cnvd - cnvd-2016-08938

cnvd-2016-08938

Vulnerability from cnvd

Title: Microsoft Internet Explorer和Edge远程权限提升洞

Description:

Microsoft Internet Explorer（IE）和Microsoft Edge都是美国微软（Microsoft）公司开发的Web浏览器。前者是Windows 10之前操作系统附带的默认浏览器，后者是最新操作系统Windows 10附带的默认浏览器。

Microsoft IE 10和11版本和Edge中存在特权提升漏洞，该漏洞源于程序没有正确保护私有命名空间。攻击者可利用该漏洞获取提升的权限。

Severity: 高

Patch Name: Microsoft Internet Explorer和Edge远程权限提升洞的补丁

Patch Description:

Microsoft IE 10和11版本和Edge中存在特权提升漏洞，该漏洞源于程序没有正确保护私有命名空间。攻击者可利用该漏洞获取提升的权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://technet.microsoft.com/library/security/ms16-118 https://technet.microsoft.com/library/security/ms16-119

Reference: http://www.securityfocus.com/bid/93381 https://technet.microsoft.com/library/security/ms16-118 https://technet.microsoft.com/library/security/ms16-119

Impacted products

Name
['Microsoft Internet Explorer 10', 'Microsoft Internet Explorer 11', 'Microsoft Edge 0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "93381"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-3387"
    }
  },
  "description": "Microsoft Internet Explorer\uff08IE\uff09\u548cMicrosoft Edge\u90fd\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u5f00\u53d1\u7684Web\u6d4f\u89c8\u5668\u3002\u524d\u8005\u662fWindows 10\u4e4b\u524d\u64cd\u4f5c\u7cfb\u7edf\u9644\u5e26\u7684\u9ed8\u8ba4\u6d4f\u89c8\u5668\uff0c\u540e\u8005\u662f\u6700\u65b0\u64cd\u4f5c\u7cfb\u7edfWindows 10\u9644\u5e26\u7684\u9ed8\u8ba4\u6d4f\u89c8\u5668\u3002\r\n\r\nMicrosoft IE 10\u548c11\u7248\u672c\u548cEdge\u4e2d\u5b58\u5728\u7279\u6743\u63d0\u5347\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u4fdd\u62a4\u79c1\u6709\u547d\u540d\u7a7a\u95f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u63d0\u5347\u7684\u6743\u9650\u3002",
  "discovererName": "James Forshaw of Google Project Zero.",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://technet.microsoft.com/library/security/ms16-118\r\nhttps://technet.microsoft.com/library/security/ms16-119",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-08938",
  "openTime": "2016-10-14",
  "patchDescription": "Microsoft Internet Explorer\uff08IE\uff09\u548cMicrosoft Edge\u90fd\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u5f00\u53d1\u7684Web\u6d4f\u89c8\u5668\u3002\u524d\u8005\u662fWindows 10\u4e4b\u524d\u64cd\u4f5c\u7cfb\u7edf\u9644\u5e26\u7684\u9ed8\u8ba4\u6d4f\u89c8\u5668\uff0c\u540e\u8005\u662f\u6700\u65b0\u64cd\u4f5c\u7cfb\u7edfWindows 10\u9644\u5e26\u7684\u9ed8\u8ba4\u6d4f\u89c8\u5668\u3002\r\n\r\nMicrosoft IE 10\u548c11\u7248\u672c\u548cEdge\u4e2d\u5b58\u5728\u7279\u6743\u63d0\u5347\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u4fdd\u62a4\u79c1\u6709\u547d\u540d\u7a7a\u95f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u63d0\u5347\u7684\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Internet Explorer\u548cEdge\u8fdc\u7a0b\u6743\u9650\u63d0\u5347\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Internet Explorer 10",
      "Microsoft Internet Explorer 11",
      "Microsoft Edge 0"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/93381\r\nhttps://technet.microsoft.com/library/security/ms16-118\r\nhttps://technet.microsoft.com/library/security/ms16-119",
  "serverity": "\u9ad8",
  "submitTime": "2016-10-14",
  "title": "Microsoft Internet Explorer\u548cEdge\u8fdc\u7a0b\u6743\u9650\u63d0\u5347\u6d1e"
}

CVE-2016-3387 (GCVE-0-2016-3387)

Vulnerability from cvelistv5

Published

2016-10-14 01:00

Modified

2024-08-05 23:56

Severity ?

CWE

Summary

Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain privileges via unspecified vectors, aka "Microsoft Browser Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3388.

References

▼	URL	Tags
	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-119	vendor-advisory, x_refsource_MS
	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-118	vendor-advisory, x_refsource_MS
	http://www.securitytracker.com/id/1036993	vdb-entry, x_refsource_SECTRACK
	https://www.exploit-db.com/exploits/40607/	exploit, x_refsource_EXPLOIT-DB
	http://www.securitytracker.com/id/1036992	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/93381	vdb-entry, x_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:56:13.089Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "MS16-119",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-119"
          },
          {
            "name": "MS16-118",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-118"
          },
          {
            "name": "1036993",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036993"
          },
          {
            "name": "40607",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/40607/"
          },
          {
            "name": "1036992",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036992"
          },
          {
            "name": "93381",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/93381"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-10-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain privileges via unspecified vectors, aka \"Microsoft Browser Elevation of Privilege Vulnerability,\" a different vulnerability than CVE-2016-3388."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-12T19:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "MS16-119",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-119"
        },
        {
          "name": "MS16-118",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-118"
        },
        {
          "name": "1036993",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036993"
        },
        {
          "name": "40607",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/40607/"
        },
        {
          "name": "1036992",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036992"
        },
        {
          "name": "93381",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/93381"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2016-3387",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not properly restrict access to private namespaces, which allows remote attackers to gain privileges via unspecified vectors, aka \"Microsoft Browser Elevation of Privilege Vulnerability,\" a different vulnerability than CVE-2016-3388."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "MS16-119",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-119"
            },
            {
              "name": "MS16-118",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-118"
            },
            {
              "name": "1036993",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036993"
            },
            {
              "name": "40607",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/40607/"
            },
            {
              "name": "1036992",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036992"
            },
            {
              "name": "93381",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/93381"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2016-3387",
    "datePublished": "2016-10-14T01:00:00",
    "dateReserved": "2016-03-15T00:00:00",
    "dateUpdated": "2024-08-05T23:56:13.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted