Edge receives fix for escalation of privilege vulnerability

by Don Sharpe

  • A security patch for an escalation of privileges threat in Edge is now available
  • Edge version 83.0.478.37 contains this update.

Microsoft takes Edge security and privacy seriously, which it must do if the browser is to stand a chance of reaching the adoption levels of Chrome and Firefox. Toward that end, the tech giant shipped a fix for an escalation of privilege vulnerability in its Chromium-based browser.

The security patch is part of the Edge update 83.0.478.37 that is currently rolling out in the Stable channel. The non-security updates include features like automatic profile switching.

Escalation of privilege vulnerability

Microsoft tracks the vulnerability as CVE-2020-1195. It stems from the Feedback extension in Edge improperly validating input.

Therefore, an attacker who managed to exploit the flaw could write files to arbitrary locations. Doing that could also give the attacker higher system privileges.

An elevation of privilege vulnerability exists in Microsoft Edge (Chromium-based) when the Feedback extension improperly validates input. An attacker who successfully exploited this vulnerability could write files to arbitrary locations and gain elevated privileges. This vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running.

Microsoft assigned the vulnerability an Exploitability Index rating of 2 ("Exploitation Less Likely"). It means that users of the latest version of Edge are less likely to be a target for this kind of attack.

On its own, the escalation of privilege vulnerability does not let an attacker execute code. But an attacker can use it to pave the way for a more serious breach.

For example, after gaining elevated privileges, they could exploit a remote code execution (RCE) vulnerability. An RCE attack could in turn allow them to steal data, spy, or even stage a denial-of-service attack.

However, the escalation of privilege vulnerability in Edge should be no cause for alarm. Microsoft has not received any evidence of its exploitation in the wild.
