cnvd - cnvd-2018-03520

cnvd-2018-03520

Vulnerability from cnvd

Title: Microsoft Edge和ChakraCore远程内存破坏漏洞（CNVD-2018-03520）

Description:

Microsoft Windows 10是美国微软（Microsoft）公司发布的一套新一代跨平台操作系统。Edge是其中的一个系统附带的浏览器。ChakraCore是使用在Edge的一个开源的JavaScript引擎的核心部分，也可作为单独的JavaScript引擎使用。

Microsoft Edge和ChakraCor存在远程内存破坏漏洞。远程攻击者可利用该漏洞在当前用户的上下文中执行任意代码，造成内存破坏。

Severity: 高

Patch Name: Microsoft Edge和ChakraCore远程内存破坏漏洞（CNVD-2018-03520）的补丁

Patch Description:

Microsoft Edge和ChakraCor存在远程内存破坏漏洞。远程攻击者可利用该漏洞在当前用户的上下文中执行任意代码，造成内存破坏。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布漏洞修复程序，请及时关注更新： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856

Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856 https://www.securityfocus.com/bid/102880

Impacted products

Name
['Microsoft Windows 10 1703', 'Microsoft Windows 10 1709', 'Microsoft Edge 0', 'Microsoft ChakraCore 0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "102880"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-0856"
    }
  },
  "description": "Microsoft Windows 10\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u53d1\u5e03\u7684\u4e00\u5957\u65b0\u4e00\u4ee3\u8de8\u5e73\u53f0\u64cd\u4f5c\u7cfb\u7edf\u3002Edge\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7cfb\u7edf\u9644\u5e26\u7684\u6d4f\u89c8\u5668\u3002ChakraCore\u662f\u4f7f\u7528\u5728Edge\u7684\u4e00\u4e2a\u5f00\u6e90\u7684JavaScript\u5f15\u64ce\u7684\u6838\u5fc3\u90e8\u5206\uff0c\u4e5f\u53ef\u4f5c\u4e3a\u5355\u72ec\u7684JavaScript\u5f15\u64ce\u4f7f\u7528\u3002\r\n\r\nMicrosoft Edge\u548cChakraCor\u5b58\u5728\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u9020\u6210\u5185\u5b58\u7834\u574f\u3002",
  "discovererName": "Johnathan Norman of Windows Devices Group \u00e2?? Operating System Security Team",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-03520",
  "openTime": "2018-02-26",
  "patchDescription": "Microsoft Windows 10\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u53d1\u5e03\u7684\u4e00\u5957\u65b0\u4e00\u4ee3\u8de8\u5e73\u53f0\u64cd\u4f5c\u7cfb\u7edf\u3002Edge\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7cfb\u7edf\u9644\u5e26\u7684\u6d4f\u89c8\u5668\u3002ChakraCore\u662f\u4f7f\u7528\u5728Edge\u7684\u4e00\u4e2a\u5f00\u6e90\u7684JavaScript\u5f15\u64ce\u7684\u6838\u5fc3\u90e8\u5206\uff0c\u4e5f\u53ef\u4f5c\u4e3a\u5355\u72ec\u7684JavaScript\u5f15\u64ce\u4f7f\u7528\u3002\r\n\r\nMicrosoft Edge\u548cChakraCor\u5b58\u5728\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5f53\u524d\u7528\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u9020\u6210\u5185\u5b58\u7834\u574f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Edge\u548cChakraCore\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff08CNVD-2018-03520\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Microsoft Windows 10 1703",
      "Microsoft Windows 10 1709",
      "Microsoft Edge 0",
      "Microsoft ChakraCore 0"
    ]
  },
  "referenceLink": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856\r\nhttps://www.securityfocus.com/bid/102880",
  "serverity": "\u9ad8",
  "submitTime": "2018-02-14",
  "title": "Microsoft Edge\u548cChakraCore\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\uff08CNVD-2018-03520\uff09"
}

CVE-2018-0856 (GCVE-0-2018-0856)

Vulnerability from cvelistv5

Published

2018-02-15 02:00

Modified

2024-09-16 20:06

Severity ?

CWE

Critical

Summary

Microsoft Edge and ChakraCore in Microsoft Windows 10 1703 and 1709 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866.

References

▼	URL	Tags
	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/102880	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id/1040372	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	Microsoft Corporation	Microsoft Edge, ChakraCore	Version: Microsoft Windows 10 1703 and 1709.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:44:10.888Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856"
          },
          {
            "name": "102880",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102880"
          },
          {
            "name": "1040372",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040372"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Edge, ChakraCore",
          "vendor": "Microsoft Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Microsoft Windows 10 1703 and 1709."
            }
          ]
        }
      ],
      "datePublic": "2018-02-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Microsoft Edge and ChakraCore in Microsoft Windows 10 1703 and 1709 allows remote code execution, due to how the scripting engine handles objects in memory, aka \"Scripting Engine Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Critical",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-02-15T10:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856"
        },
        {
          "name": "102880",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102880"
        },
        {
          "name": "1040372",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040372"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "DATE_PUBLIC": "2018-02-13T00:00:00",
          "ID": "CVE-2018-0856",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Microsoft Edge, ChakraCore",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Microsoft Windows 10 1703 and 1709."
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Microsoft Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Microsoft Edge and ChakraCore in Microsoft Windows 10 1703 and 1709 allows remote code execution, due to how the scripting engine handles objects in memory, aka \"Scripting Engine Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2018-0834, CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Critical"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856",
              "refsource": "CONFIRM",
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0856"
            },
            {
              "name": "102880",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102880"
            },
            {
              "name": "1040372",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040372"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2018-0856",
    "datePublished": "2018-02-15T02:00:00Z",
    "dateReserved": "2017-12-01T00:00:00",
    "dateUpdated": "2024-09-16T20:06:40.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted