SB2023091801 - Multiple vulnerabilities in Microsoft Edge
Published: September 18, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-4904)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Downloads in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
2) Improperly implemented security check for standard (CVE-ID: CVE-2023-4902)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Input in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-4906)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Autofill in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
4) Input validation error (CVE-ID: CVE-2023-36562)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when handling files. A remote attacker can trick the victim to open a specially crafted file and bypass browser sandbox restrictions.
5) Improperly implemented security check for standard (CVE-ID: CVE-2023-4900)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Custom Tabs in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
6) Spoofing attack (CVE-ID: CVE-2023-36727)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick the victim to visit a malicious URL and spoof the content of a legitimate website.
7) Improperly implemented security check for standard (CVE-ID: CVE-2023-4907)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Intents in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
8) Improperly implemented security check for standard (CVE-ID: CVE-2023-4909)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Interstitials in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
9) Improperly implemented security check for standard (CVE-ID: CVE-2023-4903)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Custom Mobile Tabs in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
10) Improperly implemented security check for standard (CVE-ID: CVE-2023-4908)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Picture in Picture in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
11) Improperly implemented security check for standard (CVE-ID: CVE-2023-4901)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Prompts in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
12) Input validation error (CVE-ID: CVE-2023-36735)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into visiting a malicious website, bypass browser sandbox restrictions and execute arbitrary code on the system.
13) Improperly implemented security check for standard (CVE-ID: CVE-2023-4905)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Prompts in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
Remediation
Install update from vendor's website.
References
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4904
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4902
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4906
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36562
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4900
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36727
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4907
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4909
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4903
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4908
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4901
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36735
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4905