Lucene search

K
kasperskyKaspersky LabKLA12601
HistoryAug 05, 2022 - 12:00 a.m.

KLA12601 Multiple vulnerabilities in Microsoft Browser

2022-08-0500:00:00
Kaspersky Lab
threats.kaspersky.com
19
microsoft browser
denial of service
arbitrary code execution
privilege escalation
sensitive information leakage
security bypass
implementation vulnerability
policy enforcement vulnerability
use after free vulnerability
remote code execution
heap buffer overflow
untrusted input validation
side-channel information leakage
edge chromium-based

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.007

Percentile

80.6%

Multiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, gain privileges, obtain sensitive information, bypass security restrictions.

Below is a complete list of vulnerabilities:

  1. Implementation vulnerability in Extensions API can be exploited to cause denial of service.
  2. Policy enforcement vulnerability in Cookies can be exploited to cause denial of service.
  3. Use after free vulnerability in Extensions can be exploited to cause denial of service or execute arbitrary code.
  4. Use after free vulnerability in Managed devices API can be exploited to cause denial of service or execute arbitrary code.
  5. Use after free vulnerability in Sign-In Flow can be exploited to cause denial of service or execute arbitrary code.
  6. An elevation of privilege vulnerability in Microsoft Edge (Chromium-based) can be exploited remotely to gain privileges.
  7. Heap buffer overflow vulnerability in PDF can be exploited to cause denial of service.
  8. Validation of untrusted input vulnerability in Safe Browsing can be exploited to cause denial of service.
  9. Use after free vulnerability in Omnibox can be exploited to cause denial of service or execute arbitrary code.
  10. Implementation vulnerability in Fullscreen API can be exploited to cause denial of service.
  11. Out of bounds read vulnerability in Dawn can be exploited to cause denial of service.
  12. Policy enforcement vulnerability in Background Fetch can be exploited to cause denial of service.
  13. Use after free vulnerability in Safe Browsing can be exploited to cause denial of service or execute arbitrary code.
  14. Side-channel information leakage vulnerability in Keyboard input can be exploited to obtain sensitive information.
  15. Use after free vulnerability in Offline can be exploited to cause denial of service or execute arbitrary code.
  16. Use after free vulnerability in Extensions API can be exploited to cause denial of service or execute arbitrary code.
  17. A security feature bypass vulnerability in Microsoft Edge (Chromium-based) can be exploited remotely to bypass security restrictions.
  18. A remote code execution vulnerability in Microsoft Edge (Chromium-based) can be exploited remotely to execute arbitrary code.
  19. Validation of untrusted input vulnerability in Settings can be exploited to cause denial of service.
  20. Validation of untrusted input vulnerability in Internals can be exploited to cause denial of service.

Original advisories

CVE-2022-2616

CVE-2022-2615

CVE-2022-2621

CVE-2022-2614

CVE-2022-35796

CVE-2022-2624

CVE-2022-2622

CVE-2022-2611

CVE-2022-2610

CVE-2022-2612

CVE-2022-2623

CVE-2022-2617

CVE-2022-33649

CVE-2022-33636

CVE-2022-2619

CVE-2022-2618

CVE-2022-2606

CVE-2022-2603

CVE-2022-2605

CVE-2022-2604

Exploitation

Public exploits exist for this vulnerability.

Related products

Microsoft-Edge

CVE list

CVE-2022-2605 high

CVE-2022-2610 high

CVE-2022-2606 critical

CVE-2022-2614 critical

CVE-2022-2623 critical

CVE-2022-2619 warning

CVE-2022-2617 critical

CVE-2022-2612 high

CVE-2022-2616 high

CVE-2022-2603 critical

CVE-2022-2611 warning

CVE-2022-2604 critical

CVE-2022-2621 critical

CVE-2022-2615 high

CVE-2022-2622 high

CVE-2022-2624 critical

CVE-2022-2618 high

CVE-2022-35796 critical

CVE-2022-33649 critical

CVE-2022-33636 critical

KB list

Solution

Install necessary updates from the Settings and more menu, that are listed in your About Microsoft Edge page (Microsoft Edge About page usually can be accessed from the Help and feedback option)

Microsoft Edge update settings

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

  • Microsoft Edge (Chromium-based)

References

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.007

Percentile

80.6%