KLA10740 Multiple vulnerabilities in Microsoft Internet Explorer and Edge

Multiple serious vulnerabilities have been found in Microsoft Internet Explorer and Edge. Malicious users can exploit these vulnerabilities to gain privileges or execute arbitrary code.

Below is a complete list of vulnerabilities

1. Improper memory objects handling at VBScript engine can be exploited remotely via a specially designed web content to execute arbitrary code;
2. Lack of cross-domain policies enforcement can be exploited remotely via a specially designed web content to gain privileges;
3. Improper memory objects handling can be exploited remotely via a specially designed web content to execute arbitrary code;
4. Improper memory objects handling at Chakra JavaScript can be exploited remotely via a specially designed web content to execute arbitrary code.

Technical details

To mitigate vulnerability (1) you can restrict access to VBScript.dll

Original advisories

CVE-2016-0002

CVE-2016-0024

CVE-2016-0005

CVE-2016-0003

Related products

Microsoft-Internet-Explorer

Microsoft-Edge

CVE list

CVE-2016-0002 critical

CVE-2016-0024 critical

CVE-2016-0005 warning

CVE-2016-0003 critical

KB list

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

Affected Products

• Microsoft EdgeMicrosoft Internet Explorer versions from 7 through 11