Published: 11/05/2016 Updated: 12/10/2018
CVSS v2 Base Score: 7.6 | Impact Score: 10 | Exploitability Score: 4.9
CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6
VMScore: 807
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote malicious users to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187.

Vulnerability Trend

Affected Products

Vendor Product Versions
MicrosoftVbscript5.7, 5.8


Source: githubcom/theori-io/cve-2016-0189 # CVE-2016-0189 Proof-of-Concept exploit for CVE-2016-0189 (VBScript Memory Corruption in IE11) Tested on Windows 10 IE11 ### Write-up theoriio/research/cve-2016-0189 ### To run 1 Download `support/*dll` (or compile \*cpp for yourself) and `exploit/*html` to a directory 2 Serve t ...

Mailing Lists

This Metasploit module exploits the memory corruption vulnerability (CVE-2016-0189) present in the VBScript engine of Internet Explorer 11 ...

Metasploit Modules

Internet Explorer 11 VBScript Engine Memory Corruption

This module exploits the memory corruption vulnerability (CVE-2016-0189) present in the VBScript engine of Internet Explorer 11.

msf > use exploit/windows/browser/ms16_051_vbscript
      msf exploit(ms16_051_vbscript) > show targets
      msf exploit(ms16_051_vbscript) > set TARGET <target-id>
      msf exploit(ms16_051_vbscript) > show options
            ...show and set options...
      msf exploit(ms16_051_vbscript) > exploit

Github Repositories

CVE-2016-0189 Proof-of-Concept exploit for CVE-2016-0189 (VBScript Memory Corruption in IE11) Tested on Windows 10 IE 11 Write-up wwwdeamworkcom/archives/patch-analysis-of-cve-2016-0189orz6 To run Download support/*dll (or compile *cpp for yourself) and exploit/*html to a directory Serve the directory using a webserver (or python's simple HTTP server) Bro

CVE-2016-0189 Proof-of-Concept exploit for CVE-2016-0189 (VBScript Memory Corruption in IE11) Tested on Windows 10 IE11 Write-up theoriio/research/cve-2016-0189 To run Download support/*dll (or compile *cpp for yourself) and exploit/*html to a directory Serve the directory using a webserver (or python's simple HTTP server) Browse with a victim IE to vbscript

2017Codegate_Drive-ByDownload CVE-2016-0189 file : drivegooglecom/file/d/0B1wKAh47Svc7OTFYbkNNYkZGV0k/view?usp=sharing

初めての Rig Exploit Kit リーディング この記事は@nao_sec(@kkrnt, @PINKSAWTOOTH)が2017-05-15に公開しました 書かれている内容について, 著者は一切の責任を負いません はじめに 私がDrive-by Download攻撃について趣味で調べ始めてから3ヶ月が経ちました それまでは攻撃の概要をぼんやりと知って

Vulnerability Analysis And Exploit 浏览器及插件漏洞调试 Browser 调试速查 [IE][CVE-2018-8174分析] UAF [IE][CVE-2014-6332分析] 整数溢出 [IE][CVE-2016-0189分析] UAF [IE][CVE-2014-0322分析] UAF [Chrome][CVE-2016-5197分析] OOB [Chrome][CVE-2017-5070分析] Type Confustion Tutorials Learning V8 Learning V8 Windows Exploit Development [20190228][Part0: H

Recent Articles

Exploit Kits Target Windows Users with Ransomware and Trojans
BleepingComputer • Lawrence Abrams • 09 Sep 2019

Over the weekend and into today, four different malvertising campaigns have been redirecting users to exploit kits that install password stealing Trojans, ransomware, and clipboard hijackers.
All four of these campaigns were discovered by exploit kit expert nao_sec and are being distributed through malvertising that redirect visitors to the exploit kits landing pages. These landing pages are typically hosted on hacked sites.
Once a user visits the site, the kit's scripts will atte...

