KLA11290 Multiple vulnerabilities in Microsoft Edge and Internet Explorer

Multiple vulnerabilities were found in Microsoft Edge and Internet Explorer. Malicious users can exploit these vulnerabilities to spoof user interface, execute arbitrary code, obtain sensitive information, bypass security restrictions, gain privileges.

Below is a complete list of vulnerabilities:

1. A security feature bypass vulnerability in Internet Explorer can be exploited remotely to bypass security restrictions.
2. A spoofing vulnerability in Microsoft Edge can be exploited remotely to spoof user interface.
3. A memory corruption vulnerability in Scripting Engine can be exploited remotely to execute arbitrary code.
4. A memory corruption vulnerability in Chakra Scripting Engine can be exploited remotely to execute arbitrary code.
5. A memory corruption vulnerability in Microsoft Edge can be exploited remotely to execute arbitrary code.
6. A memory corruption vulnerability in Microsoft Edge can be exploited remotely to obtain sensitive information.
7. An information disclosure vulnerability in Microsoft Edge based on Edge HTML can be exploited remotely to obtain sensitive information.
8. A security feature bypass vulnerability in Scripting Engine can be exploited remotely to bypass security restrictions.

Original advisories

CVE-2018-0949

CVE-2018-8278

CVE-2018-8242

CVE-2018-8286

CVE-2018-8279

CVE-2018-8324

CVE-2018-8294

CVE-2018-8296

CVE-2018-8297

CVE-2018-8262

CVE-2018-8125

CVE-2018-8276

CVE-2018-8280

CVE-2018-8290

CVE-2018-8274

CVE-2018-8325

CVE-2018-8301

CVE-2018-8289

CVE-2018-8288

CVE-2018-8291

CVE-2018-8275

CVE-2018-8287

CVE-2018-8298

CVE-2018-8283

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Microsoft-Internet-Explorer

Microsoft-Edge

ChakraCore

CVE list

CVE-2018-0949 warning

CVE-2018-8278 high

CVE-2018-8242 critical

CVE-2018-8286 critical

CVE-2018-8279 critical

CVE-2018-8324 warning

CVE-2018-8294 critical

CVE-2018-8296 critical

CVE-2018-8297 warning

CVE-2018-8262 critical

CVE-2018-8125 critical

CVE-2018-8276 warning

CVE-2018-8280 critical

CVE-2018-8290 critical

CVE-2018-8274 critical

CVE-2018-8325 warning

CVE-2018-8301 critical

CVE-2018-8289 warning

CVE-2018-8288 critical

CVE-2018-8291 critical

CVE-2018-8275 critical

CVE-2018-8287 critical

CVE-2018-8298 critical

CVE-2018-8283 critical

KB list

4338830

4338815

4338825

4338814

4338818

4338829

4338819

4338826

4345421

4345419

4338816

4345455

4338831

4345459

4345420

4345424

4338821

4345425

4345418

4339093

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Internet Explorer 10Internet Explorer 11Microsoft Edge (EdgeHTML-based)ChakraCore