Vulnerability details
Advisory: SB2016101104 - Multiple vulnerabilities in Microsoft Edge
Vulnerable component: Microsoft Edge
CVE-ID: CVE-2016-7189
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CWE-ID: CWE-119 - Memory corruption
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into downloading it, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability will result in arbitrary code execution.
Note: the vulnerability was being actively exploited.
Public Exploits:
- Microsoft Edge - 'Array.join' Infomation Leak (MS16-119) [Exploit-DB]
External links:
https://technet.microsoft.com/library/security/ms16-119
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.securityweek.com/microsoft-patches-4-vulnerabilities-exploited-wild
https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-october-2016-p...
http://www.slideshare.net/LANDESK/october2016-patchtuesdayshavlik
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
http://www.dailystar.co.uk/tech/news/553358/Microsoft-Windows-10-critical-flaws-security-update-fix-...