Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2010.0230.2
Google have released an update for Chrome, correcting
several security vulnerabilities
22 October 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Chrome
Operating System: Windows
Linux variants
Mac OS X
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2010-4042 CVE-2010-4041 CVE-2010-4040
CVE-2010-4039 CVE-2010-4038 CVE-2010-4037
CVE-2010-4036 CVE-2010-4035 CVE-2010-4034
CVE-2010-4033
Member content until: Saturday, November 20 2010
Revision History: October 22 2010: Added CVE's
October 21 2010: Initial Release
OVERVIEW
Google have released an update for Chrome, correcting several security
vulnerabilities.
IMPACT
The vendor has provided the following information regarding these
vulnerabilities:
"* [48225] [51727] Medium Possible autofill / autocomplete profile
spamming. Credit to Google Chrome Security Team (Inferno).
* [48857] High Crash with forms. Credit to the Chromium development
community.
* [50428] Critical Browser crash with form autofill. Credit to the
Chromium development community.
* [$500] [51680] High Possible URL spoofing on page unload. Credit
to kuzzcc; plus independent discovery by Jordi Chancel.
* [53002] Low Pop-up block bypass. Credit to kuzzcc.
* [53985] Medium Crash on shutdown with Web Sockets. Credit to the
Chromium development community.
* [Linux only] [54132] Low Bad construction of PATH variable. Credit
to Dan Rosenberg, Virtual Security Research.
* [$500] [54500] High Possible memory corruption with animated GIF.
Credit to Simon Schaak.
* [Linux only] [54794] High Failure to sandbox worker processes on
Linux. Credit to Google Chrome Security Team (Chris Evans).
* [56451] High Stale elements in an element map. Credit to Michal
Zalewski of the Google Security Team." [1]
MITIGATION
The latest version of Google Chrome (currently 7.0.517.41) can be
downloaded from the vendor's website. [2]
The update can also be applied from within Google Chrome using
the built in update feature.
REFERENCES
[1] Stable Channel Update
http://googlechromereleases.blogspot.com/2010/10/stable-channel-update.html
[2] Google Chrome - Get a fast new browser. For PC, Mac, and Linux
http://www.google.com/chrome
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMwMug/iFOrG6YcBERAnPYAJ0dW5QLPyPMQdlvxnITWs55Y1LtdwCdHfBL
k8bQ4T9Y86XdBDWZLqvRu88=
=BxRw
-----END PGP SIGNATURE-----