Multiple vulnerabilities in Microsoft Edge

Published: 2018-06-12 21:04:47
Severity High
Patch available YES
Number of vulnerabilities 8
CVE ID CVE-2018-8236
CVE-2018-8110
CVE-2018-8111
CVE-2018-8234
CVE-2018-0871
CVE-2018-8235
CVE-2018-8227
CVE-2018-8229
CVSSv3 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
5.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID CWE-119
CWE-200
CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software Microsoft Edge
Vulnerable software versions Microsoft Edge -
Vendor URL Microsoft

Security Advisory

1) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of objects in memory by Microsoft Edge. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8236

2) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of objects in memory by Microsoft Edge. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8110

3) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of objects in memory by Microsoft Edge. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8111

4) Memory corruption

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to improper handling of objects in memory by Microsoft Edge. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and access arbitrary data that can be used to conduct further attacks.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8234

5) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to an error when Microsoft Edge improperly marks files. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website and exfiltrate file contents from disk.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0871

6) Same-origin policy bypass

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to improper handling of requests of different origins by Microsoft Edge. A remote attacker can trick the victim to visit a specially crafted web page, bypass Same-Origin Policy (SOP) restrictions and force the browser to send data that would otherwise be restricted.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8235

7) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of objects in memory in Microsoft Edge by the Chakra scripting engine. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227

8) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper handling of objects in memory in Microsoft Edge by the Chakra scripting engine. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8229

Back to List