Lucene search

Kaspersky LabKLA20163

HistoryJan 12, 2023 - 12:00 a.m.

KLA20163 Multiple vulnerabilities in Microsoft Browser

2023-01-1200:00:00

Kaspersky Lab

threats.kaspersky.com

microsoft browser

malicious users

denial of service

gain privileges

execute arbitrary code

file system api

fullscreen api

permission prompts

iframe sandbox

untrusted input

downloads

policy enforcement

cors

elevation of privilege

microsoft edge

use after free

cart

heap buffer overflow

network service

remote code execution

libphonenumber

cve-2023-0130

cve-2023-0132

cve-2023-0131

cve-2023-0139

cve-2023-0133

cve-2023-0140

cve-2023-0131

cve-2023-0141

cve-2023-21796

cve-2023-0136

cve-2023-0134

cve-2023-0129

cve-2023-0135

cve-2023-21775

cve-2023-0138

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.019

Percentile

88.6%

JSON

Multiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges, execute arbitrary code.

Below is a complete list of vulnerabilities:

Implementation vulnerability in File System API can be exploited to cause denial of service.
Implementation vulnerability in Fullscreen API can be exploited to cause denial of service.
Implementation vulnerability in Permission prompts can be exploited to cause denial of service.
Implementation vulnerability in iframe Sandbox can be exploited to cause denial of service.
Validation of untrusted input vulnerability in Downloads can be exploited to cause denial of service.
Policy enforcement vulnerability in CORS can be exploited to cause denial of service.
An elevation of privilege vulnerability in Microsoft Edge (Chromium-based) can be exploited remotely to gain privileges.
Use after free vulnerability in Cart can be exploited to cause denial of service or execute arbitrary code.
Heap buffer overflow vulnerability in Network Service can be exploited to cause denial of service.
A remote code execution vulnerability in Microsoft Edge (Chromium-based) can be exploited remotely to execute arbitrary code.
Heap buffer overflow vulnerability in libphonenumber can be exploited to cause denial of service.

Original advisories

Related products

Microsoft-Edge

CVE list

CVE-2023-0129 critical

CVE-2023-0132 high

CVE-2023-0136 critical

CVE-2023-0133 high

CVE-2023-0140 high

CVE-2023-0131 high

CVE-2023-0138 critical

CVE-2023-0135 critical

CVE-2023-0134 critical

CVE-2023-0130 high

CVE-2023-0141 warning

CVE-2023-0139 high

CVE-2023-21796 critical

CVE-2023-21775 critical

KB list

Solution

Install necessary updates from the Settings and more menu, that are listed in your About Microsoft Edge page (Microsoft Edge About page usually can be accessed from the Help and feedback option)

Microsoft Edge update settings

Impacts

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.