Microsoft Browser Elevation of Privilege Vulnerability

Published: 2016-10-11

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2016-3388
CWE-ID	CWE-46
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Microsoft Internet Explorer Client/Desktop applications / Web browsers Microsoft Edge Client/Desktop applications / Web browsers
Vendor	Microsoft

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Privilege Escalation

EUVDB-ID: #VU847

Risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2016-3388

CWE-ID: CWE-46 - Path Equivalence: 'filename ' (Trailing Space)

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness is due to improper defense of private namespace by the browser. A remote attacker can create a specially crafted content, trick the victim into downloading it, gain privileged permissions to the namespace directory on the system.

Successful exploitation of the vulnerability will result in privilege escalation on the vulnerable system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Internet Explorer: 10 - 11

Microsoft Edge: All versions

CPE2.3

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3388

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.