Microsoft Patches Four Zero-Days Used in Live Attacks

Share this…

0-days affect IE, Edge, Office, and Windows’ GDI component. aaThese four zero-days affect Microsoft products such as Internet Explorer (CVE-2016-3298), Edge’s scripting engine (CVE-2016-7189), the Windows Graphics Component (CVE-2016-3393), and Office (CVE-2016-7193). Microsoft says that attackers exploited all vulnerabilities in the wild.


CVE-2016-3298 is an information disclosure bug discovered in Internet Explorer by Proofpoint, who covers its technical details in a blog post here.

The company says this zero-day was part of a massive malvertising campaign called AdGholas and was used to “fingerprint” users. Fingerprinting occurs via an automated script used to detect the details of a user’s local OS setup in order to deliver the best exploits.

“An attacker who successfully exploited this vulnerability could test for the presence of files on disk,” says Microsoft, who also reveals that attackers had to convince users to access a malicious website which then took advantage of the way the Microsoft Internet Messaging API handles objects in memory.

Microsoft patched this vulnerability in two security bulletins, MS16-118 and MS16-126. Last month, Microsoft patched another zero-day, CVE-2016-3351, also used by the same AdGholas malvertising campaign.


CVE-2016-7189 is a remote code execution (RCE) bug in Microsoft Edge’s scripting engine, which allows attackers to “obtain information to further compromise the user’s system.”

The good news is that an attacker needs to convince a user to access a malicious website, and then perform an action, such as clicking on a link. This makes exploitation much more challenging than the previous zero-day, but not impossible.

Users should install the MS16-119 security bulletin to correct this flaw in Edge and safeguard their computers.


Another dangerous zero-day with RCE capabilities is CVE-2016-3393, which affects the Windows GDI (Graphics) Component.

Microsoft says that an attacker could exploit this zero-day via a remote web-based attack or a malicious file executed on the local system.

The MS16-120 security bulletin fixes how the GDI component handles certain data objects in memory and blocks this kind of attacks.


Last but not least is CVE-2016-7193, a memory corruption flaw in Microsoft Office, which also allows attackers to execute malicious code on targeted computers.

Microsoft says that the flaw is exploitable via malicious RTF files, and the company has issued MS16-121 to fix the issue.

This zero-day is more dangerous as the user has more permissions associated with his account. This is why Windows users should use a lower-privileged user for their daily tasks, instead of using an administrator-level account.

A summary of all zero-days is available in the table below:

CVE Vulnerability title Security Bulletin Publicly disclosed
CVE-2016-3298 Internet Explorer Information Disclosure Vulnerability MS16-118 & MS16-126 No
CVE-2016-7189 Scripting Engine Remote Code Execution Vulnerability MS16-119 No
CVE-2016-3393 GDI+ Remote Code Execution Vulnerability MS16-120 No
CVE-2016-7193 Microsoft Office Memory Corruption Vulnerability MS16-121 No