Cumulative Security Update for JScript and VBScript

Published: 2016-07-12

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2016-3204
CWE-ID	CWE-119
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system Microsoft Internet Explorer Client/Desktop applications / Web browsers
Vendor	Microsoft

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Memory corruption in JScript and VBScript

EUVDB-ID: #VU140

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-3204

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error in JScript and VBScript engines render when handling objects in memory in Internet Explorer. A remote attacker can trick a victim to visit malicious webpage and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability will allow an attacker to gain control over affected system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Windows: Vista

Windows Server: 2008

Microsoft Internet Explorer: 9 - 11

CPE2.3

External links

https://technet.microsoft.com/en-us/library/security/MS16-086
https://technet.microsoft.com/en-us/library/security/ms16-084.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.