Wednesday, March 7, 2018

Telspace Systems Security Advisory (TSA-2018-002)

Security Advisory


TSA-2018-002: Microsoft Edge Information Disclosure Vulnerability

CVE Number: CVE-2018-0839

Summary

An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.


Details and crash information

edgehtml!Ordinal125+0xe3c86:

5ef196d6 8b5928          mov     ebx,dword ptr [ecx+28h] ds:0023:117cd008=????????


Vendor: Microsoft

Product: Edge

Version: 11.0.15063.67

Vendor URLs:

Vendor Response

The vendor has patched the vulnerability and released a new version

Disclosure Timeline
  • 23-11-2017 – Initial Discovery
  • 29-11-2017 – ZDI Notification
  • 07-12-2017 - Vendor notification
  • 21-02-2018 - Coordinated public release of advisory
Credit

This vulnerability was discovered by Dmitri Kaslov of Telspace Systems