SB2017031409 - Multiple vulnerabilities in Microsoft Internet Explorer
Published: March 14, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-0008)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to unknown error. A remote unauthenticated attacker can gain unauthorized access to potentially sensitive data.
2) Memory corruption (CVE-ID: CVE-2017-0018)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Memory corruption (CVE-ID: CVE-2017-0040)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to memory corruption in JScript and VBScript engines. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Information disclosure (CVE-ID: CVE-2017-0049)
The vulnerability allows a remote attacker to gain access to potentially sensitive data.
The vulnerability exists due to unspecified error in JScript scripting engine . A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it and gain access to potentially sensitive data.
5) Information disclosure (CVE-ID: CVE-2017-0059)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to unknown error. A remote unauthenticated attacker can gain unauthorized access to potentially sensitive data.
6) Memory corruption (CVE-ID: CVE-2017-0130)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to memory corruption in JScript and VBScript engines. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Memory corruption (CVE-ID: CVE-2017-0149)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when accessing objects in memory. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
8) Cross-site scripting (CVE-ID: CVE-2017-0154)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to improper enforcement of cross-domain policies in Internet Explorer. A remote attacker can trick the victim to visit a specially crafted web site and access information from one domain and inject it into another domain.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.