Multiple vulnerabilities in Microsoft Edge



Published: 2022-02-04
Risk: High
Patch available: YES
Number of vulnerabilities: 22
CVE-ID: CVE-2022-0459, CVE-2022-23262, CVE-2022-23263, CVE-2022-0452, CVE-2022-0453, CVE-2022-0454, CVE-2022-0455, CVE-2022-0456, CVE-2022-0457, CVE-2022-0458, CVE-2022-23261, CVE-2022-0460, CVE-2022-0461, CVE-2022-0462, CVE-2022-0463, CVE-2022-0464, CVE-2022-0465, CVE-2022-0466, CVE-2022-0467, CVE-2022-0468, CVE-2022-0469, CVE-2022-0470
CWE-ID: CWE-416, CWE-94, CWE-122, CWE-358, CWE-843, CWE-451, CWE-284, CWE-125
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Microsoft Edge (Client/Desktop applications / Web browsers)
Vendor: Microsoft

Security Bulletin

This security bulletin contains information about 22 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU60229

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0459

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Screen Capture component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1244205
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0459


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Code Injection

EUVDB-ID: #VU60301

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23262

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23262


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Code Injection

EUVDB-ID: #VU60300

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23263

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can trick the victim into opening a specially crafted file or visiting a webpage and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23263


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU60222

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0452

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Safe Browsing component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1284584
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0452


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use-after-free

EUVDB-ID: #VU60223

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0453

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Reader Mode component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1284916
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0453


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Heap-based buffer overflow

EUVDB-ID: #VU60224

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0454

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in ANGLE. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1287962
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0454


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improperly implemented security check for standard

EUVDB-ID: #VU60225

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0455

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Full Screen Mode in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1270593
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0455


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Use-after-free

EUVDB-ID: #VU60226

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0456

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Web Search component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1289523
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0456


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Type Confusion

EUVDB-ID: #VU60227

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0457

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1274445
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0457


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Use-after-free

EUVDB-ID: #VU60228

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0458

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Thumbnail Tab Strip component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1267060
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0458


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Spoofing attack

EUVDB-ID: #VU60299

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23261

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can spoof page content.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23261


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU60230

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0460

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Window Dialog in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1250227
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0460


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper access control

EUVDB-ID: #VU60231

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0461

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper access restrictions in COOP. A remote attacker can create a specially crafted web page, trick the victim into visiting it, bypass implemented security restrictions and gain unauthorized access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1256823
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0461


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improperly implemented security check for standard

EUVDB-ID: #VU60232

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0462

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Scroll in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1270470
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0462


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free

EUVDB-ID: #VU60233

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0463

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Accessibility in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1268240
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0463


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free

EUVDB-ID: #VU60234

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0464

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Accessibility in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1270095
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0464


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Use-after-free

EUVDB-ID: #VU60235

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0465

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Extensions in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1281941
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0465


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Improperly implemented security check for standard

EUVDB-ID: #VU60236

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0466

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Extensions Platform in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1115460
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0466


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Improperly implemented security check for standard

EUVDB-ID: #VU60237

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0467

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Pointer Lock in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1239496
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0467


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Use-after-free

EUVDB-ID: #VU60238

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0468

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Payments in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1252716
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0468


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Use-after-free

EUVDB-ID: #VU60239

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0469

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within Cast in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1279531
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0469


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Out-of-bounds read

EUVDB-ID: #VU60240

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0470

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to crash the browser.

The vulnerability exists due to a boundary condition within the V8 component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and crash the browser.

Mitigation

Update to version 98.0.4758.80.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 97.0.1072.76

External links

http://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html
http://crbug.com/1269225
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0470


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


