Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
kasperskyKaspersky LabKLA11306
HistoryAug 14, 2018 - 12:00 a.m.

KLA11306 Multiple vulnerabilities in Microsoft Browsers

2018-08-1400:00:00
Kaspersky Lab
threats.kaspersky.com
798

7.6 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

9 High

AI Score

Confidence

Low

0.964 High

EPSS

Percentile

99.6%

JSON

Multiple vulnerabilities were found in Microsoft Browsers. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface, obtain sensitive information, bypass security restrictions.

Below is a complete list of vulnerabilities:

  1. A memory corruption vulnerability in Scripting Engine can be exploited remotely via specially crafted website to execute arbitrary code.
  2. A memory corruption vulnerability in Chakra Scripting Engine can be exploited remotely via specially crafted website to execute arbitrary code.
  3. A memory corruption vulnerability in Scripting Engine can be exploited remotely via IMPORTANTTHING to execute arbitrary code.
  4. A memory corruption vulnerability in Microsoft Edge can be exploited remotely via specially crafted website to execute arbitrary code.
  5. An elevation of privilege vulnerability in Microsoft Browser can be exploited remotely via IMPORTANTTHING to gain privileges.
  6. A spoofing vulnerability in Microsoft Edge can be exploited remotely via specially crafted website to spoof user interface.
  7. A remote code execution vulnerability in Internet Explorer can be exploited remotely via specially crafted website to execute arbitrary code.
  8. An information disclosure vulnerability in Microsoft Browser can be exploited remotely via IMPORTANTTHING to obtain sensitive information.
  9. A memory corruption vulnerability in Microsoft Browser can be exploited remotely via specially crafted website to execute arbitrary code.
  10. An information disclosure vulnerability in Microsoft Edge can be exploited remotely via IMPORTANTTHING to obtain sensitive information.
  11. A security feature bypass vulnerability in Microsoft Edge can be exploited remotely via specially crafted website to bypass security restrictions.

Original advisories

CVE-2018-8372

CVE-2018-8385

CVE-2018-8266

CVE-2018-8380

CVE-2018-8381

CVE-2018-8355

CVE-2018-8390

CVE-2018-8387

CVE-2018-8357

CVE-2018-8353

CVE-2018-8383

CVE-2018-8377

CVE-2018-8389

CVE-2018-8316

CVE-2018-8388

CVE-2018-8371

CVE-2018-8351

CVE-2018-8373

CVE-2018-8403

CVE-2018-8370

CVE-2018-8358

CVE-2018-8384

CVE-2018-8359

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Microsoft-Internet-Explorer

Microsoft-Edge

ChakraCore

CVE list

CVE-2018-8384 critical

CVE-2018-8372 critical

CVE-2018-8385 critical

CVE-2018-8266 critical

CVE-2018-8380 critical

CVE-2018-8359 critical

CVE-2018-8381 critical

CVE-2018-8355 critical

CVE-2018-8390 critical

CVE-2018-8387 critical

CVE-2018-8357 high

CVE-2018-8353 critical

CVE-2018-8383 warning

CVE-2018-8377 critical

CVE-2018-8389 critical

CVE-2018-8316 critical

CVE-2018-8388 warning

CVE-2018-8371 critical

CVE-2018-8351 warning

CVE-2018-8373 critical

CVE-2018-8403 critical

CVE-2018-8370 warning

CVE-2018-8358 warning

KB list

4343909

4343885

4343887

4343892

4343897

4343898

4343899

4343900

4343205

4343901

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

  • ChakraCoreMicrosoft Edge (EdgeHTML-based)Internet Explorer 10Internet Explorer 9Internet Explorer 11

