VYPR
Low severity 3.1 · NVD Advisory · Published Nov 10, 2016 · Updated May 6, 2026

CVE-2016-7239

Description

The RegEx class in the XSS filter in Microsoft Internet Explorer 9 through 11 and Microsoft Edge allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive information via unspecified vectors, aka "Microsoft Browser Information Disclosure Vulnerability."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The RegEx class in the XSS filter of Internet Explorer 9-11 and Microsoft Edge allows remote attackers to conduct XSS and obtain sensitive information.

Vulnerability

The vulnerability exists in the RegEx class used by the Cross-Site Scripting (XSS) filter in Internet Explorer 9, 10, 11 and Microsoft Edge. The XSS filter improperly handles regular expressions, leading to potential information disclosure. The affected components are Internet Explorer 9, 10 and 11 on supported Windows platforms, and Microsoft Edge on Windows 10 and Windows Server 2016. The issue is addressed in security updates MS16-142 [1] and MS16-129 [2].

Exploitation

An attacker must host a specially crafted webpage that triggers the XSS filter's RegEx handling. No authentication is required, and no user interaction beyond visiting the page is needed. The attack is remote and does not require any special network position. The exact vectors are unspecified in the advisory, but the attacker can cause the XSS filter to disclose information.

Impact

Successful exploitation allows an attacker to conduct cross-site scripting (XSS) attacks and obtain sensitive information from the affected browser session. The severity is rated Low (CVSS 3.1 base score 3.1). The disclosure is limited to information that could be leveraged for further attacks.

Mitigation

Microsoft released security updates MS16-142 for Internet Explorer [1] and MS16-129 for Microsoft Edge [2] on November 8, 2016. These updates correct how the XSS filter handles RegEx. Users should apply the updates via Windows Update or direct download. No workarounds are documented.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Microsoft/Edge (2 versions)
    • cpe:2.3:a:microsoft:edge:*:*:*:*:*:*:*:*
    • (no CPE)
  • cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:* (+ 3 more)
    • cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
    • (no CPE), range: >=9, <=11

Patches

0

No patches discovered yet.

References

4
