CVE-2016-3351
Published: 14 September 2016
Summary
CVE-2016-3351 is a medium-severity an unspecified weakness vulnerability in Microsoft Internet Explorer. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 2.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
Microsoft Internet Explorer 9 through 11 and Microsoft Edge are affected by an information disclosure vulnerability tracked as CVE-2016-3351. The flaw permits remote attackers to obtain sensitive information from a victim by serving a specially crafted web site, as described in the NVD entry with a CVSS 3.1 base score of 6.5 reflecting network attack vector, low complexity, no required privileges, and required user interaction.
An unauthenticated remote attacker can exploit the issue by convincing a user to visit a malicious web page under the attacker's control. Successful exploitation results in disclosure of sensitive browser or system information while leaving integrity and availability unaffected.
Microsoft addressed the vulnerability through security bulletins MS16-104 and MS16-105, which are referenced in the available advisories along with related tracking entries on SecurityFocus and SecurityTracker. No further details on exploitation in the wild or additional mitigations are provided in the source data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-4382
Vulnerability details
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."
- CWE(s)
- KEV Date Added
- 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of the vendor patches (MS16-104/105) that eliminate the browser information disclosure flaw.
Enforces malicious-code protections such as URL filtering and script blocking that stop a user from reaching the crafted site used to trigger CVE-2016-3351.
Explicitly requires monitoring for information disclosure events that would result from successful exploitation of the browser flaw.