Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Patches Edge Flaws Disclosed at Pwn2Own

Microsoft this week patched several memory corruption vulnerabilities in the Edge web browser that were disclosed at the 2017 Pwn2Own hacking competition.

Microsoft this week patched several memory corruption vulnerabilities in the Edge web browser that were disclosed at the 2017 Pwn2Own hacking competition.

The white hat hackers who signed up for this year’s Pwn2Own earned a total of more than $800,000 for vulnerabilities in Windows, macOS, Ubuntu, Safari, Firefox, Edge, Flash Player, Adobe Reader, and VMware Workstation.

VMware, Mozilla, Adobe, Apple and Linux kernel developers addressed the flaws affecting their products in March and April, and Microsoft has now also started releasing patches. The Zero Day Initiative (ZDI), which organizes Pwn2Own, published six advisories on Wednesday for each of the security holes fixed by Microsoft.

The vulnerabilities affect the scripting engines used by Edge, including the Chakra JavaScript engine, and they can lead to privilege escalation, information disclosure and remote code execution. The following CVE identifiers have been assigned: CVE-2017-0233, CVE-2017-0234, CVE-2017-0240, CVE-2017-0238 and CVE-2017-0228.

According to ZDI, the use-after-free and heap-based buffer overflow vulnerabilities are related to the handling of Array, AudioBuffer, Array.unshift and ArrayBuffer objects. An attacker can exploit the flaws by getting the targeted user to visit a malicious website or open a specially crafted file.

Each of the vulnerabilities patched this week by Microsoft has a severity rating of “medium” in the ZDI advisories, with CVSS scores ranging from 4.3 to 6.9. Microsoft has assigned “critical” severity ratings to only two of the flaws: CVE-2017-0228 and CVE-2017-0240.

While not particularly dangerous on their own, some of the weaknesses can be highly valuable for attackers when combined with other bugs, as researchers demonstrated at the Pwn2Own competition.

Advertisement. Scroll to continue reading.

There is no evidence that any of these flaws have been exploited in the wild, and exploits have not been released by the experts who found them.

Pwn2Own participants also disclosed several Windows vulnerabilities, including ones leveraged in exploit chains targeting Adobe products and web browsers, but it’s unclear if the Windows flaws have been patched as well.

Microsoft released patches for more than 50 vulnerabilities this week, including four zero-days that have been exploited in attacks by profit-driven cybercriminals and cyber espionage groups linked to Russia.

Related Reading: Microsoft Edge to Block Flash by Default

Related Reading: Microsoft Adds Virtualization-based Security to Edge Browser

Related Reading: Microsoft Edge Tops Browser Protection Tests

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.