This post was originally published on this site is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to

A security researcher recently published source code
for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit
(EK) quickly adopted it.

CVE-2016-0189 was originally exploited as a zero-day vulnerability
in targeted
attacks in Asia
. The vulnerability resides within scripting
engines in Microsoft’s Internet Explorer (IE) browser, and is
exploited to achieve Remote Code Execution (RCE). According to the
researcher’s repository, the open source exploit affects IE on at
least Windows 10. It is possible that attackers could use or repurpose
the attack for earlier versions of Windows.

Microsoft patched CVE-2016-0189
in May on Patch Tuesday
. Applying this patch will protect a
system from this exploit.

Attack Details

The popular Neutrino EK was quick to adopt this exploit. Neutrino
works by embedding multiple exploits into one Shockwave Flash (SWF)
file. Once run, the SWF profiles the victim’s system – shown in Figure
1 – to determine which of its embedded exploits to use.

Figure 1. Neutrino EK SWF profiles a victim

Next, it decrypts and runs the applicable exploit, as shown in
Figure 2. This is different from most other EKs, in which an earlier
HTML/JavaScript stage profiles the browser and selectively downloads
exploits from the server.

Figure 2. Decrypt and embed the selected exploit
into an iframe

In this example, Neutrino embedded exploits for five vulnerabilities
that have been patched since May or earlier: three for Adobe Flash
Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for
Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the
newest addition to Neutrino’s arsenal.


This CVE-2016-0189 vulnerability stems from a failure to put a lock
on an array before working on it. This omission can lead to an issue
when the array is changed while another function is in the middle of
working on it. Memory corruption can occur if the “valueOf “ property
of the array is set to a script function that changes the array size,
as shown in Figure 3.

Figure 3. Neutrino setting triggering conditions

After Microsoft released the patch, a security researcher compared
the original and patched programs to identify the root cause of the
vulnerability and create a fully functioning exploit. The exploit
embedded within Neutrino is identical to this researcher’s exploit,
except for the code that runs after initial control.

At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.

Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group,