A Microsoft Edge vulnerability was found to be a security bypass flaw, which requires manual input in order to execute a cyber attack.
The Microsoft Edge vulnerability CVE-2023-29345 was a Chromium-based bug with a low severity rating. Hacker’s exploitation could lead to ‘scope change’ (S:C) which meant they could run malicious code from a sandbox outside the latter’s isolated environment.
The Microsoft Edge vulnerability details
Addressing the Microsoft Edge vulnerability, the company’s report read, “The user would have to click on a specially crafted URL to be compromised by the attacker.” Hence, it was possible to prevent one’s system from being compromised by not accessing malicious links.
Furthermore, exploitation of this Microsoft Edge vulnerability could lead to loss of integrity by adding malicious scripts to get sensitive data from the system. Hackers can also access the user’s browser associated with the vulnerable URL.
Microsoft Edge remote code execution vulnerability
The Microsoft Edge vulnerability was assigned a CVSS meta-temp score of 6.0. Not much is known about the exploitation of the systems via this flaw in Microsoft Edge. “There are neither technical details nor an exploit publicly available,” a Vuldb report said.
“The current price for an exploit might be approx. USD $5k-$25k (estimation calculated on 06/03/2023),” the Vuldb report concluded.
Microsoft vulnerability report and key findings
Microsoft has been reported to have found and addressed an increasing number of vulnerabilities over the years. Over the past 10 years, the software products giant, Microsoft reported 1,292 vulnerabilities.
The highest number of vulnerabilities was reported in Android according to research that focused on the top 20 products which had the most number of CVEs allocated to them in 2022. Microsoft’s Windows 10 was fourth in line with Windows Server 2008 following it.
Exploitation observed by Microsoft from 2021 to 2023
Microsoft observed that the number of password attacks per second rose from 579 in 2021, to 921 in 2022 and 1287 within the first half of 2023. This significant rise in password attacks points fingers at password strength and password hygiene maintained by the users.
Moreover, it was found that suspicious emails that may contain malicious links also increased from 13 billion in 2021, to 32 billion in 2022, and 37 billion only in the first half of 2023.
Addressing the use of AI to trace signals, Microsoft wrote in one of its blogs, “With industry-leading AI, we synthesize 65 trillion signals a day—across all types of devices, apps, platforms, and endpoints—a nearly eight times increase from the 8 trillion daily signals captured just two years ago.”
Microsoft Edge vulnerability and the larger patch picture
Nearly 26,448 software security bugs were reported in 2022. The number of critical vulnerabilities increased by 59% in 2022 as compared to the previous year. Yet, most software customers fail to patch on time.
For instance, Microsoft issued an alert on CVE-2022-37958 in December 2022.
The alert clearly mentioning that the bug patched in September was still wormable. However, a spot survey by The Cyber Express among its registered readers found that many were unaware of the bug.
Firstly, employees can feel overwhelmed by the constant influx of patches that need to be installed.
Consequently, this can lead to a backlog of updates, necessitating prioritization based on the popularity of the affected application and the severity of the security vulnerability.
Moreover, the rise in remote work has resulted in more employees using personal devices for work, which presents challenges in terms of securing and monitoring updates.
Another problem arises from the division of responsibilities among different IT teams, where distinct tasks such as identifying vulnerabilities and applying patches can cause communication and workflow disruptions.
The patching process can also experience delays due to slow and outdated change management processes. Additionally, there is a risk that the patches themselves may be flawed or compromised, requiring thorough testing and verification before deployment.
Lastly, many organizations still rely on manual patching procedures, which consume significant time and resources.
