016-3222)\n\n - Multiple information disclosure vulnerabilities exist due to improper parsing of .pdf files. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted .pdf file, resulting in the disclosure of sensitive information in the context of the current user. (CVE-2016-3201, CVE-2016-3215)\n\n - A remote code execution vulnerability exists due to improper parsing of .pdf files. An unauthenticated, remote attacker can exploit this vulnerability by convincing a user to open a specially crafted .pdf file, resulting in the execution of arbitrary code in the context of the current user. 
(CVE-2016-3203)\n\nNote that CVE-2016-3214, CVE-2016-3215, and CVE-2016-3222 only affect Windows 10 version 1511.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-06-14T00:00:00", "type": "nessus", "title": "MS16-068: Cumulative Security Update for Microsoft Edge (3163656)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3198", "CVE-2016-3199", "CVE-2016-3201", "CVE-2016-3202", "CVE-2016-3203", "CVE-2016-3214", "CVE-2016-3215", "CVE-2016-3222"], "modified": "2019-11-19T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS16-068.NASL", "href": "https://www.tenable.com/plugins/nessus/91597", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91597);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/19\");\n\n script_cve_id(\n \"CVE-2016-3198\",\n \"CVE-2016-3199\",\n \"CVE-2016-3201\",\n \"CVE-2016-3202\",\n \"CVE-2016-3203\",\n \"CVE-2016-3214\",\n \"CVE-2016-3215\",\n \"CVE-2016-3222\"\n );\n script_bugtraq_id(\n 91086,\n 91087,\n 91090,\n 91092,\n 91093,\n 91094,\n 91112\n );\n 
script_xref(name:\"MSFT\", value:\"MS16-068\");\n script_xref(name:\"MSKB\", value:\"3163017\");\n script_xref(name:\"MSKB\", value:\"3163018\");\n\n script_name(english:\"MS16-068: Cumulative Security Update for Microsoft Edge (3163656)\");\n script_summary(english:\"Checks the file version of edgehtml.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web browser installed that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is\nmissing Cumulative Security Update 3163656. It is, therefore, affected\nby multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists due to a\n failure to properly validate specially crafted\n documents. An unauthenticated, remote attacker can\n exploit this vulnerability by convincing a user to load\n a page or visit a website containing malicious content,\n allowing the attacker to bypass the Edge Content\n Security Policy (CSP). (CVE-2016-3198)\n\n - Multiple remote code execution vulnerabilities exist in\n the Chakra JavaScript engine due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit these vulnerabilities by convincing a user\n to visit a specially crafted website or open a specially\n crafted Microsoft Office document that hosts the Edge\n rendering engine, resulting in the execution of\n arbitrary code in the context of the current user.\n (CVE-2016-3199, CVE-2016-3202, CVE-2016-3214,\n CVE-2016-3222)\n\n - Multiple information disclosure vulnerabilities exist\n due to improper parsing of .pdf files. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities by convincing a user to open a specially\n crafted .pdf file, resulting in the disclosure of\n sensitive information in the context of the current\n user. 
(CVE-2016-3201, CVE-2016-3215)\n\n - A remote code execution vulnerability exists due to\n improper parsing of .pdf files. An unauthenticated,\n remote attacker can exploit this vulnerability by\n convincing a user to open a specially crafted .pdf file,\n resulting in the execution of arbitrary code in the\n context of the current user. (CVE-2016-3203)\n\nNote that CVE-2016-3214, CVE-2016-3215, and CVE-2016-3222 only affect\nWindows 10 version 1511.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-068\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3222\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS16-068';\nkbs = make_list('3163018', '3163017');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\n# Server core is not affected\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n# Windows 10\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"edgehtml.dll\", version:\"11.0.10586.420\", min_version:\"11.0.10586.0\", dir:\"\\system32\", bulletin:bulletin, kb:\"3163018\") ||\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"edgehtml.dll\", version:\"11.0.10240.16942\", dir:\"\\system32\", bulletin:bulletin, kb:\"3163017\")\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:51:02", "description": "<html><body><p>Resolves a vulnerability in Microsoft Edge that could allow remote code execution if a user views a specially crafted webpage in Microsoft 
Edge.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves multiple vulnerabilities in Microsoft Edge. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Microsoft Edge. To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-068\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-068</a>. <span></span></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Windows Update</h3>This update is available through Windows Update and Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see the \"Turn on automatic updating in Control Panel\" section of <a href=\"https://technet.microsoft.com/library/security/ms16-068\" id=\"kb-link-3\" target=\"_self\">Microsoft Security Bulletin MS16-068</a>.</div><h2></h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">More information about this security update</h3>The following articles contain more information about this security update:<ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/3163017\" id=\"kb-link-4\">3163017 </a> Cumulative update for Windows 10: June 14, 2016 </li><li><a href=\"https://support.microsoft.com/en-us/help/3163018\" id=\"kb-link-5\">3163018 </a> Cumulative update for Windows 10, Windows 10 version 1511, and Windows Server 2016: June 14, 2016</li></ul><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment 
information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\">Windows 10 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference Table</h5>The following table contains the security update information for this software. <div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3163017-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB</span><span class=\"text-base\">3163017</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3163018-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB</span><span class=\"text-base\">3163018</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-6\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. 
