SB2019031304 - Multiple vulnerabilities in Microsoft Edge
Published: March 13, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 secuirty vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2019-0609)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web oage, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Buffer overflow (CVE-ID: CVE-2019-0611)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web oage, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Buffer overflow (CVE-ID: CVE-2019-0639)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web oage, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Buffer overflow (CVE-ID: CVE-2019-0746)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the lastIndexOf method in JavaScript. A remote attacker can trick the victim to visit a specially crafted web oage, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) Buffer overflow (CVE-ID: CVE-2019-0769)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web oage, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Buffer overflow (CVE-ID: CVE-2019-0771)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web oage, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Buffer overflow (CVE-ID: CVE-2019-0779)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web oage, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Buffer overflow (CVE-ID: CVE-2019-0780)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Buffer overflow (CVE-ID: CVE-2019-0592)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Buffer overflow (CVE-ID: CVE-2019-0770)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Buffer overflow (CVE-ID: CVE-2019-0773)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-0612)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists when Click2Play protection in Microsoft Edge improperly handles flash objects. A remote attacker can bypass Click2Play protection.
13) Origin validation error (CVE-ID: CVE-2019-0678)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.
14) Origin validation error (CVE-ID: CVE-2019-0762)
The vulnerability allows a remote attacker ti bypass certain security restrictions.
The vulnerability exists due to incorrect handling of requests coming from different origins. A remote attacker can trick the victim to visit a specially crafted website, bypass Same-Site cookie restrictions and gain access to sensitive information from another domain.
Remediation
Install update from vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0609
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0611
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0639
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0746
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0769
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0771
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0779
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0780
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0592
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0770
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0773
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0612
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0678
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0762