Kaspersky LabKLA11954KLA11954 Multiple vulnerabilities in Microsoft Browsers
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.4 Medium
AI Score
Confidence
High
0.031 Low
EPSS
Percentile
91.1%
Multiple vulnerabilities were found in Microsoft browsers. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges.
Below is a complete list of vulnerabilities:
- A memory corruption vulnerability in Scripting Engine can be exploited remotely to execute arbitrary code.
- A memory corruption vulnerability in Internet Explorer Browser Helper Object (BHO) can be exploited remotely via specially crafted website to execute arbitrary code.
- An elevation of privilege vulnerability in WinINet API can be exploited remotely via specially crafted website to gain privileges.
- An elevation of privilege vulnerability in Windows Start-Up Application can be exploited remotely via specially crafted website to gain privileges.
- A memory corruption vulnerability in Microsoft Browser can be exploited remotely via specially crafted website to execute arbitrary code.
Original advisories
Related products
CVE list
CVE-2020-0878 warning
CVE-2020-1057 warning
CVE-2020-1172 warning
CVE-2020-16884 warning
CVE-2020-1180 warning
CVE-2020-1012 critical
CVE-2020-1506 high
KB list
Solution
Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Impacts
- ACE
Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.
- SB
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
- PE
Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.
Affected Products
- ChakraCoreMicrosoft Edge (Chromium-based)Internet Explorer 11Microsoft Edge (EdgeHTML-based)Internet Explorer 9
References
support.microsoft.com/kb/4570333
support.microsoft.com/kb/4571756
support.microsoft.com/kb/4574727
support.microsoft.com/kb/4577010
support.microsoft.com/kb/4577015
support.microsoft.com/kb/4577032
support.microsoft.com/kb/4577038
support.microsoft.com/kb/4577041
support.microsoft.com/kb/4577049
support.microsoft.com/kb/4577051
support.microsoft.com/kb/4577066
portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-0878
portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1012
portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1057
portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1172
portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1180
portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-1506
portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-16884
statistics.securelist.com/
threats.kaspersky.com/en/product/ChakraCore/
threats.kaspersky.com/en/product/Microsoft-Edge/
threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/
Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.4 Medium
AI Score
Confidence
High
0.031 Low
EPSS
Percentile
91.1%