Microsoft’s Tuesday patch for December fixes 42 vulnerabilities on Edge

Microsoft released its Tuesday patch for December on 14th December, 2021. The security update addresses vulnerabilities, security issues and risks that came to light between 10th November and 14th December. We detail the critical, moderate and important vulnerabilities that have been patched in Microsoft Edge as part of the Tuesday security patch for December. The latest security update for Microsoft Edge succeeds the previous version of Edge, 96.0.1054.53, which was released on 10th December. The latest security update for Edge, released on 14th December, is version 96.0.1054.57.

Edge version 96.0.1054.57 and vulnerabilities fixed

Microsoft Edge version 96.0.1054.57 is the latest stable release and delivers December’s Tuesday security release. Note that the Microsoft Edge browser had already received a security update on 10th December, in which the browser engine was updated to version 96.0.1054.53.

There are 42 vulnerabilities listed as part of the Microsoft Edge security updates released for November and December. All of these had already been patched in the 10th December and 19th November security releases of the Edge browser, except for the 5 new vulnerabilities that have been patched in Edge version 96.0.1054.57.

The 5 vulnerabilities that have been fixed as part of the 14th December release of the Edge browser version 96.0.1054.57 are as follows:

  • CVE-2021-4098
  • CVE-2021-4099
  • CVE-2021-4100
  • CVE-2021-4101
  • CVE-2021-4102

No public information is available on the scope, impact, severity or potential attacks for these 5 vulnerabilities, and their details remain undisclosed. Mitre’s pages for these CVE numbers do not contain any details, risks or mitigations for any of the 5 vulnerabilities. There are no known records of any exploitation attempts for these vulnerabilities.

The other significant vulnerabilities that have been fixed as part of the November and December security updates for the Edge browser are listed below.

Severity – Important – Remote Code Execution Edge vulnerability resolution December 2021

For Microsoft Edge, Microsoft’s Tuesday patch fixes 42 vulnerabilities. One of these fixes is for the vulnerability tracked as CVE-43221. Its severity is important, and the security risk is that it allows remote code execution by an attacker. This vulnerability affects Microsoft Edge and has been fixed in version 96.0.1054.53. You are advised to upgrade Microsoft Edge to the latest stable release, version 96.0.1054.57, to cover the latest security update for Edge.

Microsoft has mentioned that it has not detected any exposure or attempts to target the vulnerability as of now. However, it makes sense to patch the Edge browser whenever you get a chance to do so.

CVE-4102 – Chromium based vulnerability

Microsoft Edge is based on the Chromium platform. Google’s Chrome is also based on the same platform. Google had disclosed a vulnerability, CVE-4102, in the Chrome browser that stems from the underlying platform. The latest security update for Edge also covers CVE-4102. The security fix for CVE-4102 has been provided by Google for the Chrome project.

Severity Moderate – Spoofing vulnerability on Edge for iOS

The CVE-43220 vulnerability in the Edge browser has a moderate impact on infrastructure that includes iOS devices. It specifically affects Edge for iOS. For networks and companies, the risk takes the form of spoofing of iOS devices. It was disclosed in November 2021 and was fixed in Edge version 96.0.1054.53. We still advise applying the latest version, 96.0.1054.57, to ensure that Edge is running the latest security update.

Severity – Low – Email spoofing vulnerability on Edge for December 2021

The latest Tuesday security update fixes a low severity vulnerability tracked as CVE-42308. The vulnerability creates risks arising from email spoofing. An attacker may target the browser’s vulnerability to send spoofed emails and engage in malicious activity on the system. The latest version of Microsoft Edge 96.0.1054.53 should take care of this security vulnerability for the Edge browser.

Aside from these four significant vulnerabilities that have been fixed in Edge version 96.0.1054.53, other vulnerabilities have been fixed in versions 96.0.1054.53 and 96.0.1054.57. No information about these vulnerabilities is available in the public domain for now.

Summary

Microsoft Edge’s monthly security update is version 96.0.1054.57. It follows the previous security update for Edge, version 96.0.1054.53.

  • Edge version 96.0.1054.53 addresses the vulnerabilities that have been marked as important, moderate or low impact.
  • So, if you are on Edge version 96.0.1054.53, you are covered for most vulnerabilities on the Chromium based Microsoft Edge.
  • Updating to the Edge version 96.0.1054.57 will cover the full monthly security update fix for Microsoft Edge.

It is, therefore, recommended to update Microsoft Edge to 96.0.1054.57 whenever you get a chance. As a bare minimum, you must be running Edge version 96.0.1054.53 for a secured infrastructure.
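The version guidance above can be checked across a fleet with a short script. This is an added example, not code from Microsoft or from the original article: the two version thresholds and the five CVE IDs are taken from this page, while the hostnames and inventory rows are constructed sample data.

```python
# Added example: thresholds and CVE IDs come from the article above;
# hostnames and inventory rows are constructed sample data.
MINIMUM = (96, 0, 1054, 53)  # the article's "bare minimum" (10 December release)
LATEST = (96, 0, 1054, 57)   # 14 December release
FIXED_IN_LATEST = ["CVE-2021-4098", "CVE-2021-4099", "CVE-2021-4100",
                   "CVE-2021-4101", "CVE-2021-4102"]


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return (status, CVEs from the 14 December list still unpatched)."""
    version = parse_version(version_text)
    if version is None:
        return ("unknown", [])
    if version < MINIMUM:
        return ("below-minimum", list(FIXED_IN_LATEST))
    if version < LATEST:
        return ("missing-latest", list(FIXED_IN_LATEST))
    return ("current", [])


def audit(inventory):
    """Group hostnames by patch status."""
    report = {}
    for host, version_text in inventory:
        status, _ = classify(version_text)
        report.setdefault(status, []).append(host)
    return report


SAMPLE_INVENTORY = [  # constructed (hostname, reported Edge version) pairs
    ("ws-001", "96.0.1054.57"),
    ("ws-002", "96.0.1054.53"),
    ("ws-003", "96.0.1054.6"),   # a plain string comparison would rank this above .53
    ("ws-004", "95.0.1020.53"),
    ("ws-005", "97.0.1072.55"),
    ("ws-006", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Versions are compared as integer tuples because dotted version strings do not sort correctly as text; hosts reported as "unknown" need a manual check rather than being assumed patched.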