#VU1148 Memory Corruption in Microsoft Edge and Microsoft Internet Explorer - CVE-2016-7241
Vulnerability identifier: #VU1148
Vulnerability risk: High
CVSSv4.0: 7.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Microsoft Edge
Client/Desktop applications /
Web browsers
Microsoft Internet Explorer
Client/Desktop applications /
Web browsers
Vendor: Microsoft
Description
A remote attacker can execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of objects in memory. A remote attacker can create a specially crafted web page, trick the victim to open it in browser and cause memory corruption.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on vulnerable system with privileges of the current user.
Mitigation
Windows 10 for 32-bit Systems:
https://support.microsoft.com/kb/3198585
Windows 10 for x64-based Systems:
https://support.microsoft.com/kb/3198585
Windows 10 Version 1511 for 32-bit Systems:
https://support.microsoft.com/kb/3198586
Windows 10 Version 1511 for x64-based Systems:
https://support.microsoft.com/kb/3198586
Windows 10 Version 1607 for 32-bit Systems:
https://support.microsoft.com/kb/3200970
Windows 10 Version 1607 for x64-based Systems:
https://support.microsoft.com/kb/3200970
Windows Server 2016 for x64-based Systems:
https://support.microsoft.com/kb/3200970
Vulnerable software versions
Microsoft Edge: All versions
Microsoft Internet Explorer: 11
External links
https://technet.microsoft.com/library/security/MS16-129
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
