The Indian Computer Emergency Response Team (CERT-In), a division of the Ministry of Electronics and Information Technology, has issued a security warning to users of Microsoft Edge, advising them to update their browsers to the latest version to protect against potential cyber threats. This warning highlights multiple vulnerabilities found in Microsoft Edge (Chromium-based), particularly in versions earlier than 129.0.2792.79.

Nature of the Vulnerabilities

CERT-In has identified several underlying issues that contribute to these vulnerabilities:

• Insufficient data validation in Mojo: This can allow attackers to manipulate data and potentially execute malicious code.
• Inappropriate implementation in the V8 JavaScript engine: The V8 engine is used by Microsoft Edge to process JavaScript, and flaws in its implementation can be exploited to run harmful scripts.
• Integer overflow in the Layout component: Integer overflows can lead to unexpected behavior and memory corruption, which attackers can leverage to gain control of a system.
• Issues in UI, Autofill, and Omnibox features: Problems in these features, along with download security, can be exploited by hackers.

Potential Risks

If these vulnerabilities are left unpatched, remote attackers and cybercriminals could exploit them to:

• Bypass security controls.
• Execute arbitrary code on a user's device.
• Steal sensitive user data.
• Gain unauthorized access to the targeted system.
• Conduct remote code execution attacks.
• Cause denial of service (DoS) conditions.
• Trigger spoofing attacks.

Attackers might trick users into visiting malicious websites or opening compromised HTML pages to exploit these weaknesses. This could put sensitive personal data at serious risk.

Recommended Action

CERT-In urges Microsoft Edge users to take the following steps to mitigate these risks:

• Update Microsoft Edge: Update to the latest version of Microsoft Edge (version 129.0.2792.79 or later) as soon as possible. The latest versions contain essential security patches that address the identified vulnerabilities.
• Enable automatic updates: Ensure that automatic updates are enabled in Microsoft Edge to receive the latest security fixes promptly.
• Be cautious of suspicious links and websites: Exercise caution when clicking on links or visiting unfamiliar websites, as these could be vectors for attacks.

Severity

CERT-In has assigned a "High" severity rating to these Microsoft Edge vulnerabilities. This indicates a significant risk to users who do not take the necessary precautions.

Microsoft's Response

Microsoft has released updates to address these vulnerabilities. Users who update to the latest version of Microsoft Edge will receive these fixes. The latest Microsoft Edge Stable Channel (Version 129.0.2792.79) and Microsoft Edge Extended Stable Channel (128.0.2739.107) incorporate the newest updates of the Chromium project.