#Security Vulnerability

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

**How can I verify that the update is installed?** Customers wanting to ensure the client has been updated can run the MDE Client Analyzer on the device. When running the analyzer on a Windows device that does not have the security update, the analyzer will present a warning (ID 121035) indicating missing patch and directing to relevant online article. Additionally, if the update is installed, but the Anti-Spoofing capability is not in a stable state, the analyzer will present warning (ID 121036) indicating an issue and providing additional online guidance or callout to reach out to Microsoft support if issue persists.

Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally.

Out-of-bounds read in Microsoft Office Outlook allows an unauthorized attacker to execute code locally.

Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode.

**According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?** This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution.

Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network.