Low severity (2.5) · NVD Advisory · Published Aug 9, 2016 · Updated May 6, 2026

CVE-2016-3321

Description

Internet Explorer 10 and 11 disclose whether a local file exists via differential behavior of file:// URLs in sandboxed iframes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Microsoft Internet Explorer 10 and 11 exhibit different behavior when loading file:// URLs depending on whether the target file exists. For an existing file, Internet Explorer displays an error dialog; for a non-existent file, it attempts to open res://ieframe.dll/dnserrordiagoff.htm, which may be blocked by the pop-up blocker [2][3]. This differential behavior can be leveraged through an HTML5 sandbox iframe, which suppresses the dialog but still allows the attacker to observe the outcome (e.g., whether a pop-up is blocked). The vulnerability affects Internet Explorer 10 and 11; older versions do not support the HTML5 sandbox [2][3].

Exploitation

An attacker must have local access to the target system or be able to serve content from a network share (with Internet zone Mark of the Web) [2][3]. The attacker creates a webpage containing an HTML5 sandbox iframe that points to a file:// URL. Because the sandbox suppresses the error dialog, the attacker can detect whether the file exists by monitoring for pop-up blocker activity or other observable side effects [2][3]. No user interaction beyond opening the page is required, but the attack cannot be performed from a remote website because file:// URLs are blocked in the Internet zone [2][3].
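For triage of HTML files found on shares or saved locally, the markup pattern described above can be flagged statically. The following is an added example, not code from this advisory or from Microsoft; the function name and the sample HTML are constructed for illustration, and the check only sees static markup, not iframes created by script.

```python
import sys
from html.parser import HTMLParser


class SandboxedFileFrameFinder(HTMLParser):
    """Collect <iframe> elements that carry a sandbox attribute and a file: src."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (line_number, src)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "iframe":
            return
        attr = {name: (value or "") for name, value in attrs}
        if "sandbox" not in attr:  # bare "sandbox" arrives with value None
            return
        src = attr.get("src", "").strip()
        if src.lower().startswith("file:"):
            line, _col = self.getpos()
            self.findings.append((line, src))


def find_sandboxed_file_frames(html_text):
    """Return (line, src) for every sandboxed iframe pointing at a file: URL."""
    finder = SandboxedFileFrameFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample input; paths and host are placeholders.
SAMPLE_HTML = """<!doctype html>
<html><body>
<iframe sandbox src="file:///C:/example/placeholder.txt"></iframe>
<iframe src="file:///C:/example/not-sandboxed.txt"></iframe>
<IFRAME SANDBOX="allow-scripts" SRC="FILE:///C:/example/other.txt"></iframe>
<iframe sandbox src="https://example.test/page.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    # Scan files named on the command line, or the embedded sample if none.
    paths = sys.argv[1:]
    docs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    for name, text in docs or [("<sample>", SAMPLE_HTML)]:
        for line, src in find_sandboxed_file_frames(text):
            print(f"{name}:{line}: sandboxed iframe loads {src}")
```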

Impact

Successful exploitation allows a local attacker to enumerate the existence of files on the system, such as determining whether a specific executable or document is present [1][2]. This is an information disclosure vulnerability with no direct impact on confidentiality (beyond file existence), integrity, or availability. The CVSS v3 score is 2.5 (Low) [1].

Mitigation

Microsoft addressed this vulnerability in Security Bulletin MS16-095 (Cumulative Security Update for Internet Explorer 3177356), released on August 9, 2016 [1][2][3]. Users should apply the update to Internet Explorer 10 and 11. No workarounds are documented; the fix modifies how Internet Explorer handles file:// URLs in sandboxed iframes [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*
  • (no CPE) range: 10, 11

Patches

0

No patches discovered yet.

References

6