References

Related

nessus 9
cve 22
prion 22
osv 15
cvelist 22
nvd 22
github 10
mskb 9
attackerkb 5
veracode 4
openvas 7
talosblog 1
threatpost 1
mscve 20
symantec 13
zdi 3
checkpoint_advisories 9
exploitdb 1
exploitpack 1
zdt 1
packetstorm 1
cisa_kev 1
nessus
nessus
Security Updates for Internet Explorer (August 2018)
2018-08-14 00:00:00
KB4343909: Windows 10 Version 1803 and Windows Server Version 1803 August 2018 Security Update (Foreshadow)
2018-08-14 00:00:00
KB4343887: Windows 10 Version 1607 and Windows Server 2016 August 2018 Security Update (Foreshadow)
2018-08-14 00:00:00
cve
cve
CVE-2018-8371
2018-08-15 17:29:06
CVE-2018-8390
2018-08-15 17:29:08
CVE-2018-8385
2018-08-15 17:29:08
prion
prion
Remote code execution
2018-08-15 17:29:00
Remote code execution
2018-08-15 17:29:00
Remote code execution
2018-08-15 17:29:00
osv
osv
CVE-2018-8385
2018-08-15 17:29:08
CVE-2018-8390
2018-08-15 17:29:08
ChakraCore RCE Vulnerability
2022-05-13 01:20:49
cvelist
cvelist
CVE-2018-8359
2018-08-15 17:00:00
CVE-2018-8372
2018-08-15 17:00:00
CVE-2018-8385
2018-08-15 17:00:00
nvd
nvd
CVE-2018-8371
2018-08-15 17:29:06
CVE-2018-8359
2018-08-15 17:29:06
CVE-2018-8353
2018-08-15 17:29:05
github
github
ChakraCore RCE Vulnerability
2022-05-13 01:20:49
ChakraCore RCE Vulnerability
2022-05-13 01:20:49
ChakraCore RCE Vulnerability
2022-05-13 01:20:49
mskb
mskb
Cumulative security update for Internet Explorer: August 14, 2018
2018-08-14 07:00:00
August 14, 2018—KB4343909 (OS Build 17134.228)
2018-08-14 07:00:00
August 14, 2018—KB4343892 (OS Build 10240.17946)
2018-08-14 07:00:00
attackerkb
attackerkb
CVE-2018-8373
2018-08-15 00:00:00
CVE-2018-8390
2018-08-15 00:00:00
CVE-2018-8389
2018-08-15 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2018-08-16 09:38:32
Remote Code Execution (RCE)
2018-08-16 08:16:09
Arbitrary Code Execution
2018-08-16 07:48:08
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4343887)
2018-08-15 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4343909)
2018-08-15 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4343897)
2018-08-15 00:00:00
talosblog
talosblog
Microsoft Tuesday August 2018
2018-08-14 11:26:00
threatpost
threatpost
Patch Tuesday: Microsoft Addresses Two Zero-Days in 60-Flaw Roundup
2018-08-14 20:42:41
mscve
mscve
Microsoft Edge Security Feature Bypass Vulnerability
2018-08-14 07:00:00
Internet Explorer Remote Code Execution Vulnerability
2018-08-14 07:00:00
Microsoft Edge Memory Corruption Vulnerability
2018-08-14 07:00:00
symantec
symantec
Microsoft Internet Explorer CVE-2018-8316 Remote Code Execution Vulnerability
2018-08-14 00:00:00
Microsoft Edge CVE-2018-8358 Security Bypass Vulnerability
2018-08-14 00:00:00
Microsoft Edge Chakra Scripting Engine CVE-2018-8380 Remote Memory Corruption Vulnerability
2018-08-14 00:00:00
zdi
zdi
Microsoft Office Word Preview Unsafe Hyperlink Remote Code Execution Vulnerability
2018-08-14 00:00:00
Microsoft Windows VBScript Class_Terminate Use After Free Remote Code Execution Vulnerability
2018-08-14 00:00:00
Microsoft Windows VBScript Array Use-After-Free Remote Code Execution Vulnerability
2018-08-14 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Edge Chakra Scripting Engine Memory Corruption (CVE-2018-8266)
2018-08-14 00:00:00
Microsoft Internet Explorer Scripting Engine Memory Corruption (CVE-2018-8371)
2018-08-14 00:00:00
Microsoft Edge Memory Corruption (CVE-2018-8387)
2018-08-14 00:00:00
exploitdb
exploitdb
Microsoft Edge Chakra - OP_Memset Type Confusion
2018-11-19 00:00:00
exploitpack
exploitpack
Microsoft Edge Chakra - OP_Memset Type Confusion
2018-11-19 00:00:00
zdt
zdt
Microsoft Windows - JScript RegExp.lastIndex Use-After-Free Exploit
2018-08-28 00:00:00
packetstorm
packetstorm
Microsoft Edge Chakra OP_Memset Type Confusion
2018-11-19 00:00:00
cisa_kev
cisa_kev
Microsoft Scripting Engine Memory Corruption Vulnerability
2022-03-25 00:00:00

7.6 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

9 High

AI Score

Confidence

Low

0.964 High

EPSS

Percentile

99.6%

JSON
Related for KLA11306
nessus9cve22prion22osv15cvelist22nvd22github10mskb9attackerkb5veracode4openvas7talosblog1threatpost1mscve20symantec13zdi3checkpoint_advisories9exploitdb1exploitpack1zdt1packetstorm1cisa_kev1