.webp)
Summary
Three vulnerabilities were patched in the recent Edge release. Two are Remote Code Execution vulnerabilities and are considered a Type Confusion in V8, they allow a remote attacker to exploit heap corruption via a crafted HTML page. These vulnerabilities are CVE-2024-1939 and CVE-2024-1938. The other vulnerability is a low severity information disclosure vulnerability present in Microsoft Edge for Android. It is classified as CVE-2024-26186. These vulnerabilities are fixed in the latest Microsoft Edge Stable Channel, 122.0.2363.63.
Impact Assessment
No CVSS scores were supplied for the type confusion in V8 vulnerabilities, but typically these are high severity. They also require the attacker to specifically craft an HTML webpage and for that webpage to be opened on the victim’s machine. The low severity information disclosure only applies to Edge for Android.
Overall this is a typical Edge release with no actively exploited vulnerabilities associated with the security update.
What It Means for You
It is advised to apply the patch to Edge as soon as possible. If you or your organization uses Microsoft Edge as the browser of choice apply the updates promptly. Typically these updates have little to no impact on day-to-day operations.
Remediation
Update to Edge version 122.0.2363.63 or later for remediation. A manual update can be applied by navigating to the top right of the browser, selecting the three dots, selecting settings, on the left settings tab select “About Microsoft Edge”. This should download the update, restarting the browser is required for it to be applied.
Business Implications
Exploitation of these vulnerabilities can potentially allow for information disclosure and remote code execution. This could result in monetary loss, data loss, and business inefficiencies as a result of triage and incident response.
Access Point Technology Recommends
Patch: Perform updates on browsers as soon as possible. This can be done in an automated manner to help expedite the process.
Monitor and Block: To exploit the high severity vulnerabilities from this release, they require a user to navigate to a specifically crafted HTML page. If these pages can be reviewed and blocked before they can reach the end user, it will prevent exploitation.
Associated Bulletins
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-1939
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-1938
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26196
.jpg)
