Escaping the Sandbox: CVE-2024-21399 Microsoft Edge RCE Vulnerability
Microsoft has released a security update for its browser, Microsoft Edge, addressing several vulnerabilities. Following the release of the upstream Chromium versions 121.0.6167.139 for Mac and Linux and 121.0.6167.139/140 for Windows, Microsoft released version 121.0.2277.98 of Microsoft Edge.
This update not only incorporates fixes for three vulnerabilities previously identified and patched in Chromium but also addresses a high-severity vulnerability, CVE-2024-21399, which could allow remote code execution if exploited.
“An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email,” Microsoft wrote.
Exploitation is complex and requires user interaction. The vulnerability has a CVSSv3.1 base score of 8.3, denoting a severity level of Moderate.
“This vulnerability could lead to a browser sandbox escape,” the company added. To date, there have been no confirmed instances of exploitation or disclosure of this vulnerability.
Alongside Microsoft Edge 121.0.2277.98, Microsoft is also offering an Extended Stable release based on Chromium 120.0.6099.276, namely Microsoft Edge 120.0.2210.167.
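Because the fix ships on two channels with different major versions, a naive "is the version at least 121.0.2277.98" check would wrongly flag every Extended Stable host as unpatched. The following is an added example (not code from the article or from Microsoft) showing a channel-aware version check; the fixed builds are the two the article names, and the host inventory is constructed sample data.

```python
"""Check whether a reported Microsoft Edge build includes the fix
described above, taking the two release channels into account.

Added example, not from the original article or from Microsoft. The fixed
builds are the ones the article names: Stable 121.0.2277.98 and Extended
Stable 120.0.2210.167. The host inventory below is constructed sample data.
"""

# Fixed builds keyed by major version, so an Extended Stable host on
# 120.0.2210.167 is treated as patched instead of being compared to 121.x.
FIXED_BUILDS = {
    121: (121, 0, 2277, 98),   # Stable channel
    120: (120, 0, 2210, 167),  # Extended Stable channel
}


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Edge version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version_text):
    """Return True if the build is at or above the fixed build for its channel.

    A major version newer than both fixed builds is treated as patched.
    A major version older than both (for example 119.x) is treated as
    unpatched, because no fixed build exists on that branch.
    """
    version = parse_version(version_text)
    major = version[0]
    if major in FIXED_BUILDS:
        return version >= FIXED_BUILDS[major]
    return major > max(FIXED_BUILDS)


def triage(inventory):
    """Given {hostname: version string}, return the hosts still needing the update."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed inventory: hostnames and reported Edge versions (sample data).
SAMPLE_INVENTORY = {
    "ws-01": "121.0.2277.98",   # Stable, exactly the fixed build
    "ws-02": "121.0.2277.83",   # Stable, behind the fixed build
    "ws-03": "120.0.2210.167",  # Extended Stable, exactly the fixed build
    "ws-04": "120.0.2210.144",  # Extended Stable, behind the fixed build
    "ws-05": "122.0.1.1",       # constructed later major version, carries the fix
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Edge {SAMPLE_INVENTORY[host]} still needs the update")
```

The version strings would normally come from an endpoint inventory or software asset tool; the point of keying the comparison by major version is that an organisation pinned to Extended Stable is judged against its own channel's fixed build rather than against the Stable one.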
The vulnerabilities addressed in this update are as follows:
- High CVE-2024-1060: Use after free in Canvas.
- High CVE-2024-1059: Use after free in WebRTC.
- High CVE-2024-1077: Use after free in Network.
- High CVE-2024-21399: Remote Code Execution Vulnerability.