.webp)
Three vulnerabilities were patched in the recent Edge release. Two are Remote Code Execution vulnerabilities and are considered a Type Confusion in V8, they allow a remote attacker to exploit heap corruption via a crafted HTML page. These vulnerabilities are CVE-2024-1939 and CVE-2024-1938. The other vulnerability is a low severity information disclosure vulnerability present in Microsoft Edge for Android. It is classified as CVE-2024-26186. These vulnerabilities are fixed in the latest Microsoft Edge Stable Channel, 122.0.2363.63.
No CVSS scores were supplied for the type confusion in V8 vulnerabilities, but typically these are high severity. They also require the attacker to specifically craft an HTML webpage and for that webpage to be opened on the victim’s machine. The low severity information disclosure only applies to Edge for Android.
Overall this is a typical Edge release with no actively exploited vulnerabilities associated with the security update.
It is advised to apply the patch to Edge as soon as possible. If you or your organization uses Microsoft Edge as the browser of choice apply the updates promptly. Typically these updates have little to no impact on day-to-day operations.
Update to Edge version 122.0.2363.63 or later for remediation. A manual update can be applied by navigating to the top right of the browser, selecting the three dots, selecting settings, on the left settings tab select “About Microsoft Edge”. This should download the update, restarting the browser is required for it to be applied.
Exploitation of these vulnerabilities can potentially allow for information disclosure and remote code execution. This could result in monetary loss, data loss, and business inefficiencies as a result of triage and incident response.
Patch: Perform updates on browsers as soon as possible. This can be done in an automated manner to help expedite the process.
Monitor and Block: To exploit the high severity vulnerabilities from this release, they require a user to navigate to a specifically crafted HTML page. If these pages can be reviewed and blocked before they can reach the end user, it will prevent exploitation.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-1939
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-1938
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26196
On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.
As we conclude our 'ransomware readiness week' of this Cybersecurity Awareness Month, it's time to take a critical look at your organization's defenses. Ransomware attacks are becoming more sophisticated, and no business is immune. In our latest article, we explore essential strategies to bolster your ransomware preparedness. Don't miss this vital information to help protect your business from emerging threats.
Ethical hacking has become an essential response to an IT industry kept on its toes by a spectrum of bad actors with malicious intent. This article introduces two prominent methodologies that help the good guys fight back: penetration testing (pen-testing) and red teaming. Learn more here.
Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting; and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.
