DIESER SERVICE KANN ÜBERSETZUNGEN VON GOOGLE ENTHALTEN. GOOGLE ÜBERNIMMT KEINERLEI VERANTWORTUNG FÜR DIE ÜBERSETZUNGEN. DARUNTER FÄLLT JEGLICHE VERANTWORTUNG IN BEZUG AUF RICHTIGKEIT UND ZUVERLÄSSIGKEIT SOWIE JEGLICHE STILLSCHWEIGENDEN GEWÄHRLEISTUNGEN DER MARKTGÄNGIGKEIT, NICHT-VERLETZUNG VON RECHTEN DRITTER ODER DER EIGNUNG FÜR EINEN BESTIMMTEN ZWECK.

Die Website von Kaspersky Lab wurde für Ihre Bequemlichkeit mithilfe einer Übersetzungssoftware von Google Translate übersetzt. Es wurden angemessene Bemühungen für die Bereitstellung einer akkuraten Übersetzung unternommen. Bitte beachten Sie, dass automatisierte Übersetzungen nicht perfekt sind und menschliche Übersetzer in keinem Fall ersetzen sollen. Übersetzungen werden den Nutzern der Kaspersky-Lab-Website als Service und "wie sie sind" zur Verfügung gestellt. Die Richtigkeit, Zuverlässigkeit oder Korrektheit jeglicher Übersetzungen aus dem Englischen in eine andere Sprache wird weder ausdrücklich noch stillschweigend garantiert. Einige Inhalte (z. B. Bilder, Videos, Flash, usw.) können aufgrund der Einschränkungen der Übersetzungssoftware möglicherweise nicht inhaltsgetreu übersetzt werden.

KLA11084
Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer
Aktualisiert: 03/29/2019
Erkennungsdatum
?
08/08/2017
Schweregrad
?
Kritisch
Beschreibung

Multiple serious vulnerabilities have been found in Microsoft Internet Explorer and Microsoft Edge. Malicious users can exploit these vulnerabilities to gain privileges, bypass security restrictions, execute arbitrary code and obtain sensitive information.

Below is a complete list of vulnerabilities:

  1. An incorrect handling of sandboxing in Microsoft Edge can be exploited locally to gain privileges;
  2. An improper validation of UMCI (User Mode Code Integrity) policies can be exploited locally by convincing a user to visit a specially designed website and run a malicious application to bypass security restrictions;
  3. Multiple vulnerabilities related to improper handling of objects in memory in JavaScript engines can be exploited remotely via a specially designed website, Microsoft Office document that hosts the browser rendering engine or embedded ActiveX control marked “safe for initialization” in an application to execute arbitrary code;
  4. The ACG (Arbitrary Code Guard) bypass vulnerability related to an improper handling of accessing memory in code which is compiled by the Microsoft Edge JIT (Just-In-Time) compiler can be exploited remotely via a specially designed website to bypass security restrictions;
  5. An improper validation and sanitizing of JavaScript parameters in Microsoft Edge can be exploited remotely by convincing a user to click a specially designed link hosted on a malicious website to gain privileges;
  6. Multiple vulnerabilities related to an incorrect handling of objects in memory in certain functions in Microsoft Edge can be exploited remotely by convincing a user to view a specially designed website to obtain sensitive information;
  7. An improper enforcing of cross-domain policies in Microsoft Edge can be exploited remotely by convincing a user to load a specially designed page or visit a malicious website to bypass security restrictions;
  8. An incorrect handling of objects in memory in Microsoft Internet Explorer can be exploited remotely by convincing a user to view a specially designed website to execute arbitrary code;
  9. Multiple vulnerabilities related to an improper handling of objects in memory can be exploited remotely by convincing a user to view a specially designed website to execute arbitrary code;
  10. An incorrect handling of objects in memory in certain functions in the Chakra scripting engine can be exploited remotely by convincing a user to view a specially designed website to obtain sensitive information;
  11. An incorrect handling of objects in memory in Microsoft scripting engines in Microsoft Edge can be exploited remotely via a specially designed website, Microsoft Office document that hosts the browser rendering engine or embedded ActiveX control marked “safe for initialization” in an application to execute arbitrary code;
  12. An improper validation of strings in affected scenarios can be exploited remotely via a specially designed website to obtain sensitive information;
  13. Multiple vulnerabilities related to an improper handling of objects in memory in Microsoft Edge can be exploited remotely by convincing a user to view a specially designed website to execute arbitrary code;
  14. An improper handling of objects in memory in the Chakra JavaScript scripting engine can be exploited remotely to execute arbitrary code.

