.webp)
Three vulnerabilities were patched in the recent Edge release. Two are Remote Code Execution vulnerabilities and are considered a Type Confusion in V8, they allow a remote attacker to exploit heap corruption via a crafted HTML page. These vulnerabilities are CVE-2024-1939 and CVE-2024-1938. The other vulnerability is a low severity information disclosure vulnerability present in Microsoft Edge for Android. It is classified as CVE-2024-26186. These vulnerabilities are fixed in the latest Microsoft Edge Stable Channel, 122.0.2363.63.
No CVSS scores were supplied for the type confusion in V8 vulnerabilities, but typically these are high severity. They also require the attacker to specifically craft an HTML webpage and for that webpage to be opened on the victim’s machine. The low severity information disclosure only applies to Edge for Android.
Overall this is a typical Edge release with no actively exploited vulnerabilities associated with the security update.
It is advised to apply the patch to Edge as soon as possible. If you or your organization uses Microsoft Edge as the browser of choice apply the updates promptly. Typically these updates have little to no impact on day-to-day operations.
Update to Edge version 122.0.2363.63 or later for remediation. A manual update can be applied by navigating to the top right of the browser, selecting the three dots, selecting settings, on the left settings tab select “About Microsoft Edge”. This should download the update, restarting the browser is required for it to be applied.
Exploitation of these vulnerabilities can potentially allow for information disclosure and remote code execution. This could result in monetary loss, data loss, and business inefficiencies as a result of triage and incident response.
Patch: Perform updates on browsers as soon as possible. This can be done in an automated manner to help expedite the process.
Monitor and Block: To exploit the high severity vulnerabilities from this release, they require a user to navigate to a specifically crafted HTML page. If these pages can be reviewed and blocked before they can reach the end user, it will prevent exploitation.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-1939
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-1938
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26196
In December 2020, Ticketmaster was hit with a $10 million fine for an act of corporate espionage. The company had engaged in unauthorized access to a competitor's computer systems, using stolen login credentials to gather confidential business intelligence. Although this scandal broke nearly four years ago, it serves as a reminder of the legal and ethical responsibilities businesses must adhere to in today’s marketplace.
Hospitals and healthcare providers have increasingly become targets of cyberattacks, which pose significant risks to patient care and safety. This document examines the various ways in which cyberattacks can disrupt hospital operations, compromise patient data security, and ultimately affect the quality of patient care. It also explores strategies and best practices that hospitals can implement to mitigate these risks and enhance their cybersecurity posture.
Ethical hacking has become an essential response to an IT industry kept on its toes by a spectrum of bad actors with malicious intent. This article introduces two prominent methodologies that help the good guys fight back: penetration testing (pen-testing) and red teaming. Learn more here.
Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting; and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.
