SecurityTracker.com

Category:   Application (Web Browser)  >   Microsoft Edge
Vendors:   Microsoft
Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System
SecurityTracker Alert ID:  1040372
SecurityTracker URL:  http://securitytracker.com/id/1040372
CVE Reference:   CVE-2018-0763, CVE-2018-0771, CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0839, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, CVE-2018-0866
Date:  Feb 13 2018
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Microsoft Edge. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass security controls on the target system. A remote user can obtain potentially sensitive information on the target system.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user's system [CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, CVE-2018-0866].

The ChakraCore scripting engine is also affected [CVE-2018-0858].

A remote user can create specially crafted content that, when viewed by the target user, will bypass Same-Origin Policy (SOP) restrictions and read potentially sensitive information from the target user's browser [CVE-2018-0771].

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and obtain potentially sensitive information on the target user's system [CVE-2018-0763, CVE-2018-0839].

Yuki Chen of Qihoo 360 Vulcan Team, Lokihardt of Google Project Zero, Michael Holman of Microsoft Chakra Core Team, Dmitri Kaslov of Telspace Systems (via Trend Micro Zero Day Initiative), Johnathan Norman of Windows Devices Group - Operating System Security Team, Lucas Pinheiro of Windows & Devices Group - Operating System Security Team, Jeonghoon Shin@Theori, Ivan Fratric of Google Project Zero, yeivin nadav (akayn), Marcin Towalski (@mtowalski1), and @j00sean (Thanks to Domato: https://github.com/google/domato) (via Trend Micro Zero Day Initiative) reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass security controls on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix.

The Microsoft advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0763
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0771
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0834
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0835
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0836
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0837
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0838
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0839
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0840
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0857
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0858
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0859
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0860
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0861
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0866

Vendor URL:  portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0834
Cause:   Access control error
Underlying OS:  Windows (10)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC