KLA11045 Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer

Multiple serious vulnerabilities have been found in Microsoft Internet Explorer and Microsoft Edge. Malicious users can exploit these vulnerabilities to execute arbitrary code and obtain sensitive information.

Below is a complete list of vulnerabilities:

1. Multiple vulnerabilities related to an improper handling of objects in memory can be exploited remotely by convincing a user to visit a specially designed website to execute arbitrary code;
2. Incorrect restrictions put on the way the information is returned to Microsoft Edge by JavaScript object methods can be exploited remotely by convincing a user to visit a specially designed website to obtain sensitive information;
3. Multiple vulnerabilities related to an improper handling of objects in memory done by JavaScript scripting engines can be exploited remotely by convincing a user to visit a specially designed website, by embedding an ActiveX control marked “safe for initialization” in an application or via a Microsoft Office document which hosts the Edge rendering engine to execute arbitrary code;
4. An incorrect handling of specific filtered response types done by the Fetch API in Microsoft Edge can be exploited remotely by convincing a user to visit a specially designed website to obtain sensitive information;
5. An improper handling of objects in memory in Microsoft Internet Explorer can be exploited remotely by convincing a user to visit a specially designed website to execute arbitrary code;
6. An incorrect check for scripts which attempt to matipulate HTML elements in other browser windows can be exploited remotely by convincing a user to visit a specially designed website or load a specially designed page to bypass security restrictions;
7. An improper handling of objects in memory can be exploited remotely by convincing a user to visit a specially designed website to obtain sensitive information;
8. An improper enforcement of same-origin policies in Microsoft Edge can be exploited remotely by convincing a user to visit a specially designed website or load a specially designed page to bypass security restrictions;
9. An incorrect validation of documents done by the CSP (Content Security Policy) in Microsoft Edge can be exploited remotely by convincing a user to visit a specially designed website or load a specially designed page to bypass security restrictions.

Original advisories

CVE-2017-8520

CVE-2017-8498

CVE-2017-8499

CVE-2017-8496

CVE-2017-8497

CVE-2017-8523

CVE-2017-8530

CVE-2017-8524

CVE-2017-8522

CVE-2017-8549

CVE-2017-8517

CVE-2017-8521

CVE-2017-8504

CVE-2017-8548

CVE-2017-8519

CVE-2017-8547

CVE-2017-8555

CVE-2017-8529

CVE-2017-8496

CVE-2017-8497

CVE-2017-8498

CVE-2017-8499

CVE-2017-8504

CVE-2017-8517

CVE-2017-8519

CVE-2017-8520

CVE-2017-8521

CVE-2017-8522

CVE-2017-8523

CVE-2017-8524

CVE-2017-8529

CVE-2017-8547

CVE-2017-8548

CVE-2017-8549

CVE-2017-8555

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Microsoft-Internet-Explorer

Microsoft-Edge

CVE list

CVE-2017-8496 critical

CVE-2017-8497 critical

CVE-2017-8498 warning

CVE-2017-8499 critical

CVE-2017-8504 warning

CVE-2017-8517 critical

CVE-2017-8519 critical

CVE-2017-8520 critical

CVE-2017-8521 critical

CVE-2017-8522 critical

CVE-2017-8523 warning

CVE-2017-8524 critical

CVE-2017-8529 warning

CVE-2017-8530 high

CVE-2017-8547 critical

CVE-2017-8548 critical

CVE-2017-8549 critical

CVE-2017-8555 warning

KB list

4038788

4038782

4038783

4038792

4038799

4038781

4038777

4022719

4022726

4022714

4021558

4022724

4022727

4022715

4022725

4036586

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Microsoft EdgeMicrosoft Internet Explorer versions 9 through 11