Exploit published for the RCE vulnerability in the Edge browser

As part of the December Patch Tuesday update, Microsoft fixed CVE-2018-8629, a vulnerability in the Edge browser related to Chakra (Microsoft's JavaScript engine for the browser). The flaw allows an attacker to execute arbitrary code on a vulnerable machine with the same privileges as the currently logged-in user.

The critical vulnerability was found by Bruno Keith of the Phoenhex research team. He also said that all versions of Windows are vulnerable to the problem, and that only on Windows Server (2016-2019) does the bug pose a smaller threat.

Since the patch for this flaw was released two weeks ago, the researchers decided that a proof-of-concept (PoC) exploit for the fresh vulnerability could now be published. The exploit is 71 lines of code and leads to an out-of-bounds read from memory. The researchers note that the effect of the exploit in its current form may not seem very dangerous to many, but the PoC can be modified to produce more dangerous results.

The researchers point out that this bug can be used in web attacks: it is enough for an attacker to create a malicious site hosting an exploit and lure a victim running a vulnerable version of Microsoft Edge to it. The exploit can also be embedded in other resources that the victim frequently visits, such as any website or advertisement. Given that the patch was released only this month, certainly not all users have managed to install the updates.