SB2018061212 - Multiple vulnerabilities in Microsoft Edge
Published: June 12, 2018
Description
This security bulletin contains information about 8 security vulnerabilities.
1) Memory corruption (CVE-ID: CVE-2018-8236)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of objects in memory by Microsoft Edge. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2) Memory corruption (CVE-ID: CVE-2018-8110)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of objects in memory by Microsoft Edge. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) Memory corruption (CVE-ID: CVE-2018-8111)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of objects in memory by Microsoft Edge. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) Memory corruption (CVE-ID: CVE-2018-8234)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to improper handling of objects in memory by Microsoft Edge. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and access arbitrary data that can be used to conduct further attacks.
5) Information disclosure (CVE-ID: CVE-2018-0871)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to an error when Microsoft Edge improperly marks files. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website and exfiltrate file contents from disk.
6) Same-origin policy bypass (CVE-ID: CVE-2018-8235)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to improper handling of requests of different origins by Microsoft Edge. A remote attacker can trick the victim into visiting a specially crafted web page, bypass Same-Origin Policy (SOP) restrictions and force the browser to send data that would otherwise be restricted.
7) Memory corruption (CVE-ID: CVE-2018-8227)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of objects in memory in Microsoft Edge by the Chakra scripting engine. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
8) Memory corruption (CVE-ID: CVE-2018-8229)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of objects in memory in Microsoft Edge by the Chakra scripting engine. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Remediation
Install the update from the vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8236
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8110
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8111
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8234
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0871
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8235
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8229