NVD Vulnerability Detail

CVE-2020-0878

Summary	<p>A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p>An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically via an enticement in email or instant message, or by getting them to open an email attachment.</p> <p>The security update addresses the vulnerability by modifying how Microsoft browsers handle objects in memory.</p>
Publication Date	Sept. 12, 2020, 2:15 a.m.
Registration Date	Jan. 26, 2021, 11:50 a.m.
Last Update	Nov. 21, 2024, 1:54 p.m.

CVSS3.1 : MEDIUM
スコア	4.2
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更なし
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
Score	5.1
Vector	AV:N/AC:H/Au:N/C:P/I:P/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:microsoft:internet_explorer:11:-::::::
execution environment
1	cpe:2.3:o:microsoft:windows_10_1507:-:::::::*
2	cpe:2.3:o:microsoft:windows_10_1607:-:::::::*
3	cpe:2.3:o:microsoft:windows_10_1709:-:::::::*
4	cpe:2.3:o:microsoft:windows_10_1803:-:::::::*
5	cpe:2.3:o:microsoft:windows_10_1809:-:::::::*
6	cpe:2.3:o:microsoft:windows_10_1903:-:::::::*
7	cpe:2.3:o:microsoft:windows_10_1909:-:::::::*
8	cpe:2.3:o:microsoft:windows_10_2004:-:::::::*
9	cpe:2.3:o:microsoft:windows_7:-:sp1::::::
10	cpe:2.3:o:microsoft:windows_8.1:-:::::::*
11	cpe:2.3:o:microsoft:windows_rt_8.1:-:::::::*
12	cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:::::x64:*
13	cpe:2.3:o:microsoft:windows_server_2012:-:::::::*
14	cpe:2.3:o:microsoft:windows_server_2012:r2:::::::*
15	cpe:2.3:o:microsoft:windows_server_2016:-:::::::*
16	cpe:2.3:o:microsoft:windows_server_2019:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:microsoft:internet_explorer:9:::::::*
execution environment
1	cpe:2.3:o:microsoft:windows_server_2008:-:sp2::::::

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:microsoft:edge:-:::::::*
execution environment
1	cpe:2.3:o:microsoft:windows_10:1909:::::::*
2	cpe:2.3:o:microsoft:windows_10_1507:-:::::::*
3	cpe:2.3:o:microsoft:windows_10_1607:-:::::::*
4	cpe:2.3:o:microsoft:windows_10_1709:-:::::::*
5	cpe:2.3:o:microsoft:windows_10_1803:-:::::::*
6	cpe:2.3:o:microsoft:windows_10_1809:-:::::::*
7	cpe:2.3:o:microsoft:windows_10_1903:-:::::::*
8	cpe:2.3:o:microsoft:windows_10_2004:-:::::::*
9	cpe:2.3:o:microsoft:windows_server_2016:-:::::::*
10	cpe:2.3:o:microsoft:windows_server_2019:-:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:a:microsoft:chakracore:-:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0878		Patch Vendor Advisory
2	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0878		Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-787	境界外書き込み	https://cwe.mitre.org/data/definitions/787.html

JVN Vulnerability Information

複数の Microsoft 製品におけるリモートでコードを実行される脆弱性

Title	複数の Microsoft 製品におけるリモートでコードを実行される脆弱性
Summary	複数の Microsoft 製品には、Microsoft ブラウザがメモリ内のオブジェクトにアクセスする方法に不備があるため、リモートでコードを実行される脆弱性が存在します。ベンダは、本脆弱性を「Microsoft ブラウザーのメモリ破損の脆弱性」として公開しています。
Possible impacts	リモートでコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 8, 2020, midnight
Registration Date	Nov. 10, 2020, 4:30 p.m.
Last Update	Nov. 10, 2020, 4:30 p.m.

Affected System

マイクロソフト

ChakraCore

Microsoft Edge (EdgeHTML-based)

Microsoft Internet Explorer 11

Microsoft Internet Explorer 9

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-0878	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0878
National Vulnerability Database (NVD)
2	CVE-2020-0878	https://nvd.nist.gov/vuln/detail/CVE-2020-0878
Security Update Guide
3	CVE-2020-0878 \| Microsoft Browser Memory Corruption Vulnerability	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0878
セキュリティ更新プログラムガイド
4	CVE-2020-0878 \| Microsoft ブラウザーのメモリ破損の脆弱性	https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2020-0878

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

その他

No	Name	URL
IPA 重要なセキュリティ情報
1	Microsoft 製品の脆弱性対策について(2020年9月)	https://www.ipa.go.jp/security/ciadr/vul/20200909-ms.html
JPCERT 注意喚起
2	JPCERT-AT-2020-0036	https://www.jpcert.or.jp/at/2020/at200036.html

Change Log

No	Changed Details	Date of change
1	[2020年11月10日] 掲載	Nov. 10, 2020, 4:30 p.m.

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:microsoft:internet_explorer:11:-::::::
execution environment
1	cpe:2.3:o:microsoft:windows_10_1507:-:::::::*
2	cpe:2.3:o:microsoft:windows_10_1607:-:::::::*
3	cpe:2.3:o:microsoft:windows_10_1709:-:::::::*
4	cpe:2.3:o:microsoft:windows_10_1803:-:::::::*
5	cpe:2.3:o:microsoft:windows_10_1809:-:::::::*
6	cpe:2.3:o:microsoft:windows_10_1903:-:::::::*
7	cpe:2.3:o:microsoft:windows_10_1909:-:::::::*
8	cpe:2.3:o:microsoft:windows_10_2004:-:::::::*
9	cpe:2.3:o:microsoft:windows_7:-:sp1::::::
10	cpe:2.3:o:microsoft:windows_8.1:-:::::::*
11	cpe:2.3:o:microsoft:windows_rt_8.1:-:::::::*
12	cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:::::x64:*
13	cpe:2.3:o:microsoft:windows_server_2012:-:::::::*
14	cpe:2.3:o:microsoft:windows_server_2012:r2:::::::*
15	cpe:2.3:o:microsoft:windows_server_2016:-:::::::*
16	cpe:2.3:o:microsoft:windows_server_2019:-:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:microsoft:edge:-:::::::*
execution environment
1	cpe:2.3:o:microsoft:windows_10:1909:::::::*
2	cpe:2.3:o:microsoft:windows_10_1507:-:::::::*
3	cpe:2.3:o:microsoft:windows_10_1607:-:::::::*
4	cpe:2.3:o:microsoft:windows_10_1709:-:::::::*
5	cpe:2.3:o:microsoft:windows_10_1803:-:::::::*
6	cpe:2.3:o:microsoft:windows_10_1809:-:::::::*
7	cpe:2.3:o:microsoft:windows_10_1903:-:::::::*
8	cpe:2.3:o:microsoft:windows_10_2004:-:::::::*
9	cpe:2.3:o:microsoft:windows_server_2016:-:::::::*
10	cpe:2.3:o:microsoft:windows_server_2019:-:::::::*