Multiple vulnerabilities in Microsoft Edge



Published: 2018-01-04
Risk High
Patch available YES
Number of vulnerabilities 19
CVE-ID CVE-2018-0818
CVE-2018-0773
CVE-2018-0774
CVE-2018-0781
CVE-2018-0758
CVE-2018-0762
CVE-2018-0768
CVE-2018-0769
CVE-2018-0770
CVE-2018-0772
CVE-2018-0775
CVE-2018-0776
CVE-2018-0777
CVE-2018-0778
CVE-2018-0780
CVE-2018-0803
CVE-2018-0800
CVE-2018-0766
CVE-2018-0767
CWE-ID CWE-264
CWE-119
CWE-125
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Microsoft Edge
Client/Desktop applications / Web browsers

Microsoft Internet Explorer
Client/Desktop applications / Web browsers

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 19 vulnerabilities.

1) Security restrictions bypass

EUVDB-ID: #VU9848

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0818

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error in Microsoft Chakra scripting engine that allows Control Flow Guard (CFG) to be bypassed. A remote attacker can create a specially crafted website, trick the victim into visiting it, and bypass implemented CFG.

This vulnerability can be used along with another vulnerability to successfully compromise the affected system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0818


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

EUVDB-ID: #VU9849

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0773

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

EUVDB-ID: #VU9850

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0774

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory corruption

EUVDB-ID: #VU9851

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0781

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory corruption

EUVDB-ID: #VU9852

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0758

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory corruption

EUVDB-ID: #VU9853

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0762

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

Microsoft Internet Explorer: 9 - 11

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory corruption

EUVDB-ID: #VU9854

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0768

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Memory corruption

EUVDB-ID: #VU9855

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0769

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory corruption

EUVDB-ID: #VU9856

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0770

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Memory corruption

EUVDB-ID: #VU9857

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0772

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

Microsoft Internet Explorer: 9 - 11

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory corruption

EUVDB-ID: #VU9858

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0775

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Memory corruption

EUVDB-ID: #VU9859

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0776

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory corruption

EUVDB-ID: #VU9860

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0777

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory corruption

EUVDB-ID: #VU9861

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0778

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory corruption

EUVDB-ID: #VU9862

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0780

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing content in browser. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0773


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Cross-domain policy bypass

EUVDB-ID: #VU9863

Risk: Medium

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0803

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to improper enforcement of cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. A remote attacker can create a specially crafted web page, trick the victim into opening it and replace contents in another user's tab.

Successful exploitation of the vulnerability may allow an attacker to steal victim's credentials to another website, perform phishing and drive-by download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Out-of-bounds read

EUVDB-ID: #VU9864

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0800

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary error when processing web contents in browser. A remote attacker can trick the victim into visiting a specially crafted web page, trigger out-of-bounds read and gain access to potentially sensitive data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0800


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Out-of-bounds read

EUVDB-ID: #VU9865

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0766

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary error when processing web contents in browser. A remote attacker can trick the victim into visiting a specially crafted web page, trigger out-of-bounds read and gain access to potentially sensitive data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0800


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Out-of-bounds read

EUVDB-ID: #VU9866

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0767

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary error when processing web contents in browser. A remote attacker can trick the victim into visiting a specially crafted web page, trigger out-of-bounds read and gain access to potentially sensitive data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0800


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###