CVE-2016-3331

Vulnerability

CVE-2016-3331 is a memory corruption vulnerability affecting Microsoft Internet Explorer 11 and Microsoft Edge. The flaw resides in how the browsers handle objects in memory, and can be triggered when a user visits a specially crafted website. The vulnerability affects Internet Explorer 11 on Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2; and Microsoft Edge on Windows 10 (all versions). [1][2]

Exploitation

An attacker can exploit this vulnerability by hosting a malicious website and convincing a user to view it (e.g., via a link in email or instant message). No special privileges or authentication are required, but user interaction is necessary for the attack to succeed. The attacker does not need to be on the same network; the attack can be launched remotely. [1][2]

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current user. If the user has administrative rights, the attacker can gain full control of the affected system, install programs, view/change/delete data, or create new accounts with full user rights. The impact is complete compromise of confidentiality, integrity, and availability. [1][2]

Mitigation

Microsoft released security updates in October 2016 as part of MS16-118 for Internet Explorer and MS16-119 for Microsoft Edge. The updates correct how the browsers handle objects in memory. Organizations and users should apply the appropriate cumulative updates (KB3192887 for IE, KB3192440/KB3192441 for Edge) as soon as possible. No workarounds have been provided. [1][2]