Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
kasperskyKaspersky LabKLA10968
HistoryMar 14, 2017 - 12:00 a.m.

KLA10968 Multiple vulnerabilities in Microsoft Edge

2017-03-1400:00:00
Kaspersky Lab
threats.kaspersky.com
197

7.6 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.973 High

EPSS

Percentile

99.9%

JSON

Multiple serious vulnerabilities have been found in Microsoft Edge. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information and bypass security restrictions.

Below is a complete list of vulnerabilities:

  1. An incorrect handling of objects in memory done by JScript and VBScript while rendering can be exploited remotely via a specially designed website or Microsoft Office document that hosts the IE engine to execute arbitrary code and gain privileges;
  2. An improper handling of objects in memory done by affected components can be exploited remotely via specially designed content to obtain sensitive information;
  3. An inaccurate parsing of HTTP responses can be exploited remotely via a specially designed website to spoof content or trigger another attack in web services;
  4. A type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll can be exploited remotely via vectors involving a specially designed CSS token sequence and specially designed JavaScript code working with a TH element to execute arbitrary code and possibly to cause a denial of service;
  5. An improper handling of objects in memory done by Microsoft Windows PDF can be exploited remotely via a specially designed website with malicious PDF content to execute arbitrary code;
  6. A failure in applying Same Origin Policy for HTML elements present in the other browser windows can be exploited remotely via a specially designed webpage or website to bypass security restrictions;
  7. An improper access to the objects in memorry can be exploited remotely via a specially designed website to execute arbitrary code.

Original advisories

MS17-007

CVE-2017-0065

CVE-2017-0066

CVE-2017-0067

CVE-2017-0068

CVE-2017-0069

CVE-2017-0070

CVE-2017-0071

CVE-2017-0094

CVE-2017-0037

CVE-2017-0131

CVE-2017-0132

CVE-2017-0133

CVE-2017-0134

CVE-2017-0135

CVE-2017-0136

CVE-2017-0137

CVE-2017-0138

CVE-2017-0140

CVE-2017-0141

CVE-2017-0150

CVE-2017-0151

CVE-2017-0009

CVE-2017-0010

CVE-2017-0011

CVE-2017-0012

CVE-2017-0015

CVE-2017-0017

CVE-2017-0023

CVE-2017-0032

CVE-2017-0033

CVE-2017-0034

CVE-2017-0035

Exploitation

Public exploits exist for this vulnerability.

