-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2010.0230.2
        Google have released an update for Chrome, correcting several
                          security vulnerabilities
                              22 October 2010
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      Linux variants
                      Mac OS X
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-4042 CVE-2010-4041 CVE-2010-4040 CVE-2010-4039
                      CVE-2010-4038 CVE-2010-4037 CVE-2010-4036 CVE-2010-4035
                      CVE-2010-4034 CVE-2010-4033
Member content until: Saturday, November 20 2010

Revision History:     October 22 2010: Added CVEs
                      October 21 2010: Initial Release

OVERVIEW

        Google have released an update for Chrome, correcting several
        security vulnerabilities.

IMPACT

        The vendor has provided the following information regarding these
        vulnerabilities:

        "* [48225] [51727] Medium Possible autofill / autocomplete profile
           spamming. Credit to Google Chrome Security Team (Inferno).

         * [48857] High Crash with forms. Credit to the Chromium development
           community.

         * [50428] Critical Browser crash with form autofill. Credit to the
           Chromium development community.

         * [$500] [51680] High Possible URL spoofing on page unload. Credit
           to kuzzcc; plus independent discovery by Jordi Chancel.

         * [53002] Low Pop-up block bypass. Credit to kuzzcc.

         * [53985] Medium Crash on shutdown with Web Sockets. Credit to the
           Chromium development community.

         * [Linux only] [54132] Low Bad construction of PATH variable. Credit
           to Dan Rosenberg, Virtual Security Research.

         * [$500] [54500] High Possible memory corruption with animated GIF.
           Credit to Simon Schaak.

         * [Linux only] [54794] High Failure to sandbox worker processes on
           Linux. Credit to Google Chrome Security Team (Chris Evans).

         * [56451] High Stale elements in an element map. Credit to Michal
           Zalewski of the Google Security Team." [1]

MITIGATION

        The latest version of Google Chrome (currently 7.0.517.41) can be
        downloaded from the vendor's website. [2] The update can also be
        applied from within Google Chrome using the built-in update feature.

REFERENCES

        [1] Stable Channel Update
            http://googlechromereleases.blogspot.com/2010/10/stable-channel-update.html

        [2] Google Chrome - Get a fast new browser. For PC, Mac, and Linux
            http://www.google.com/chrome

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMwMug/iFOrG6YcBERAnPYAJ0dW5QLPyPMQdlvxnITWs55Y1LtdwCdHfBL
k8bQ4T9Y86XdBDWZLqvRu88=
=BxRw
-----END PGP SIGNATURE-----
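The MITIGATION section gives a single fixed release, 7.0.517.41, and the practical follow-up for an administrator is to find which hosts still run anything older. The script below is an added example, not part of the AusCERT bulletin or of Google's tooling: it compares dotted Chrome version strings numerically (plain string comparison would rank "7.0.517.8" above "7.0.517.41") and triages a host inventory against the fixed version. The host names and version strings in the sample inventory are constructed for illustration; only 7.0.517.41 comes from the bulletin.

```python
"""Triage Chrome versions against the fixed release named in ASB-2010.0230.2.

Added example for the bulletin, not AusCERT's or Google's code. The fixed
version comes from the MITIGATION section; every other value is constructed.
"""

# Fixed release named in the bulletin's MITIGATION section.
FIXED_VERSION = "7.0.517.41"


def parse_version(version: str) -> tuple:
    """Split a dotted version into a tuple of ints so components compare
    numerically: (7, 0, 517, 41) sorts above (7, 0, 517, 8)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release.
    Shorter tuples are zero-padded so '7.0.517' is treated as '7.0.517.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory: dict) -> dict:
    """Map host -> 'patched' / 'vulnerable' / 'unknown' for a dict of
    host -> Chrome version string. Unparseable strings are reported rather
    than silently counted as patched."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative.
    sample = {
        "ws-01": "6.0.472.63",
        "ws-02": "7.0.517.41",
        "ws-03": "7.0.517.8",
        "ws-04": "8.0.552.0",
        "ws-05": "not-installed",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The inventory is assumed to hold bare version strings; if it is collected from `google-chrome --version` output (which prefixes the number with "Google Chrome "), strip the prefix before calling `triage`. Treating unparseable entries as "unknown" rather than "patched" keeps hosts with a failed collection visible in the report.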