KLA11318 Multiple vulnerabilities in Microsoft Browsers

Multiple vulnerabilities were found in Microsoft Browsers. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, gain privileges, bypass security restrictions, spoof user interface.

Below is a complete list of vulnerabilities:

1. A memory corruption vulnerability in Chakra Scripting Engine can be exploited remotely via specially crafted website to execute arbitrary code.
2. An information disclosure vulnerability in Microsoft Scripting Engine can be exploited remotely to obtain sensitive information.
3. A memory corruption vulnerability in Scripting Engine can be exploited remotely to execute arbitrary code.
4. A memory corruption vulnerability in Scripting Engine can be exploited remotely via specially crafted website to execute arbitrary code.
5. An information disclosure vulnerability in Scripting Engine can be exploited remotely via specially crafted content to obtain sensitive information.
6. An elevation of privilege vulnerability in Microsoft Edge can be exploited remotely to gain privileges.
7. An information disclosure vulnerability in Microsoft Edge can be exploited remotely to obtain sensitive information.
8. A security feature bypass vulnerability in Internet Explorer can be exploited remotely to bypass security restrictions.
9. A remote code execution vulnerability in Microsoft Edge PDF can be exploited remotely via specially crafted to execute arbitrary code.
10. A memory corruption vulnerability in Internet Explorer can be exploited remotely via specially crafted website to execute arbitrary code.
11. A spoofing vulnerability in Microsoft Edge can be exploited remotely via specially crafted website to spoof user interface.

Original advisories

CVE-2018-8466

CVE-2018-8315

CVE-2018-8459

CVE-2018-8367

CVE-2018-8354

CVE-2018-8452

CVE-2018-8456

CVE-2018-8465

CVE-2018-8467

CVE-2018-8469

CVE-2018-8366

CVE-2018-8470

CVE-2018-8464

CVE-2018-8447

CVE-2018-8425

CVE-2018-8457

CVE-2018-8463

CVE-2018-8461

CVE-2018-8391

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Microsoft-Internet-Explorer

Microsoft-Edge

ChakraCore

CVE list

CVE-2018-8391 critical

CVE-2018-8466 critical

CVE-2018-8315 warning

CVE-2018-8459 critical

CVE-2018-8367 critical

CVE-2018-8354 critical

CVE-2018-8452 warning

CVE-2018-8456 critical

CVE-2018-8465 critical

CVE-2018-8467 critical

CVE-2018-8469 warning

CVE-2018-8366 warning

CVE-2018-8470 warning

CVE-2018-8464 critical

CVE-2018-8447 critical

CVE-2018-8425 warning

CVE-2018-8457 critical

CVE-2018-8463 warning

CVE-2018-8461 critical

KB list

4457128

4457131

4457132

4457142

4457138

4457129

4457144

4457135

4457426

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Internet Explorer 11ChakraCoreInternet Explorer 10Internet Explorer 9Microsoft Edge (EdgeHTML-based)