SB2023082601 - Multiple vulnerabilities in Microsoft Edge

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2023-4427)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error in V8 in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.

2) Buffer overflow (CVE-ID: CVE-2023-4428)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error in CSS in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.

3) Use-after-free (CVE-ID: CVE-2023-4429)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Loader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

4) Use-after-free (CVE-ID: CVE-2023-4430)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Vulkan component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

5) Out-of-bounds read (CVE-ID: CVE-2023-4431)

The vulnerability allows a remote attacker to gain access to crash the browser.

The vulnerability exists due to a boundary condition within the Fonts component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and crash the browser.

6) Input validation error (CVE-ID: CVE-2023-36741)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim to download a specially crafted file and execute arbitrary code on the system.

Remediation

Install update from vendor's website.

References

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4427
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4428
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4429
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4430
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4431
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36741