What Is Internet Explorer?
Microsoft Internet Explorer was the default Windows browser from Windows 95 through Windows 10. Despite being superseded by Microsoft Edge in 2015, IE remained widely deployed in enterprise environments for legacy application compatibility. IE reached end-of-life on June 15, 2022. The IE scripting engines (JScript, VBScript) execute untrusted web content and have been a persistent source of both information disclosure and remote code execution vulnerabilities.
Overview
CVE-2016-0162 is an information disclosure vulnerability in Internet Explorer where improper JavaScript handling allows a remote attacker to detect the presence of specific files on the user's computer. While categorized as MEDIUM severity with only a low-confidentiality impact, this vulnerability was actively exploited in attack chains as an ASLR (Address Space Layout Randomization) bypass — using file detection to determine memory layout information that enables reliable exploitation of higher-severity memory corruption vulnerabilities. Patched in MS16-037 (April 12, 2016).
Affected Versions
| Internet Explorer | Status |
|---|---|
| Internet Explorer 9 | Vulnerable |
| Internet Explorer 10 | Vulnerable |
| Internet Explorer 11 | Vulnerable |
Fixed in MS16-037 (April 2016 Patch Tuesday).
Technical Details
Root Cause: JavaScript Timing Side-Channel for File Detection
CVE-2016-0162 involves a flaw in Internet Explorer's JavaScript engine where the behavior of certain script operations differs based on whether specific files exist on the local filesystem. An attacker's JavaScript code in a web page can detect this behavioral difference — creating a side-channel that reveals file existence information without the browser's Same Origin Policy granting direct file access.
The practical impact goes beyond simple file existence checking:
File enumeration: Detect whether specific security tools, antivirus software, or EDR agents are installed — allowing exploit kit landing pages to fingerprint whether a target is protected and select appropriate evasion techniques.
ASLR bypass enabler: In certain exploit chain configurations, knowing which modules are loaded (by detecting associated files) allows an attacker to calculate memory addresses of loaded DLLs — undermining ASLR protections and making memory corruption vulnerabilities more reliably exploitable.
Target profiling: Detect the presence of specific software (browsers, development tools, security products) to customize subsequent attack stages.
Role in Exploit Chains
Information disclosure vulnerabilities with low individual CVSS scores often appear in CISA's KEV catalog because they are used as enablers for higher-severity vulnerabilities. CVE-2016-0162 was used in combination with IE memory corruption vulnerabilities where the file detection ability assisted in:
- Fingerprinting targets for exploit kit delivery decisions
- Bypassing exploit mitigations that depend on address space randomization
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — malicious web page with JavaScript |
| User Interaction | Required (visit page in IE) |
| Individual Impact | File existence detection |
| Exploit Chain Role | ASLR bypass and target fingerprinting |
Discovery
Reported to Microsoft and patched in MS16-037 (April 2016 Patch Tuesday).
Exploitation Context
- Exploit chain component: CVE-2016-0162 was used in targeted attack chains where precise memory address knowledge was required for reliable exploitation of IE memory corruption vulnerabilities; the file detection side-channel provided the necessary information leakage to defeat ASLR
- Exploit kit integration: Exploit kit landing pages used JavaScript file detection (consistent with CVE-2016-0162) to fingerprint targets and determine which exploits to serve, particularly to detect and avoid sandboxed analysis environments
- IE EOL: Internet Explorer reached end-of-life June 15, 2022. All IE versions are permanently end-of-life and should be migrated to Microsoft Edge
- CISA KEV (2022): Added May 2022
Remediation
-
Apply MS16-037 (April 2016) — included in IE cumulative updates.
-
Migrate from Internet Explorer — IE is end-of-life as of June 15, 2022. Migrate to Microsoft Edge, which does not support IE's legacy JavaScript engines. Edge's IE Mode can handle legacy applications without exposing the full IE attack surface.
-
Keep browsers updated — maintain browser updates on a rapid update cycle; browser security updates should be applied as soon as available.
-
Disable JavaScript for untrusted sites — for high-security environments, configure IE security zones to require explicit permission before executing JavaScript on untrusted sites.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2016-0162 |
| Vendor / Product | Microsoft — Internet Explorer |
| NVD Published | 2016-04-12 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 4.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor find similar ↗ |
| CISA KEV Added | 2022-05-24 |
| CISA KEV Deadline | 2022-06-14 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2016-04-12 | Microsoft Security Bulletin MS16-037 released; CVE-2016-0162 patched (April 2016 Patch Tuesday) |
| 2016-04-12 | CVE-2016-0162 published by NVD |
| 2022-05-24 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-14 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2016-0162 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS16-037 — Cumulative Security Update for Internet Explorer | Vendor Advisory |