SB2018010906 - Multiple vulnerabilities in Microsoft ChakraCore
Published: January 9, 2018
Security Bulletin ID
SB2018010906
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2018-0800)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.The vulnerability exists due to a boundary error when processing web contents in browser. A remote attacker can trick the victim into visiting a specially crafted web page, trigger out-of-bounds read and gain access to potentially sensitive data.
2) Security restrictions bypass (CVE-ID: CVE-2018-0818)
The vulnerability allows a remote attacker to bypass certain security restrictions.The vulnerability exists due to an error in Microsoft Chakra scripting engine that allows Control Flow Guard (CFG) to be bypassed. A remote attacker can create a specially crafted website, trick the victim into visiting it, and bypass implemented CFG.
This vulnerability can be used along with another vulnerability to successfully compromise the affected system.
Remediation
Install update from vendor's website.