CVE-2019-0990 is a remote code execution (RCE) vulnerability found in the Microsoft ChakraCore scripting engine, which is used by the legacy Microsoft Edge browser (HTML-based). The vulnerability arises from improper handling of objects in memory, which can lead to memory corruption. An attacker exploiting this flaw can execute arbitrary code within the security context of the current user. If the user has administrative privileges, the attacker could gain full control over the affected system, allowing installation of programs, modification or deletion of data, and creation of new user accounts with elevated rights. The attack vector is primarily web-based: an attacker can host a malicious website crafted to exploit this vulnerability or leverage compromised or user-content hosting websites to deliver the exploit. Successful exploitation requires user interaction, specifically convincing the user to visit the malicious site using the vulnerable Edge browser. The vulnerability does not require prior authentication and has a CVSS 3.1 base score of 6.5, indicating a medium severity level. Microsoft addressed this vulnerability by updating the ChakraCore engine to improve memory handling, thereby preventing the memory corruption that leads to code execution.

For European organizations, this vulnerability poses a moderate risk primarily to endpoints running the legacy Microsoft Edge browser that relies on ChakraCore. Successful exploitation could lead to unauthorized code execution, potentially resulting in data breaches, system compromise, and lateral movement within corporate networks. Organizations with users operating with administrative privileges are at higher risk, as attackers could gain full system control. Given the web-based attack vector, employees visiting malicious or compromised websites could inadvertently trigger the exploit. This could impact confidentiality and integrity of sensitive data and disrupt business operations if malware or ransomware is deployed post-exploitation. Although the vulnerability does not directly affect availability, the resulting compromise could lead to system downtime or loss of service. The risk is somewhat mitigated by the requirement for user interaction and the declining use of the legacy Edge browser in favor of Chromium-based Edge or other browsers. However, organizations that have not fully transitioned or that use legacy systems remain vulnerable.

European organizations should ensure all systems are updated with the latest security patches from Microsoft that address CVE-2019-0990. Specifically, verify that the ChakraCore engine and the legacy Edge browser are updated or replaced. Given the declining support for the legacy Edge, organizations should accelerate migration to supported browsers such as the Chromium-based Microsoft Edge or alternatives like Chrome or Firefox. Implement network-level protections such as web filtering to block access to known malicious or suspicious websites. Employ endpoint detection and response (EDR) solutions capable of detecting exploitation attempts or anomalous script execution. User education is critical: train employees to recognize phishing and suspicious websites, emphasizing the risks of visiting untrusted sites. Restrict user privileges to the minimum necessary to reduce the impact of potential exploitation. Finally, conduct regular vulnerability assessments and penetration testing to identify and remediate any residual risks related to legacy browser use.