Multiple vulnerabilities in Microsoft Edge (Chromium-based)



Risk High
Patch available YES
Number of vulnerabilities 16
CVE-ID CVE-2021-4062
CVE-2021-4068
CVE-2021-4067
CVE-2021-4066
CVE-2021-4065
CVE-2021-4064
CVE-2021-4063
CVE-2021-4061
CVE-2021-4052
CVE-2021-4059
CVE-2021-4058
CVE-2021-4057
CVE-2021-4056
CVE-2021-4055
CVE-2021-4054
CVE-2021-4053
CWE-ID CWE-122
CWE-20
CWE-416
CWE-191
CWE-843
CWE-451
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Microsoft Edge
Client/Desktop applications / Web browsers

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 16 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU58543

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4062

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in BFCache. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1272403
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4062


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU58548

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4068

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to crash the browser.

The vulnerability exists due to a improper input validation in new tab page in Google Chrome. A remote attacker can trick the victim to perform certain actions in browser and crash it.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1265197
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4068


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

EUVDB-ID: #VU58547

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4067

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the window manager component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1274641
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4067


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Integer underflow

EUVDB-ID: #VU58549

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4066

CWE-ID: CWE-191 - Integer underflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer underflow. A remote attacker can send a specially crafted request to the affected application, trigger integer underflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1274499
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4066


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use-after-free

EUVDB-ID: #VU58546

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4065

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the autofill component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1273674
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4065


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Use-after-free

EUVDB-ID: #VU58545

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4064

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the screen capture component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1273197
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4064


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use-after-free

EUVDB-ID: #VU58544

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4063

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the developer tools component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1273176
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4063


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Type Confusion

EUVDB-ID: #VU58542

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4061

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1271456
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4061


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Use-after-free

EUVDB-ID: #VU58534

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4052

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the web apps component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1267661
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4052


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Input validation error

EUVDB-ID: #VU58541

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4059

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in loader in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1270990
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4059


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Heap-based buffer overflow

EUVDB-ID: #VU58540

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4058

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in ANGLE. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1267496
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4058


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU58539

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4057

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the file API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1262183
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4057


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Type Confusion

EUVDB-ID: #VU58538

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4056

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the loader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1260939
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4056


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Heap-based buffer overflow

EUVDB-ID: #VU58537

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4055

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in extensions. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1266510
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4055


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Spoofing attack

EUVDB-ID: #VU58536

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4054

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1239760
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4054


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free

EUVDB-ID: #VU58535

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4053

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the UI component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 96.0.1054.43

CPE2.3 External links

http://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html
http://crbug.com/1267791
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-4053


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###