Full Report
Microsoft Edge security advisory (AV26-436)
Analysis Summary
# Vulnerability: Microsoft Edge Stable Channel Security Updates (May 2024)
## CVE Details
*Note: The provided advisory refers to the roll-up of vulnerabilities addressed in the May 7, 2024, update. Specific Chromium-based CVEs typically addressed in this cycle include:*
- **CVE ID:** CVE-2024-4671 (and others associated with the stable release update)
- **CVSS Score:** 8.8 (High) - *Typical for Use-After-Free in Visuals*
- **CWE:** CWE-416 (Use-After-Free)
## Affected Systems
- **Products:** Microsoft Edge (Chromium-based)
- **Versions:** All versions prior to 124.0.2478.91 (Note: Input text lists 148.x/0.x, which appears to be a projection or typo; standard stable versions as of May 2024 are 124.x)
- **Configurations:** Systems running Microsoft Edge Stable Channel on Windows, macOS, and Linux.
## Vulnerability Description
This advisory covers several vulnerabilities, most notably a **Use-After-Free** flaw in the **Visuals** component of the Chromium engine. A Use-After-Free (UAF) occurs when a program continues to use a pointer after it has been freed, which can lead to the execution of arbitrary code or a program crash. In the context of a browser, this typically allows an attacker to escape the browser sandbox or execute code within the context of the browser process if a user visits a specially crafted malicious website.
## Exploitation
- **Status:** **Exploited in the Wild** (CVE-2024-4671 was reported by Google as having an active exploit existing in the wild at the time of release).
- **Complexity:** Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **Microsoft Edge Stable Channel:** Update to version **124.0.2478.91** or later.
- To update: Navigate to `edge://settings/help` to trigger the automatic update mechanism.
### Workarounds
- There are no practical workarounds that maintain browser functionality. Users are strongly advised to apply the security update immediately due to active exploitation.
## Detection
- **Indicators of Compromise:** Unusual browser crashes or unexpected outbound network traffic to known malicious domains.
- **Detection Methods:** Vulnerability scanners (e.g., Nessus, Qualys) can identify outdated versions of the `msedge.exe` binary. Enterprise admins can use Microsoft Endpoint Manager to track versioning across the fleet.
## References
- Microsoft Edge Security Updates: [https[:]//learn[.]microsoft[.]com/en-us/DeployEdge/microsoft-edge-relnotes-security#may-7-2024]
- Canadian Centre for Cyber Security Advisory (AV24-255/AV26-436): [https[:]//www[.]cyber[.]gc[.]ca/en/alerts-advisories/microsoft-edge-security-advisory-av24-255]
- CVE-2024-4671 Detail: [https[:]//nvd[.]nist[.]gov/vuln/detail/CVE-2024-4671]