Related products

Microsoft-Edge

CVE list

CVE-2017-0065 warning

CVE-2017-0066 warning

CVE-2017-0067 critical

CVE-2017-0068 warning

CVE-2017-0069 warning

CVE-2017-0070 critical

CVE-2017-0071 critical

CVE-2017-0094 critical

CVE-2017-0037 critical

CVE-2017-0131 critical

CVE-2017-0132 critical

CVE-2017-0133 critical

CVE-2017-0134 critical

CVE-2017-0135 warning

CVE-2017-0136 critical

CVE-2017-0137 critical

CVE-2017-0138 critical

CVE-2017-0140 warning

CVE-2017-0141 critical

CVE-2017-0150 critical

CVE-2017-0151 critical

CVE-2017-0009 warning

CVE-2017-0010 critical

CVE-2017-0011 warning

CVE-2017-0012 warning

CVE-2017-0015 critical

CVE-2017-0017 warning

CVE-2017-0023 critical

CVE-2017-0032 critical

CVE-2017-0033 warning

CVE-2017-0034 critical

CVE-2017-0035 critical

KB list

4012606

4013198

4013429

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

  • Microsoft Edge

References

Related

openvas 3
cve 30
veracode 15
prion 31
cvelist 31
nvd 30
nessus 2
mskb 7
kaspersky 1
threatpost 1
symantec 16
seebug 3
zdt 2
mscve 15
checkpoint_advisories 5
myhack58 3
cisa_kev 1
zdi 3
openvas
openvas
Microsoft Edge Multiple Vulnerabilities (4013071)
2017-03-15 00:00:00
Microsoft Internet Explorer Multiple Vulnerabilities (4013073)
2017-03-15 00:00:00
Microsoft Edge and Internet Explorer Type Confusion RCE Vulnerability
2017-03-01 00:00:00
cve
cve
CVE-2017-0015
2017-03-17 00:59:00
CVE-2017-0067
2017-03-17 00:59:01
CVE-2017-0070
2017-03-17 00:59:01
veracode
veracode
Remote Code Execution (RCE)
2018-12-05 01:48:56
Remote Code Execution (RCE)
2018-12-05 01:59:25
Remote Code Execution (RCE)
2018-12-05 02:39:58
prion
prion
Remote code execution
2017-03-17 00:59:00
Remote code execution
2017-03-17 00:59:00
Remote code execution
2017-03-17 00:59:00
cvelist
cvelist
CVE-2017-0131
2017-03-17 00:00:00
CVE-2017-0132
2017-03-17 00:00:00
CVE-2017-0035
2017-03-17 00:00:00
nvd
nvd
CVE-2017-0151
2017-03-17 00:59:04
CVE-2017-0071
2017-03-17 00:59:01
CVE-2017-0094
2017-03-17 00:59:02
nessus
nessus
MS17-007: Cumulative Security Update for Microsoft Edge (4013071)
2017-03-14 00:00:00
MS17-006: Cumulative Security Update for Internet Explorer (4013073)
2017-03-14 00:00:00
mskb
mskb
MS17-007: Cumulative security update for Microsoft Edge: March 14, 2017
2017-03-14 00:00:00
March 14, 2017—KB4013429 (OS Build 14393.953)
2017-03-14 07:00:00
March 14, 2017—KB4013198 (OS Build 10586.839)
2017-03-14 07:00:00
kaspersky
kaspersky
KLA10967 Multiple vulnerabilities in Microsoft Browser
2017-03-14 00:00:00
threatpost
threatpost
Patch Tuesday Returns; Microsoft Quiet on Postponement
2017-03-14 15:26:24
symantec
symantec
Microsoft Edge CVE-2017-0140 Security Bypass Vulnerability
2017-03-14 00:00:00
Microsoft Edge CVE-2017-0011 Information Disclosure Vulnerability
2017-03-14 00:00:00
Microsoft Internet Explorer and Edge CVE-2017-0012 Spoofing Vulnerability
2017-03-14 00:00:00
seebug
seebug
Microsoft Edge Fetch API allows setting of arbitrary request headers (CVE-2017-0140)
2017-03-15 00:00:00
Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free (CVE-2017-0070)
2017-03-20 00:00:00
Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement (CVE-2017-0037)
2017-02-26 00:00:00
zdt
zdt
Microsoft Edge Fetch API Arbitrary Header Setting Vulnerability
2017-03-15 00:00:00
Microsoft Internet Explorer - mshtml.dll Remote Code Execution (MS17-007) Exploit
2017-07-24 00:00:00
mscve
mscve
Microsoft Browser Spoofing Vulnerability
2017-03-14 07:00:00
Microsoft Edge based on Edge HTML Information Disclosure Vulnerability
2017-03-14 07:00:00
Scripting Engine Memory Corruption Vulnerability
2017-03-14 07:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Edge Scripting Engine Memory Corruption (MS17-007: CVE-2017-0141)
2017-03-14 00:00:00
Microsoft Scripting Engine Memory Corruption (MS17-007: CVE-2017-0070)
2017-03-14 00:00:00
Microsoft Edge Memory Corruption (MS17-007: CVE-2017-0034)
2017-03-14 00:00:00
myhack58
myhack58
CVE-2017-0135 vulnerability analysis: the use of the Edge of the browser XSS filter bypass CSP-vulnerability warning-the black bar safety net
2018-03-19 00:00:00
Type confusion vulnerability instance analysis-vulnerability warning-the black bar safety net
2019-02-21 00:00:00
CVE-2017-0037: the IE11&Edge Type Confusion from the PoC to the half of the Exploit-vulnerability warning-the black bar safety net
2017-03-21 00:00:00
cisa_kev
cisa_kev
Microsoft Edge and Internet Explorer Type Confusion Vulnerability
2022-03-28 00:00:00
zdi
zdi
Microsoft Edge CTransitionValues Out-Of-Bounds Read Information Disclosure Vulnerability
2017-03-21 00:00:00
Microsoft Windows JavaScript Spread Operator Uninitialized Memory Information Disclosure Vulnerability
2017-03-21 00:00:00
Microsoft Windows JavaScript Spread Operator Stack-based Buffer Overflow Remote Code Execution Vulnerability
2017-03-21 00:00:00

7.6 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.973 High

EPSS

Percentile

99.9%

JSON
Related for KLA10968
openvas3cve30veracode15prion31cvelist31nvd30nessus2mskb7kaspersky1threatpost1symantec16seebug3zdt2mscve15checkpoint_advisories5myhack583cisa_kev1zdi3