Patch Your Edge Now: Critical Sandbox Escape Vulnerability (CVE-2023-35618)

Microsoft has released a new update for Microsoft Edge Stable Channel (Version 120.0.2210.61) that addresses several critical security vulnerabilities. These vulnerabilities could allow attackers to remotely execute code, gain elevated privileges, or disclose sensitive information on affected systems.


What are the vulnerabilities?

  1. CVE-2023-38174 (CVSS 4.3): An information disclosure vulnerability in Microsoft Edge. It discloses only limited information and doesn’t pose a risk of sensitive data exposure.
  2. CVE-2023-35618 (CVSS 9.6): A more severe elevation of privilege vulnerability. This flaw could lead to a browser sandbox escape. An attacker could host a website, or use a compromised one, to exploit the vulnerability. While it requires user interaction, such as clicking a link, successful exploitation grants the attacker elevated privileges for code execution.
  3. CVE-2023-36880 (CVSS 4.8): Another information disclosure vulnerability, similar to CVE-2023-38174, with limited risk for sensitive information exposure. Successful exploitation requires specific environmental information and preparatory actions by the attacker.

What should you do?

While the information disclosed by CVE-2023-38174 and CVE-2023-36880 is limited and not considered sensitive, CVE-2023-35618 poses a significant risk. If exploited, this vulnerability could allow an attacker to take control of your system and steal your data.

You must update your Microsoft Edge browser to the latest version (120.0.2210.61) as soon as possible. To update your browser, follow these steps:

  1. Open Microsoft Edge.
  2. Click the three dots in the top right corner of the browser window.
  3. Select Help and feedback > About Microsoft Edge.
  4. Microsoft Edge will automatically check for updates. If an update is available, it will be downloaded and installed automatically.
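
To confirm that a machine is actually on the fixed build after these steps, or to check several machines from a script, the installed version can be compared with 120.0.2210.61. The PowerShell below is an added example, not code from Microsoft or from the original article; the function name `Get-EdgePatchStatus` and the default install paths are assumptions.

```powershell
# Added example: reports whether the installed Edge build is at or above the
# fixed version named in the article (120.0.2210.61).
function Get-EdgePatchStatus {
    param(
        # Assumption: default per-machine install locations of msedge.exe.
        [string[]]$CandidatePath = @(
            "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
            "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
        ),
        [version]$MinimumVersion = '120.0.2210.61'
    )

    $found = $false
    foreach ($path in $CandidatePath) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $found = $true

        # Read the version stamped into the executable on disk.
        $raw = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
        $installed = $null
        if ([version]::TryParse($raw, [ref]$installed)) {
            # [version] compares each numeric field, so 120.0.2210.9 < 120.0.2210.61.
            $status = if ($installed -ge $MinimumVersion) { 'Patched' } else { 'NeedsUpdate' }
        } else {
            $status = 'UnknownVersion'
        }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $path
            Installed = $raw
            Required  = $MinimumVersion.ToString()
            Status    = $status
        }
    }

    if (-not $found) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $null
            Installed = $null
            Required  = $MinimumVersion.ToString()
            Status    = 'NotInstalled'
        }
    }
}

Get-EdgePatchStatus | Format-Table -AutoSize
```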