SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Edge
Vendors:   Microsoft
Microsoft Edge Multiple Bugs Let Remote Users Bypass Security, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
SecurityTracker Alert ID:  1036099
SecurityTracker URL:  http://securitytracker.com/id/1036099
CVE Reference:   CVE-2016-3198, CVE-2016-3199, CVE-2016-3201, CVE-2016-3202, CVE-2016-3203, CVE-2016-3214, CVE-2016-3215, CVE-2016-3222
Date:  Jun 14 2016
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Microsoft Edge. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass security controls on the target system. A remote user can obtain potentially sensitive information on the target system.

A remote user can create specially crafted content that, when loaded by the target user, will trigger a memory corruption error in the Chakra JavaScript engine and execute arbitrary code on the target user's system [CVE-2016-3199, CVE-2016-3202, CVE-2016-3214, CVE-2016-3222].

A remote user can create a specially crafted PDF file that, when loaded by the target user, will execute arbitrary code on the target user's system [CVE-2016-3203].

A remote user can create specially crafted content that, when loaded by the target user, will bypass Content Security Policy (CSP) restrictions on the target system [CVE-2016-3198].

A remote user can create specially crafted content that, when loaded by the target user, will access potentially sensitive information on the target system [CVE-2016-3201, CVE-2016-3215].

Jaanus Kaap of Clarified Security, Jordan Rabet of Microsoft Offensive Security Research Team, Ke Liu of Tencent's Xuanwu Lab, Mario Heiderich of Cure53, Shi Ji (@Puzzor) of VARAS@IIE (via Trend Micro's Zero Day Initiative (ZDI)), kdot (via Trend Micro's Zero Day Initiative (ZDI)), and lokihardt (via Trend Micro's Zero Day Initiative (ZDI)) reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass security controls on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix.

A patch matrix is available in the vendor advisory.

The Microsoft advisory is available at:

https://technet.microsoft.com/library/security/ms16-068

Vendor URL:  technet.microsoft.com/library/security/ms16-068
Cause:   Access control error, Input validation error
Underlying OS:  Windows (10)
Underlying OS Comments:  10, 10 Version 1511

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 14 2016 (Microsoft Issues Fix for Windows PDF) Microsoft Edge Multiple Bugs Let Remote Users Bypass Security, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
Microsoft has issued a fix for Windows PDF on Windows 8, 2012, and 10.




Copyright 2019, SecurityGlobal.net LLC