KLA12495 Multiple vulnerabilities in Microsoft Browser

Multiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, gain privileges, spoof user interface.

Below is a complete list of vulnerabilities:

1. Use after free vulnerability in Portals can be exploited to cause denial of service or execute arbitrary code.
2. Implementation vulnerability in Web Share API can be exploited to cause denial of service.
3. Use after free in WebRTC vulnerability can be exploited to cause denial of service or execute arbitrary code.
4. Insufficient validation of untrusted input in WebOTP can be exploited to cause denial of service.
5. An elevation of privilege vulnerability in Microsoft Edge (Chromium-based) can be exploited remotely to gain privileges.
6. Implementation vulnerability in Resource Timing can be exploited to cause denial of service.
7. Use after free vulnerability in Extensions can be exploited to cause denial of service or execute arbitrary code.
8. Use after free vulnerability in QR Code Generator can be exploited to cause denial of service or execute arbitrary code.
9. Implementation in Extensions can be exploited to cause denial of service.
10. Use after free vulnerability in Tab Strip can be exploited to cause denial of service or execute arbitrary code.
11. Implementation vulnerability in Background Fetch API can be exploited to cause denial of service.
12. A spoofing vulnerability in Microsoft Edge (Chromium-based) can be exploited remotely to spoof user interface.
13. Use after free vulnerability in Shopping Cart can be exploited to cause denial of service or execute arbitrary code.
14. Implementation vulnerability in Web Cursor can be exploited to cause denial of service.
15. Heap buffer overflow vulnerability in WebUI can be exploited to cause denial of service.
16. Type confusion vulnerability in V8 can be exploited to cause denial of service.
17. Use after free vulnerability in Cast UI can be exploited to cause denial of service or execute arbitrary code.
18. Implementation vulnerability in Full Screen Mode can be exploited to cause denial of service.

Original advisories

CVE-2022-1125

CVE-2022-1128

CVE-2022-1133

CVE-2022-1130

CVE-2022-26894

CVE-2022-1146

CVE-2022-1145

CVE-2022-1127

CVE-2022-1137

CVE-2022-26891

CVE-2022-1136

CVE-2022-26908

CVE-2022-26912

CVE-2022-1139

CVE-2022-24523

CVE-2022-1135

CVE-2022-1138

CVE-2022-1143

CVE-2022-26895

CVE-2022-26900

CVE-2022-1134

CVE-2022-1131

CVE-2022-24475

CVE-2022-1129

CVE-2022-26909

Related products

Microsoft-Edge

CVE list

CVE-2022-1143 critical

CVE-2022-1133 critical

CVE-2022-1134 critical

CVE-2022-1138 high

CVE-2022-1136 critical

CVE-2022-1127 critical

CVE-2022-1135 critical

CVE-2022-1129 high

CVE-2022-1139 high

CVE-2022-1137 high

CVE-2022-1130 critical

CVE-2022-1128 high

CVE-2022-1125 critical

CVE-2022-1146 high

CVE-2022-1145 critical

CVE-2022-1131 critical

CVE-2022-26894 critical

CVE-2022-26891 critical

CVE-2022-26908 critical

CVE-2022-26912 critical

CVE-2022-24523 warning

CVE-2022-26895 critical

CVE-2022-26900 critical

CVE-2022-24475 critical

CVE-2022-26909 critical

KB list

Solution

Install necessary updates from the Settings and more menu, that are listed in your About Microsoft Edge page (Microsoft Edge About page usually can be accessed from the Help and feedback option)

Microsoft Edge update settings

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Microsoft Edge (Chromium-based)