
====================================================================

                                     CERT-Renater

                        Note d'Information No. 2016/VULN322
_____________________________________________________________________

DATE                : 14/09/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Microsoft Edge.

=====================================================================
KB3183043
https://technet.microsoft.com/en-us/library/security/MS16-105
____________________________________________________________________

MS16-105 Cumulative Security Update for Microsoft Edge (3183043)

Executive Summary

This security update resolves vulnerabilities in Microsoft Edge. The
most severe of the vulnerabilities could allow remote code execution if
a user views a specially crafted webpage using Microsoft Edge. An
attacker who successfully exploited the vulnerabilities could gain the
same user rights as the current user. Customers whose accounts are
configured to have fewer user rights on the system could be less
impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.


Affected Software

Microsoft Edge

Vulnerability Information

Multiple Microsoft Edge Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that
Microsoft Edge handles objects in memory. The vulnerabilities could
corrupt memory in a way that could allow an attacker to execute
arbitrary code in the context of the current user. An attacker who
successfully exploited the vulnerability could gain the same user
rights as the current user. If the current user is logged on with
administrative user rights, an attacker who successfully exploited the
vulnerabilities could take control of an affected system. An attacker
could then install programs; view, change, or delete data; or create
new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially
crafted website that is designed to exploit the vulnerabilities through
Microsoft Edge and then convince a user to view the website. An
attacker could also embed an ActiveX control marked "safe for
initialization" in an application or Microsoft Office document that
hosts the Edge rendering engine. The attacker could also take advantage
of compromised websites and websites that accept or host user-provided
content or advertisements. These websites could contain specially
crafted content that could exploit the vulnerabilities.

The security update addresses the vulnerabilities by modifying how
Microsoft Edge handles objects in memory.

The following table contains links to the standard entry for the
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title   CVE number 	Publicly disclosed    Exploited

Microsoft Browser Memory
Corruption Vulnerability 	CVE-2016-3247 	No 		No

Microsoft Edge Memory
Corruption Vulnerability 	CVE-2016-3294 	No 		No

Microsoft Browser Memory
Corruption Vulnerability 	CVE-2016-3295 	No 		No

Microsoft Browser Memory
Corruption Vulnerability 	CVE-2016-3297 	No 		No

Microsoft Edge Memory
Corruption Vulnerability 	CVE-2016-3330 	No 		No


Multiple Scripting Engine Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that the 
Chakra JavaScript engine renders when handling objects in memory in
Microsoft Edge. The vulnerabilities could corrupt memory in such a way
that an attacker could execute arbitrary code in the context of the
current user. An attacker who successfully exploited the
vulnerabilities could gain the same user rights as the current user. If
the current user is logged on with administrative user rights, an
attacker who successfully exploited the vulnerabilities could take
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights. In a web-based attack scenario, an attacker could host a
specially crafted website that is designed to exploit the
vulnerabilities through Microsoft Edge and then convince a user to view
the website. An attacker could also embed an ActiveX control marked
"safe for initialization" in an application or Microsoft Office
document that hosts the Edge rendering engine. The attacker
could also take advantage of compromised websites, and websites that
accept or host user-provided content or advertisements. These websites
could contain specially crafted content that could exploit the
vulnerabilities.

The security update addresses the vulnerabilities by modifying how the
Chakra JavaScript scripting engine handles objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title   CVE number   Publicly disclosed 	Exploited

Scripting Engine Memory
Corruption Vulnerability 	CVE-2016-3350 	No 	No

Scripting Engine Memory
Corruption Vulnerability 	CVE-2016-3377 	No 	No


Microsoft Browser Information Disclosure Vulnerability CVE-2016-3291

An information disclosure vulnerability exists in the way that
Microsoft Edge handles cross-origin requests. An attacker who
successfully exploited this vulnerability could determine the origin of
all of the web pages in the affected browser.

In a web-based attack scenario, an attacker could host a website that
is used to attempt to exploit the vulnerability. Additionally,
compromised websites and websites that accept or host user-provided
content could contain specially crafted content that could be used to
exploit the vulnerabilities. However, in all cases an attacker would
have no way to force users to view attacker-controlled content.
Instead, an attacker would have to convince users to take action. For
example, an attacker could trick users into clicking a link that takes
them to the attacker's site.

The security update addresses the vulnerability by correcting how
Microsoft Edge handles cross-origin resources.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title   CVE number   Publicly disclosed 	Exploited

Microsoft Browser Information
Disclosure Vulnerability 	CVE-2016-3291 	No 	No


Microsoft Browser Information Disclosure Vulnerability CVE-2016-3325

An information disclosure vulnerability exists in the way that certain
functions handle objects in memory. An attacker who successfully
exploited the vulnerabilities could obtain information to further
compromise a target system.

In a web-based attack scenario an attacker could host a website that is
used to attempt to exploit the vulnerabilities. Additionally,
compromised websites and websites that accept or host user-provided
content could contain specially crafted content that could be used to
exploit the vulnerabilities. However, in all cases an attacker would
have no way to force users to view attacker-controlled content.
Instead, an attacker would have to convince users to take action. For
example, an attacker could trick users into clicking a link that takes
them to the attacker's site.

The security update addresses the vulnerability by correcting how
certain functions handle objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title CVE number   Publicly disclosed 	Exploited

Microsoft Browser Information
Disclosure Vulnerability 	CVE-2016-3325 	No 	No


Multiple Information Disclosure Vulnerabilities

Multiple information disclosure vulnerabilities exist in the way that
the affected components handle objects in memory. An attacker who
successfully exploited the vulnerabilities could obtain information to
further compromise a target system.

In a web-based attack scenario an attacker could host a website that is
used to attempt to exploit the vulnerabilities. Additionally,
compromised websites and websites that accept or host user-provided
content could contain specially crafted content that could be used to
exploit the vulnerabilities. However, in all cases an attacker would
have no way to force users to view attacker-controlled content.
Instead, an attacker would have to convince users to take action. For
example, an attacker could trick users into clicking a link that takes
them to the attacker's site.

The update addresses the vulnerabilities by correcting how the affected
components handle objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title   CVE number   Publicly disclosed 	Exploited

Microsoft Browser Information
Disclosure Vulnerability 	CVE-2016-3351 	No 	No

PDF Library Information
Disclosure Vulnerability 	CVE-2016-3370 	No 	No

PDF Library Information
Disclosure Vulnerability 	CVE-2016-3374 	No 	No


==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================