Zero-day vulnerability in Microsoft Internet Explorer

Memory corruption

Used to target South Korean organizations.
A banking trojan (Duuzer back door) was distributed by the Sundown Exploit Kit (EK) to target South Korean organizations. The exploit was later included in the Magnitude and KaiXin EKs.

Known malware:

Exploit kit: Magnitude, Neutrino, RIG, Sundown.

Vulnerability details

Advisory: SB2016051003 - Multiple vulnerabilities in Microsoft Internet Explorer

Vulnerable component: Microsoft Internet Explorer

CVE-ID: CVE-2016-0189

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the Scripting Engine when handling malicious files. A remote attacker can create specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

CNACOM campaign

The campaign mainly targeted Taiwanese organizations and is believed to be of Chinese origin.

Public Exploits:

External links: