CVE-2019-0773

Vulnerability

Overview

CVE-2019-0773 is a remote code execution vulnerability in the scripting engine (ChakraCore) used by Microsoft Edge. The bug is a memory corruption flaw that occurs when the scripting engine improperly handles objects in memory. [1] This vulnerability belongs to a cluster of seven similar scripting engine memory corruption CVEs disclosed on the same day, each with a unique CVE identifier. [1]

Exploitation

Vector

An attacker can exploit this vulnerability by hosting a specially crafted website containing malicious content designed to trigger the memory corruption in the scripting engine. The victim must browse to the attacker-controlled page using a vulnerable version of Microsoft Edge or a third-party browser that uses ChakraCore. The affected package is Microsoft.ChakraCore in NuGet, with all versions prior to 1.11.7 being vulnerable. [2] No user interaction beyond visiting the page is required for exploitation.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. In a web browsing scenario, the attacker could gain the same user rights as the logged-on user, potentially leading to installation of programs, viewing or modifying data, or creating new accounts with full user privileges. [1]

Mitigation

Microsoft released an update to address this vulnerability in April 2019. Users are advised to apply the update for Microsoft Edge or update the ChakraCore NuGet package to version 1.11.7 or later. [2]