Potential Risk of CVE

Speculation – Cause of Microsoft Edge (Chromium-based) Vulnerabilities (25th Jan 2023)

Leave a comment

Preface: Edge was initially built with Microsoft’s own proprietary browser engine, EdgeHTML, and their Chakra JavaScript engine. In late 2018, it was announced that Edge would be completely rebuilt as a Chromium-based browser with Blink and V8 engines.

The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows, and macOS.

Background: In Chromium, a renderer doesn’t run in the main browser’s process. Different sites will run in different renderers who have different processes. Last year it found flaw occurred. CVE-2022-1134 – bug got remote code execution in Chrome renderer. The bug exists in the super inline cache (SuperIC) feature.

Blink is Google Chrome’s rendering engine , V8 is the JavaScript Engine used within Blink. Inline cache is an optimization used in V8 for speeding up property accesses in bytecode generated by Ignition (the interpreter in V8). 

Edge and Chrome are both built on the Chromium open-source browser using the Blink rendering engine

Vulnerability details:

CVE-2023-21796: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21795.

CVE-2023-21795: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21796.

CVE-2023-21775: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-21719: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

Official announcement: See URL for details – https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security

Observation: Refer to CVE-2022-1134. A JavaScript object has its map as its first field. In V8, this field is used for determining the type of an object, so by putting the map of a double Array in our fake object, V8 will interpret it as a double array. So, code region overwritten.

Since no details release by vendor. But think it over, in Chromium, a renderer doesn’t run in the main browser’s process. Different sites will run in different renderers who have different processes. However if there is Remote Code Execution Vulnerability happened (similar CVE-2022-1134). Then the impact will be different.

The flaw display in diagram so called  type confusion vulnerability. When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution. Then Exploiting this flaw to get a Privileged Shell.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.