CVE-2016-0162
Published: 12 April 2016
Summary
CVE-2016-0162 is a medium-severity vulnerability, of an unspecified weakness type, in Microsoft Internet Explorer. Its CVSS base score is 4.3 (Medium).
Operationally, it is ranked in the top 2.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AU-13 (Monitoring for Information Disclosure).
Deeper analysis
Microsoft Internet Explorer versions 9 through 11 are affected by an information disclosure vulnerability that permits remote attackers to determine the existence of files on a target system through the use of specially crafted JavaScript code. The issue is tracked as CVE-2016-0162 with a CVSS v3 base score of 4.3 and is described by Microsoft as the "Internet Explorer Information Disclosure Vulnerability."
An unauthenticated remote attacker can exploit the flaw when a user visits a malicious or compromised website containing the crafted script. Successful exploitation reveals limited information about file presence without requiring user interaction beyond normal browsing, though it does not allow direct code execution or modification of data.
Microsoft security bulletin MS16-037 addresses the vulnerability and supplies the corresponding security updates for affected versions of Internet Explorer. The bulletin outlines patch installation as the primary mitigation step along with standard guidance on applying updates promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-0200
Vulnerability details
Microsoft Internet Explorer 9 through 11 allows remote attackers to determine the existence of files via crafted JavaScript code, aka "Internet Explorer Information Disclosure Vulnerability."
- CWE(s)
- KEV Date Added: 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor security update that eliminates the IE information-disclosure flaw.
Restricts or authorizes mobile code (JavaScript) that the attacker uses to probe for file existence.
Monitors for anomalous information disclosure that would result from successful exploitation of the crafted script.