Windows 10: CVE-2018-8512 - Microsoft Edge Security Feature Bypass Vulnerability

Brink · Oct 24, 2018

A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.

Exploitability Assessment
The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly Disclosed Exploited Latest Software Release Older Software Release Denial of Service No No 2 - Exploitation Less Likely 4 - Not affected Not Applicable
Security Updates
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

Product Platform Article Download Impact Severity Supersedence Microsoft Edge Windows 10 Version 1703 for 32-bit Systems 4462937 Security Update Security Feature Bypass Important 4457138 Microsoft Edge Windows 10 Version 1703 for x64-based Systems 4462937 Security Update Security Feature Bypass Important 4457138 Microsoft Edge Windows 10 Version 1709 for 32-bit Systems 4462918 Security Update Security Feature Bypass Important 4457142 Microsoft Edge Windows 10 Version 1709 for 64-based Systems 4462918 Security Update Security Feature Bypass Important 4457142
Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Acknowledgements

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.

See acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

Version Date Description 1.0 10/09/2018 Information published. 1.1 10/24/2018 Corrected vulnerability description. This is an informational change only.
Click to expand...

Source: https://portal.msrc.microsoft.com/en.../CVE-2018-8512

:)

NICK ADSL UK · Oct 24, 2018

Microsoft Security Bulletin(s) for October 2018

Release Notes
October 2018 Security Updates
Release Date: October 09, 2018

The October security release consists of security updates for the following software:

Internet Explorer

Microsoft Edge

Microsoft Windows

Microsoft Office and Microsoft Office Services and Web Apps

ChakraCore

.NET Core

SQL Server Management Studio

Microsoft Exchange Server

Please note the following information regarding the security updates:

Customers runnning Windows 7 or Windows Server 2008 R2 need to ensure they have Servicing Stack Update (SSU) 3177467 installed before installing the October 2018 security updates, to avoid a failure to install. See

Microsoft Knowledge Base Article 3177467 for more information about this SSU.

Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the

Microsoft Update Catalog.

Starting in March 2017, a delta package will be available on the Microsoft Update Catalog for Windows 10 version 1607 and newer. This delta package contains just the delta changes between the previous month and the current release.

Updates for Windows RT 8.1 and Microsoft Office RT software are only available via

Windows Update.

For information on lifecycle and support dates for Windows 10 operating systems, please see

Windows Lifecycle Facts Sheet.

In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

The following CVEs have FAQs with additional information and may include * further steps to take after installing the updates.

ADV180026*

CVE-2010-3190*

CVE-2018-8292

CVE-2018-8330

CVE-2018-8427

CVE-2018-8432

CVE-2018-8472

CVE-2018-8481

CVE-2018-8482

CVE-2018-8486

CVE-2018-8493

CVE-2018-8501

CVE-2018-8503

CVE-2018-8504

CVE-2018-8506

CVE-2018-8530*

CVE-2018-8532

CVE-2018-8533

Known Issues

4459266

4462917

4462923

https://portal.msrc.microsoft.com/e...tedetail/aa99ba28-e99f-e811-a978-000d3a33c573

NICK ADSL UK · Oct 24, 2018

Microsoft Security Bulletin(s) for August 2018

Release Notes
August 2018 Security Updates
Release Date: August 14, 2018
The August security release consists of security updates for the following software:
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
ChakraCore
Adobe Flash Player
.NET Framework
Microsoft Exchange Server
Microsoft SQL Server
Visual Studio
Please note the following information regarding the security updates:
Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
http://catalog.update.microsoft.com/v7/site/Home.aspx

Starting in March 2017, a delta package will be available on the Microsoft Update Catalog for Windows 10 version 1607 and newer. This delta package contains just the delta changes between the previous month and the current release.
Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
The following CVEs have FAQs with additional information and may include * further steps to take after installing the updates.
ADV180016*
ADV180020*
ADV180022*
CVE-2018-8273
CVE-2018-8341
CVE-2018-8348
CVE-2018-8351
CVE-2018-8360
CVE-2018-8370
CVE-2018-8378
CVE-2018-8382
CVE-2018-8394
CVE-2018-8396
CVE-2018-8398

Known Issues
4340731
4340733
4343885
4343892
4343897
4343900
4343909
https://portal.msrc.microsoft.com/e...tedetail/ecb26425-583f-e811-a96f-000d3a33c573

NICK ADSL UK · Oct 24, 2018

Microsoft Security Bulletin(s) for September 2018

Microsoft Security Bulletin(s) for September 2018

Release Notes
September 2018 Security Updates

Release Date: September 11, 2018

The September security release consists of security updates for the following software:

Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
ChakraCore
Adobe Flash Player
.NET Framework
Microsoft.Data.OData
ASP.NET

Please note the following information regarding the security updates:

Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the

Microsoft Update Catalog.
•Starting in March 2017, a delta package will be available on the Microsoft Update Catalog for Windows 10 version 1607 and newer. This delta package contains just the delta changes between the previous month and the current release.
•Updates for Windows RT 8.1 and Microsoft Office RT software are only available via

Windows Update.
•For information on lifecycle and support dates for Windows 10 operating systems, please see

Windows Lifecycle Facts Sheet.
•In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

The following CVEs have FAQs with additional information and may include * further steps to take after installing the updates.

ADV180022*

ADV180023

CVE-2018-8315

CVE-2018-8331

CVE-2018-8336

CVE-2018-8419

CVE-2018-8424

CVE-2018-8429

CVE-2018-8430

CVE-2018-8433

CVE-2018-8434

CVE-2018-8442

CVE-2018-8443

CVE-2018-8444

CVE-2018-8445

CVE-2018-8446

CVE-2018-8452

CVE-2018-8474*

Known Issues

4457128

4457144

4458321

https://portal.msrc.microsoft.com/e...tedetail/498f2484-a096-e811-a978-000d3a33c573

Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact: For home users, no-charge support for security updates (only!) is available by calling 800-MICROSOFT (800-642-7676) in the US or
877-568-2495 in Canada.

Windows 10: CVE-2018-8512 - Microsoft Edge Security Feature Bypass Vulnerability

CVE-2018-8512 - Microsoft Edge Security Feature Bypass Vulnerability

CVE-2018-8512 - Microsoft Edge Security Feature Bypass Vulnerability

CVE-2018-8512 - Microsoft Edge Security Feature Bypass Vulnerability

CVE-2018-8512 - Microsoft Edge Security Feature Bypass Vulnerability - Similar Threads - CVE 2018 8512

BitLocker Security Feature Bypass Vulnerability CVE-2022-41099 and KB5025175

BitLocker Security Feature Bypass Vulnerability CVE-2022-41099 and KB5025175

BitLocker Security Feature Bypass Vulnerability CVE-2022-41099 and KB5025175

CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability Security Vulnerability Published:...

CVE-2019-1314 Windows 10 Mobile Security Feature Bypass Vulnerability Mobile

CVE-2019-0627 - Windows Security Feature Bypass Vulnerability

SQLITE vulnerability CVE-2018-20346, CVE-2018-20505, CVE-2018-20506

CVE-2018-8245 Microsoft Publisher Remote Code Execution Vulnerability

CVE-2018-0986 | Microsoft Malware Protection Engine Vulnerability

Users found this page by searching for:

2018 Microsoft Edge Security Feature Bypass Vulnerability Server 2016