Chakra Scripting Engine Memory Corruption Vulnerability

Vulnerability

The vulnerability is a remote code execution issue in the Chakra scripting engine used by Microsoft Edge (HTML-based). It exists in the way Chakra handles objects in memory, leading to memory corruption that an attacker can exploit to execute arbitrary code [1].

Exploitation

In a web-based attack scenario, an attacker can host a specially crafted website designed to trigger the vulnerability through Edge. The attacker then convinces a user to view the website, or leverages compromised sites that host user-provided content or advertisements. No authentication is required, as the attacker only needs to get the user to visit the malicious page [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current user. If that user has administrative rights, the attacker can gain full control of the system, install programs, view/change/delete data, or create new accounts with full user rights [1].

Mitigation

Microsoft released a security update that addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. Users should apply the update to mitigate the risk [1].