USA Is the Top Country for Hosting Malicious Domains According to Report
BleepingComputer • Ionut Ilascu • 05 Sep 2018

The US continues to be the top country hosting domains that serves web-based threats and the main source for exploit kit distribution at a global level, according to new research.
Statistics from Palo Alto Networks' Unit 42 show that the top countries hosting the malicious URLs and distributing exploit kits are Russia, China, Netherland, Australia, USA.
The study reveals that the number of malicious domains hosted in the US in the second quarter of the year dropped to 248, from 25...

RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique
Fireeye Threat Research • by Sudhanshu Dubey, Dileep Kumar Jallepalli • 28 Jun 2018

Through FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner (similar activity has been reported by Trend Micro). Apart from leveraging a relatively lesser known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post.
Attack Chain
The attack chain starts wh...

The King is dead. Long live the King!
Securelist • Vladislav Stolyarov Boris Larin Anton Ivanov • 09 May 2018

In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox; more than two years since the last in the wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.
Our story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by...

Malvertising Campaign Redirects Browsers To Terror Exploit Kit
Threatpost • Tom Spring • 25 Oct 2017

Security experts are warning some “Quit Smoking” and “20 Minute Fat Loss” ads online are delivering more than sales pitches. According to researchers at Zscaler, ads are redirecting browsers to malicious landing pages hosting the Terror exploit kit.
The campaigns have been sustained, with the initial blast spotted on Sept. 1 and lasting through Oct. 23.
“Terror EK activity has been low throughout the year but we are starting to see an uptick in the activity delivered via ma...

New Magniber Ransomware Targets South Korea, Asia Pacific
Threatpost • Tom Spring • 21 Oct 2017

Researchers identified a new ransomware family called Magniber that uniquely targets only users in South Korea and the Asia-Pacific regions. The ransomware is primarily being distributed by the Magnitude exploit kit, a primary distribution vehicle in the past for Cerber ransomware.
Because of Magniber’s close affiliation to both the Magnitude EK and and Cerber, researchers are calling the new ransomware Magniber, a mashup of both names.
“Magnitude EK activity fell off the radar u...

Magniber Ransomware Wants to Infect Only the Right People
Fireeye Threat Research • by Muhammad Umair, Zain Gardezi , Shahzad Ahmed • 19 Oct 2017

Exploit kit (EK) use has been on the decline since late 2016; however, certain activity remains consistent. The Magnitude Exploit Kit is one such example that continues to affect users, particularly in the APAC region.
In Figure 1, which is based on FireEye Dynamic threat Intelligence (DTI) reports shared in March 2017, we can see the regions affected by Magnitude EK activity during the last three months of 2016 and the first three months of 2017.

Figure 1: ...

Neptune Exploit Kit Dropping Cryptocurrency Miners Through Malvertisements
Threatpost • Chris Brook • 22 Aug 2017

Despite a marked decrease in activity, exploit kits haven’t completely disappeared just yet. The Neptune, or Terror Exploit Kit, is alive and well; during the last month, researchers have observed the kit as part of a campaign to abuse a legitimate popup ad service to drop cryptocurrency miners.
Researchers with FireEye said Tuesday the kit has been redirecting victims with popups from fake hiking ads to exploit kit landing pages and in turn to HTML and Adobe Flash exploits. Researchers ...

Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit
Fireeye Threat Research • by Zain Gardezi , Manish Sardiwal • 22 Aug 2017

Exploit kit (EK) activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular redirect campaigns using PseudoDarkleech and EITest Gate to Rig Exploit Kit were shut down in first half of this year.
Despite all this, malvertising campaigns involving exploits kits remain ac...

University College London Ransomware Linked to AdGholas Malvertising Group
Threatpost • Michael Mimoso • 20 Jun 2017

A ransomware attack that closed off access to personal and shared drives at University College London last week has been linked to a malvertising campaign spreading Mole, a variant of CryptoMix ransomware.
Kafeine, a white-hat who works for Proofpoint and is known for his research into exploit kits, said in a report published today that the group behind AdGholas is responsible. AdGholas are well known malvertising purveyors who have used steganography in the past to conceal attacks. In thi...

