SoylentNews

-- OriginalOwner_ [tinyurl.com] writes:

El Reg reports [theregister.co.uk]

The March edition of Patch Tuesday lands just hours before researchers are expected to flaunt their latest and greatest exploits at the CanSecWest Pwn2Own hacking competition in Vancouver.

Hopefully nobody was planning to use any of the 75 CVE-listed vulnerabilities Microsoft addressed today, including several for the Edge and Internet Explorer browsers that would allow remote code execution.

The fixed bugs include nine remote code execution (RCE) flaws in the Chakra scripting engine in Edge. Microsoft says the scripting bugs (such as CVE-2018-0874 [microsoft.com][1]) would allow an infected webpage to run code with the logged-in user's clearance level.

The Edge scripting engine was also the subject of four memory corruption RCE flaws, as well as an information disclosure bug, CVE-2018-0839 [microsoft.com][1], that allows an attack page to view objects in memory.

Just two of the 75 Microsoft bugs squashed this month have been publicly disclosed. They include an elevation of privilege bug in Exchange (CVE-2018-0940 [microsoft.com][1]) exploited via email. Dustin Childs of the Zero Day Initiative said that [zerodayinitiative.com] the bug is perfectly set up to facilitate a spear phishing attack.

[1] All content at portal.msrc.microsoft.com is behind scripts. Attempts to have archive.is run the scripts results in a EULA page.

Original Submission