SB2023080744 - Multiple vulnerabilities in Microsoft Edge
Published: August 7, 2023 Updated: August 17, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 secuirty vulnerabilities.
1) Type Confusion (CVE-ID: CVE-2023-4068)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Type Confusion (CVE-ID: CVE-2023-4069)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Type Confusion (CVE-ID: CVE-2023-4070)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Heap-based buffer overflow (CVE-ID: CVE-2023-4071)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in Visuals. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
5) Out-of-bounds write (CVE-ID: CVE-2023-4072)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in WebGL in Google Chrome. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
6) Buffer overflow (CVE-ID: CVE-2023-4073)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in ANGLE in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
7) Use-after-free (CVE-ID: CVE-2023-4074)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Blink Task Scheduling component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
8) Use-after-free (CVE-ID: CVE-2023-4075)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Cast component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
9) Use-after-free (CVE-ID: CVE-2023-4076)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the WebRTC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
10) Input validation error (CVE-ID: CVE-2023-4077)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in Extensions in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
11) Improperly implemented security check for standard (CVE-ID: CVE-2023-4078)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Extensions in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
12) Security features bypass (CVE-ID: CVE-2023-38157)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error when processing Web Archive files. A remote attacker can trick the victim to open a specially crafted file and gain access to stored cookies from the browser storage.
13) Information disclosure (CVE-ID: CVE-2023-38158)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can trick the victim to visit a specially crafted website and gain access to sensitive information.
14) Input validation error (CVE-ID: CVE-2023-36787)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of files. A remote attacker can trick the victim to visit a specially crafted website and execute arbitrary code on the target system.
Remediation
Install update from vendor's website.
References
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4068
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4069
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4070
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4071
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4072
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4073
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4074
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4075
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4076
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4077
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4078
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-38157
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-38158
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36787