SB2019061202 - Multiple vulnerabilities in Microsoft Edge and ChakraCore
Published: June 12, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 secuirty vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2019-0989)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Buffer overflow (CVE-ID: CVE-2019-0991)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Buffer overflow (CVE-ID: CVE-2019-0992)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Buffer overflow (CVE-ID: CVE-2019-0993)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) Buffer overflow (CVE-ID: CVE-2019-1002)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Buffer overflow (CVE-ID: CVE-2019-1003)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Buffer overflow (CVE-ID: CVE-2019-1024)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Buffer overflow (CVE-ID: CVE-2019-1051)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Buffer overflow (CVE-ID: CVE-2019-1052)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Chakra scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Out-of-bounds read (CVE-ID: CVE-2019-0990)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the way the scripting engine handles objects in memory in Microsoft Edge. A remote attacker can use a specially crafted web page to trigger out-of-bounds read error and read contents of memory on the system.
11) Out-of-bounds read (CVE-ID: CVE-2019-1023)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the way the scripting engine handles objects in memory in Microsoft Edge. A remote attacker can use a specially crafted web page to trigger out-of-bounds read error and read contents of memory on the system.
12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-1054)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists in Microsoft Edge due to the browser fails to set Mark of the Web Tagging (MOTW). Such browser behavior leads to possibility to bypass a large number of Microsoft security technologies.
Remediation
Install update from vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0989
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0991
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0992
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0993
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1002
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1003
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1024
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1051
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1052
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0990
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1023
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1054