Microsoft Edge Vulnerability Lets Attackers Execute Arbitrary Code


Microsoft has released a critical security update for its Edge browser to address multiple vulnerabilities, including a severe validation flaw that could allow attackers to execute arbitrary code on affected systems.

The update, released on August 1, 2024, patches three significant vulnerabilities in Microsoft Edge versions prior to 127.0.2651.86:


  1. CVE-2024-7256: Insufficient data validation in Dawn component (High severity)
  2. CVE-2024-6990: Uninitialized Use in Dawn component (Critical severity)
  3. CVE-2024-7255: Out of bounds read in WebTransport feature (High severity)

The most severe of these, CVE-2024-7256, is a validation flaw in the Dawn graphics component that could allow an attacker to execute arbitrary code on a victim’s system. This vulnerability was reported by a security researcher known as “gelatin dessert” on July 23, 2024.


Microsoft has assigned a “Critical” severity rating to CVE-2024-6990, which involves an uninitialized use vulnerability in the Dawn component. This flaw could potentially lead to out-of-bounds memory access.

The third vulnerability, CVE-2024-7255, affects the WebTransport feature and could allow attackers to perform out-of-bounds memory read operations.

These security issues affect Microsoft Edge versions running on Windows, macOS, and Linux operating systems. Users are strongly advised to update their browsers to the latest version (127.0.2651.86 or later) as soon as possible to mitigate these risks.

To update Microsoft Edge, users can typically rely on the browser’s automatic update feature. However, manual updates can be performed by navigating to the browser’s settings and checking for updates.
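For administrators who need to verify the installed build against the fixed version across many machines rather than opening the settings page on each, here is an added example in Python (not from the article or from Microsoft). It reads the installed Edge version from assumed per-platform locations (the `HKCU\Software\Microsoft\Edge\BLBeacon` registry value on Windows, the app bundle's `Info.plist` on macOS, `microsoft-edge --version` on Linux) and compares it numerically against 127.0.2651.86, because a plain string comparison would wrongly rank 127.0.2651.9 above 127.0.2651.86.

```python
"""Check whether the installed Microsoft Edge build predates 127.0.2651.86."""
import platform
import re
import subprocess

# First build that ships the fixes for CVE-2024-7256, CVE-2024-6990 and CVE-2024-7255.
FIXED_VERSION = "127.0.2651.86"


def parse_version(text):
    """Extract a four-part version such as '127.0.2651.86' (from a string that may
    carry a prefix like 'Microsoft Edge ') and return it as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed build.
    Tuples compare component by component, so 127.0.2651.9 < 127.0.2651.86,
    whereas comparing the raw strings would give the opposite answer."""
    return parse_version(installed) < parse_version(fixed)


def installed_edge_version():
    """Best-effort lookup of the Edge version on this host; None if Edge is absent.
    Locations below are assumptions for this example, not taken from the article."""
    system = platform.system()
    try:
        if system == "Windows":
            import winreg  # only available on Windows
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                 r"Software\Microsoft\Edge\BLBeacon")
            return winreg.QueryValueEx(key, "version")[0]
        if system == "Darwin":
            cmd = ["defaults", "read",
                   "/Applications/Microsoft Edge.app/Contents/Info",
                   "CFBundleShortVersionString"]
        else:  # Linux: the stable package installs a 'microsoft-edge' launcher
            cmd = ["microsoft-edge", "--version"]
        return subprocess.run(cmd, capture_output=True, text=True,
                              check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    found = installed_edge_version()
    if found is None:
        print("Microsoft Edge not found on this host")
    elif is_vulnerable(found):
        print(f"Edge {found} is older than {FIXED_VERSION}: update required")
    else:
        print(f"Edge {found} is at or above {FIXED_VERSION}")
```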

It’s worth noting that Microsoft Edge’s enhanced security mode feature may provide some protection against these vulnerabilities. Users are encouraged to enable this feature for additional security.

As always, users should keep their software up to date and be cautious when browsing potentially malicious websites or interacting with suspicious content online.