Technical details

To exploit vulnerabilities (9) and (13), an attacker can send an URL to the malicious website via email or instant message.

Exploit of vulnerability (12) allows attackers to get sensitive data from memory and possibly bypass ASLR (Address Space Layout Randomization).

Beeinträchtigte Produkte

Microsoft Internet Explorer versions 9 through 11
Microsoft Edge

Lösung

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Ursprüngliche Informationshinweise

CVE-2017-8647
CVE-2017-8646
CVE-2017-8645
CVE-2017-8644
CVE-2017-8625
CVE-2017-8642
CVE-2017-8641
CVE-2017-8640
CVE-2017-8669
CVE-2017-8661
CVE-2017-8662
CVE-2017-8503
CVE-2017-8638
CVE-2017-8639
CVE-2017-8636
CVE-2017-8637
CVE-2017-8634
CVE-2017-8635
CVE-2017-8655
CVE-2017-8656
CVE-2017-8657
CVE-2017-8650
CVE-2017-8651
CVE-2017-8652
CVE-2017-8653
CVE-2017-8672
CVE-2017-8670
CVE-2017-8671
CVE-2017-8659
CVE-2017-8674
CVE-2017-8503
CVE-2017-8634
CVE-2017-8635
CVE-2017-8636
CVE-2017-8637
CVE-2017-8638
CVE-2017-8639
CVE-2017-8640
CVE-2017-8641
CVE-2017-8642
CVE-2017-8644
CVE-2017-8645
CVE-2017-8646
CVE-2017-8647
CVE-2017-8651
CVE-2017-8652
CVE-2017-8653
CVE-2017-8655
CVE-2017-8656
CVE-2017-8657
CVE-2017-8659
CVE-2017-8661
CVE-2017-8662
CVE-2017-8669
CVE-2017-8670
CVE-2017-8671
CVE-2017-8672
CVE-2017-8674

Folgen
?
ACE 
[?]

OSI 
[?]

SB 
[?]

PE 
[?]
CVE-IDS
?
CVE-2017-85034.6Critical
CVE-2017-86256.8Critical
CVE-2017-86347.6Critical
CVE-2017-86357.6Critical
CVE-2017-86367.6Critical
CVE-2017-86372.6Critical
CVE-2017-86387.6Critical
CVE-2017-86397.6Critical
CVE-2017-86407.6Critical
CVE-2017-86417.6Critical
CVE-2017-86424.3Critical
CVE-2017-86444.3Critical
CVE-2017-86457.6Critical
CVE-2017-86467.6Critical
CVE-2017-86477.6Critical
CVE-2017-86505.8Critical
CVE-2017-86517.6Critical
CVE-2017-86524.3Critical
CVE-2017-86537.6Critical
CVE-2017-86557.6Critical
CVE-2017-86567.6Critical
CVE-2017-86577.6Critical
CVE-2017-86594.3Critical
CVE-2017-86617.6Critical
CVE-2017-86624.3Critical
CVE-2017-86697.6Critical
CVE-2017-86707.6Critical
CVE-2017-86717.6Critical
CVE-2017-86727.6Critical
CVE-2017-86747.6Critical
Offizielle Informationshinweise von Microsoft
Microsoft Sicherheitsupdate-Guide
KB-Liste

4034668
4034733
4034674
4034681
4034658
4034660
4034665
4034664


Link zum Original