IT threat evolution Q1 2017. Statistics
Securelist • Roman Unuchek Fedor Sinitsyn Denis Parinov Vladislav Stolyarov • 22 May 2017

According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world.
79,209,775 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 288 thousand user computers.
Crypto ransomware attacks were blocked on 240,799 computers of unique users.
Kaspersky La...

Two New Edge Exploits Integrated into Sundown Exploit Kit
Threatpost • Michael Mimoso • 10 Jan 2017

Six months of relative quiet around exploit kits recently changed when a public proof-of-concept attack disclosed by a Texas startup was integrated into the Sundown Exploit Kit.
The proof-of-concept exploit was developed by Theori, a research and development firm in Austin, which opened its doors last spring. The PoC targets two vulnerabilities, CVE-2016-7200 and CVE-2016-7201, in Microsoft Edge that were patched in November in MS16-129 and privately disclosed to Microsoft by Google Projec...

Flash Exploit Found in Seven Exploit Kits
Threatpost • Michael Mimoso • 06 Dec 2016

A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future.
The Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political target...

RIG Picks Up Where Neutrino Left Off, Pushes CrypMIC Ransomware
Threatpost • Chris Brook • 21 Sep 2016

When an exploit kit fades away, it usually doesn’t take long for another to take its place in the limelight, especially when the kit is an integral part of the ransomware ecosystem.
That’s exactly what’s happened over the past few weeks as researchers say they’ve seen an uptick in RIG Exploit Kit traffic used to peddle CrypMIC ransomware.
The news comes two weeks after researchers shut down a global malvertising campaign that was delivering the same ransomware but via the ...

World's worst exploit kit weaponises white hats' proof of concept code
The Register • Darren Pauli • 18 Jul 2016

Plaid Parliament of Pwning's IE attack turned into pay-to-p0wn cannon

The new wearer of the crown for World's Worst Exploit Kit is compromising users with exploit code for a dangerous new attack published by a white hat researcher.
Neutrino is the new king of for-profit p0wnage packages, a market in which criminals create tools to compromise scores of users through the latest vulnerabilities.
Neutrino's authors, who have risen to prominence since the likely arrest of the former top dogs behind the Angler exploit kit, were quick to snap up exploit code ...

Patched IE Zero Day Incorporated into Neutrino EK
Threatpost • Chris Brook • 15 Jul 2016

Attackers behind the Neutrino Exploit Kit didn’t take long to co-op a recently patched Internet Explorer zero-day into its arsenal.
Researchers claim the kit has been pushing CVE-2016-0189, a vulnerability that was reportedly used in targeted attacks on South Korean organizations earlier this year. Microsoft fixed the vulnerability, which affects Internet Explorer’s scripting engines, in May.
Four researchers with FireEye, Kenneth Johnson, Sai Omkar Vashisht, Yasir Khalid, and D...

Microsoft Patches JScript, VBScript Flaw Under Attack
Threatpost • Michael Mimoso • 10 May 2016

Microsoft released a hefty load of security bulletins today, which included a patch for a JScript and VBScript scripting engine vulnerability being publicly exploited.
The flaw is addressed in its own bulletin, MS16-053, but users need to pay attention to, and apply MS16-051 as well since the attack vector is through Internet Explorer.
MS16-051 addresses the issue in IE 9, 10 and 11; MS16-053 patches the flaw in IE 7 and earlier supported versions of the browser.
The flaw, CVE-...

Matrix Ransomware Being Distributed by the RIG Exploit Kit
BleepingComputer • Lawrence Abrams • 01 Jan 1970

Malwarebytes security researcher Jérôme Segura discovered that Matrix Ransomware is now being distributed through the RIG exploit kit on sites that are displaying malvertisements.
The Matrix Ransomware was first released at the end of 2016 and we covered it back in April 2017. Since then the ransomware had slowly decreased until only few appearances here and there. Therefore, it was a surprise to find out this that ransomware was being distributed again, let alone in exploit kit cam...