If this behavior occurs, a message appears that advises you to restart.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under See also, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3163017\" id=\"kb-link-7\" target=\"_self\">Microsoft Knowledge Base Article 3163017</a><br/>See <a href=\"https://support.microsoft.com/help/3163018\" id=\"kb-link-8\" target=\"_self\">Microsoft Knowledge Base Article 3163018</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to get help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-9\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for 
IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-10\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-11\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-12\" target=\"_self\">International Support</a></div><br/></span></div></div></div></div></body></html>", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-14T00:00:00", "type": "mskb", "title": "MS16-068: Cumulative security update for Microsoft Edge: June 14, 2016", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3222", "CVE-2016-3199", "CVE-2016-3215", "CVE-2016-3202", "CVE-2016-3203", "CVE-2016-3214", "CVE-2016-3198", "CVE-2016-3201"], "modified": "2016-06-14T17:04:18", "id": "KB3163656", "href": "https://support.microsoft.com/en-us/help/3163656/", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-08T13:58:14", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-068.", "cvss3": {}, "published": "2016-06-15T00:00:00", "type": "openvas", "title": "Microsoft Edge Multiple Vulnerabilities (3163656)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3222", "CVE-2016-3199", "CVE-2016-3215", "CVE-2016-3202", "CVE-2016-3203", "CVE-2016-3214", "CVE-2016-3198", "CVE-2016-3201"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310808225", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808225", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Edge Multiple Vulnerabilities (3163656)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808225\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2016-3198\", \"CVE-2016-3199\", \"CVE-2016-3201\", \"CVE-2016-3202\",\n \"CVE-2016-3203\", \"CVE-2016-3214\", \"CVE-2016-3215\", \"CVE-2016-3222\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-06-15 08:30:23 +0530 (Wed, 15 Jun 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Edge Multiple Vulnerabilities (3163656)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-068.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - when the Edge Content Security Policy (CSP) fails to properly validate\n certain specially crafted documents.\n\n - when improperly handle objects in memory in Microsoft Edge.\n\n - when a user opens a specially crafted .pdf file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to trick a user into loading a page containing malicious content,\n to trick the user into opening the .pdf file and read information in the context\n of the current user and to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"- 
Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3163018\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3163017\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-068\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_microsoft_edge_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Edge/Installed\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgedllVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgedllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1) > 0)\n{\n if(version_is_less(version:edgedllVer, test_version:\"11.0.10240.16942\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.16942\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:edgedllVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.419\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.419\";\n VULN = TRUE ;\n }\n}\n\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\edgehtml.dll\" + '\\n' +\n 'File version: ' + edgedllVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": 
"2021-08-18T11:20:57", "description": "### *Detect date*:\n06/14/2016\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Edge. Malicious users can exploit these vulnerabilities to bypass security restrictions, perform privilege escalation, execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Edge \nMicrosoft Internet Explorer versions 9 through 11\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3207](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3207>) \n[CVE-2016-3206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3206>) \n[CVE-2016-3205](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3205>) \n[CVE-2016-3215](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3215>) \n[CVE-2016-3214](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3214>) \n[CVE-2016-3213](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3213>) \n[CVE-2016-3212](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3212>) \n[CVE-2016-3211](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3211>) \n[CVE-2016-3210](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3210>) \n[CVE-2016-3203](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3203>) \n[CVE-2016-3202](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3202>) \n[CVE-2016-3201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3201>) \n[CVE-2016-3199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3199>) 
\n[CVE-2016-3198](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3198>) \n[CVE-2016-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0199>) \n[CVE-2016-0200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0200>) \n[CVE-2016-3222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3222>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *CVE-IDS*:\n[CVE-2016-3207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3207>)7.6Critical \n[CVE-2016-3206](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3206>)7.6Critical \n[CVE-2016-3205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3205>)7.6Critical \n[CVE-2016-3215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3215>)4.3Warning \n[CVE-2016-3214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3214>)9.3Critical \n[CVE-2016-3213](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3213>)9.3Critical \n[CVE-2016-3212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3212>)4.3Warning \n[CVE-2016-3211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3211>)9.3Critical \n[CVE-2016-3210](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3210>)9.3Critical \n[CVE-2016-3203](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3203>)9.3Critical \n[CVE-2016-3202](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3202>)7.6Critical \n[CVE-2016-3201](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3201>)4.3Warning \n[CVE-2016-3199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3199>)9.3Critical \n[CVE-2016-3198](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3198>)4.3Warning \n[CVE-2016-0199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0199>)9.3Critical 
\n[CVE-2016-0200](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0200>)9.3Critical \n[CVE-2016-3222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3222>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3163017](<http://support.microsoft.com/kb/3163017>) \n[3163018](<http://support.microsoft.com/kb/3163018>) \n[3160005](<http://support.microsoft.com/kb/3160005>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-14T00:00:00", "type": "kaspersky", "title": "KLA10829 Multiple vulnerabilities in Microsoft Edge and Internet Explorer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0199", "CVE-2016-0200", "CVE-2016-3198", "CVE-2016-3199", "CVE-2016-3201", "CVE-2016-3202", "CVE-2016-3203", "CVE-2016-3205", "CVE-2016-3206", "CVE-2016-3207", "CVE-2016-3210", "CVE-2016-3211", "CVE-2016-3212", "CVE-2016-3213", "CVE-2016-3214", "CVE-2016-3215", "CVE-2016-3222"], "modified": "2020-06-18T00:00:00", "id": "KLA10829", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10829/", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}