CVE-2016-0189
Published: 11 May 2016
Summary
CVE-2016-0189 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a memory corruption flaw, tracked as CVE-2016-0189 and assigned CWE-787, that affects the Microsoft JScript 5.8 and VBScript 5.7/5.8 scripting engines used in Internet Explorer 9 through 11 and other products. It arises from improper handling of crafted content that can trigger out-of-bounds writes, distinct from the related CVE-2016-0187 issue.
Remote attackers can exploit the flaw by serving a malicious web page to a victim, achieving arbitrary code execution or a denial-of-service condition when the scripting engine processes the content. Successful exploitation requires user interaction such as visiting the site, consistent with the CVSS vector AV:N/AC:H/PR:N/UI:R.
Microsoft addressed the issue in security bulletins MS16-051 and MS16-053, which include patches for the affected JScript and VBScript components in Internet Explorer. Public exploit code for the vulnerability has been published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-0226
Vulnerability details
The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a…
more
crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187.
- CWE(s)
- KEV Date Added
- 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patches in MS16-051/MS16-053 that eliminate the out-of-bounds write in the JScript/VBScript engines.
Establishes usage restrictions and configuration requirements for mobile code (JavaScript/VBScript) that is the attack vector for this crafted-web-page exploit.
Implements memory-protection mechanisms that can block the unauthorized code execution resulting from the CWE-787 out-of-bounds write.