CVE-2016-0189 — Microsoft Internet Explorer Memory Corruption Vulnerability

Internet Explorer JScript/VBScript — Scripting Engine Memory Corruption Enables RCE via Crafted Web Page; Targeted APT Exploitation; Patched MS16-051 (May 2016)

What Is Internet Explorer's JScript/VBScript Engine?

Internet Explorer's scripting engines — JScript (the Microsoft implementation of JavaScript) and VBScript — execute script code from web pages within the browser's process. These engines parse and run potentially untrusted script code from any visited web page, making them a primary attack surface for remote code execution via malicious JavaScript or VBScript. Memory corruption vulnerabilities in scripting engines that allow an attacker to control heap memory can be exploited to execute arbitrary code in the context of the browser user.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 28, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-0189 is a memory corruption remote code execution vulnerability in Internet Explorer's JScript and VBScript scripting engines. When a user visits a malicious web page in IE, the scripting engine processes crafted JavaScript or VBScript that triggers an out-of-bounds write, corrupting heap memory in a way that enables code execution at the user's privilege level. The AC:H (high complexity) CVSS component reflects that reliable exploitation requires specific conditions — typically an information leak for ASLR bypass. CVE-2016-0189 was actively exploited in targeted APT attacks. Patched in MS16-051 (May 10, 2016).

Affected Versions

Internet Explorer | Status
Internet Explorer 9 | Vulnerable
Internet Explorer 10 | Vulnerable
Internet Explorer 11 | Vulnerable

Fixed in MS16-051 (May 2016 Patch Tuesday).

Technical Details

Root Cause: JScript/VBScript Memory Corruption

CVE-2016-0189 involves an out-of-bounds write (CWE-787) in Internet Explorer's JScript or VBScript engine during the processing of certain script constructs. The scripting engine incorrectly handles a crafted object or expression, leading to a write operation that targets memory outside the intended buffer bounds — corrupting adjacent heap memory.

The exploitation pattern for scripting engine vulnerabilities:

  1. Trigger the memory corruption — serve crafted JavaScript or VBScript that causes the out-of-bounds write
  2. Heap grooming — use JavaScript object allocations to shape the heap, placing a controlled object adjacent to the corrupted region
  3. Type confusion — the corruption overwrites a JavaScript object's type information, causing the engine to treat attacker-controlled data as a trusted object
  4. ASLR bypass — the AC:H rating reflects that a separate information leak (such as CVE-2016-0162) is often required for reliable exploitation in modern IE configurations with DEP and ASLR enabled
  5. Code execution — the type confusion is leveraged to execute arbitrary shellcode or ROP chain at user privilege level

High Complexity Context

The AC:H rating distinguishes CVE-2016-0189 from simpler memory corruption vulnerabilities. In 2016, reliable exploitation of IE memory corruption typically required:

  • An information disclosure primitive to defeat ASLR (leaking heap or stack addresses)
  • Careful heap grooming to achieve reliable type confusion
  • DEP bypass via a valid ROP chain using known IE/OS module gadgets

This complexity was within reach of sophisticated APT actors and mature exploit kit operators but was less trivial than CVSS 9.8 "always works" exploits.

Attack Characteristics

Attribute | Detail
Attack Vector | Network — malicious web page visited in IE
Complexity | High (ASLR bypass typically required)
User Interaction | Required (visit page)
Impact | Code execution at browser user privilege level
Exploitation | Targeted APT campaigns; exploit kits

Discovery

Reported to Microsoft and patched in MS16-051 (May 2016 Patch Tuesday). Security researchers documented targeted exploitation by APT actors in the May–June 2016 period following publication.

Exploitation Context

  • Targeted APT exploitation: CVE-2016-0189 was used in targeted attacks by APT groups (security researchers documented exploitation consistent with North Korean and other state-sponsored actors) against South Korean targets and others, leveraging the IE scripting engine vulnerability for initial access to victim workstations
  • Exploit kit adoption: Following public disclosure and patch availability, CVE-2016-0189 was incorporated into exploit kits targeting unpatched IE users via malvertising and compromised websites
  • IE as attack vector: IE remained the enterprise standard browser in many organizations in 2016 due to legacy application compatibility requirements; IE's continued deployment in enterprise environments provided a persistent attack surface despite Microsoft's introduction of Edge
  • IE EOL: Internet Explorer reached end-of-life June 15, 2022. All IE versions are permanently unsupported
  • CISA KEV (2022): Added March 2022

Remediation

CISA BOD 22-01 Deadline: April 18, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS16-051 (May 2016) — included in IE cumulative updates.

  2. Migrate from Internet Explorer — IE is end-of-life as of June 15, 2022. Migrate to Microsoft Edge. Edge's IE Mode supports legacy applications without exposing the full IE scripting engine attack surface.

  3. Disable VBScript in IE — in environments that cannot immediately migrate from IE, disable VBScript in the Internet zone via Internet Options → Security → Custom Level → Scripting → Active Scripting; this eliminates VBScript-based exploitation of this class of vulnerability.

  4. Enhanced Protected Mode (EPM) — enable IE Enhanced Protected Mode, which sandboxes IE processes and limits the damage from successful exploitation.
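
One way to verify step 3 across many hosts is to audit exported zone settings offline. This added example (not from the original page or from Microsoft) parses `reg export` text of the Internet Settings\Zones key; it assumes action 1400 is the Active scripting setting named in step 3, accepts the VBScript-only action 140C (not mentioned on the page) as an alternative, and runs on a constructed sample export.

```python
import re

ACTIVE_SCRIPTING = "1400"  # Custom Level > Scripting > Active scripting
VBSCRIPT_ONLY = "140C"     # per-zone VBScript switch (not mentioned on the page)
DISABLE = 3                # zone action values: 0 = enable, 1 = prompt, 3 = disable
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}

# Constructed sample in `reg export` layout (values are illustrative only).
# Real exports are UTF-16 files: decode them before passing the text in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"140C"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
'''

SECTION = re.compile(r"^\[(.+)\\Zones\\(\d)\]$")
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zones(reg_text):
    """Return {zone_id: {action_id: int}} from `reg export` text."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            current = zones.setdefault(m.group(2), {}) if m else None
        elif current is not None:
            m = DWORD.match(line)
            if m:
                current[m.group(1).upper()] = int(m.group(2), 16)
    return zones


def vbscript_exposed(reg_text, zone_ids=("3",)):
    """Names of the checked zones where VBScript can still run."""
    zones = parse_zones(reg_text)
    exposed = []
    for zid in zone_ids:
        actions = zones.get(zid, {})
        # Assumption: a missing value counts as "not disabled" (fail closed).
        if DISABLE not in (actions.get(ACTIVE_SCRIPTING), actions.get(VBSCRIPT_ONLY)):
            exposed.append(ZONES.get(zid, zid))
    return exposed
```

Group Policy can set the same actions under the Policies hive, so an audit of a managed host should export and check that key as well.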

Key Details

Property | Value
CVE ID | CVE-2016-0189
Vendor / Product | Microsoft — Internet Explorer
NVD Published | 2016-05-11
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 7.5
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787 — Out-of-Bounds Write
CISA KEV Added | 2022-03-28
CISA KEV Deadline | 2022-04-18
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | High
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date | Event
2016-05-10 | Microsoft Security Bulletin MS16-051 released; CVE-2016-0189 patched (May 2016 Patch Tuesday)
2016-05-11 | CVE-2016-0189 published by NVD
2016-05 | Security researchers report CVE-2016-0189 exploitation in targeted attacks by threat actors associated with South Korean and other APT campaigns
2022-03-28 | Added to CISA Known Exploited Vulnerabilities catalog
2022-04-18 | CISA BOD 22-01 remediation deadline