CVE-2019-0771

Vulnerability

Overview CVE-2019-0771 is a remote code execution vulnerability in the scripting engine of Microsoft Edge (ChakraCore). The flaw occurs when the scripting engine improperly handles objects in memory, leading to memory corruption [1]. This vulnerability is part of a group of similar scripting engine issues disclosed in April 2019.

Exploitation

An attacker could exploit this vulnerability by hosting a specially crafted website that triggers the memory corruption when viewed in Microsoft Edge. No user interaction beyond browsing to the malicious site is required, though social engineering may be used to direct victims to the target [1,2]. The attacker must convincingly host the malicious content, but no elevated privileges are needed on the target system.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. This could lead to full system compromise, including installation of programs, data manipulation, or creation of new accounts with user rights. The vulnerability is rated high severity due to the potential for remote code execution without authentication [1,2].

Mitigation

Microsoft released a security update as part of its April 2019 Patch Tuesday, addressing the vulnerability by correcting how the scripting engine handles objects in memory. All affected versions of Microsoft Edge and the standalone ChakraCore library (versions prior to 1.11.7) should be updated to mitigate the risk [2].