Proof-of-concept code for a remote code execution vulnerability (CVE-2018-8629) in the Microsoft Edge web browser has been published online. The vulnerability stems from a memory access error in Edge and allows an attacker to run arbitrary code on a computer with the same permissions as the logged-in user.
“A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft notes in its advisory this month.
I published the PoC for CVE-2018-8629: a JIT bug in Chakra fixed in the latest security updates. It resulted in an (almost) unbounded relative R/W https://t.co/47TIYtVB8f
— Bruno Keith (@bkth_) December 27, 2018
The proof-of-concept code is 71 lines long and results in an out-of-bounds (OOB) memory read leak, but the code can achieve even more harmful results with a simple redesign.
Microsoft fixed this problem in the December Patch Tuesday release and strongly recommends that users install the latest cumulative updates to ensure browsers and systems are protected from attacks.