Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2012.0051 A number of vulnerabilities have been identified in Google Chrome 10 April 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Chrome Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Denial of Service -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2011-3077 CVE-2011-3076 CVE-2011-3075 CVE-2011-3074 CVE-2011-3073 CVE-2011-3072 CVE-2011-3071 CVE-2011-3070 CVE-2011-3069 CVE-2011-3068 CVE-2011-3067 CVE-2011-3066 Member content until: Thursday, May 10 2012 OVERVIEW A number of vulnerabilities have been identified in Google Chrome prior to version 18.0.1025.151. IMPACT The vendor has provided the following details regarding these vulnerabilities: "[$500] [106577] Medium CVE-2011-3066: Out-of-bounds read in Skia clipping. Credit to miaubiz. [117583] Medium CVE-2011-3067: Cross-origin iframe replacement. Credit to Sergey Glazunov. [$1000] [117698] High CVE-2011-3068: Use-after-free in run-in handling. Credit to miaubiz. [$1000] [117728] High CVE-2011-3069: Use-after-free in line box handling. Credit to miaubiz. [118185] High CVE-2011-3070: Use-after-free in v8 bindings. Credit to Google Chrome Security Team (SkyLined). [118273] High CVE-2011-3071: Use-after-free in HTMLMediaElement. Credit to pa_kt, reporting through HP TippingPoint ZDI (ZDI-CAN-1528). [118467] Low CVE-2011-3072: Cross-origin violation parenting pop-up window. Credit to Sergey Glazunov. [$1000] [118593] High CVE-2011-3073: Use-after-free in SVG resource handling. Credit to Arthur Gerkis. [$500] [119281] Medium CVE-2011-3074: Use-after-free in media handling. Credit to Slawomir Blazek. [$1000] [119525] High CVE-2011-3075: Use-after-free applying style command. Credit to miaubiz. [$1000] [120037] High CVE-2011-3076: Use-after-free in focus handling. Credit to miaubiz. [120189] Medium CVE-2011-3077: Read-after-free in script bindings. Credit to Google Chrome Security Team (Inferno)." [1] MITIGATION The vendor recommends upgrading to the latest version of Google Chrome to correct these vulnerabilities. [1] REFERENCES [1] Stable and Beta Channel Updates http://googlechromereleases.blogspot.fr/2012/04/stable-and-beta-channel-updates.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBT4OLX+4yVqjM2NGpAQJEQA/+OQBOXfE5rFmrCjczeWcNQ5JBxnG2L5nx iweK/DEDKNeXo+MhuV6+qEax+nxQ39GipghaqJrV8dq/vpx/eLQ6yd76RTNlOgDW 6fj9SznUW6VhlpCMP6GSX6NRLC34nQKV27ITvWguM15Q3G+ZsWimRijIB62cb8RA UrKKjgCcCk6J3EQm3qWu5lxWtL2j0ce7hZYmoSxnhrLjtxBVDJjLky3q7KiOQ9LA Igtzq8q5nkeualMgjBQZzt6ctztIYch0yiEMJ7fgH1styWR7w06o3suNDNLt3wtU kn5SvJos6VTHssQsrkFsca3/Q7M4E5j6WwLxbCqqcxKLVlKCglBT5WGI7Reh46Ft PfoT+ufp48gvmljeUSw+No113VSJfnExRUP6KEKKg+G1f6gcjSmrCIHhpCyvSqW+ rLZwunpEZ1tVPAfKkBmPYYx/2UCt7cP3uaL4aOsWj/0tyk+NjeTv4QNHeur7NMSP lKODc6Phzv1QoGG+t4fb+x10yslGYlaxhfS/6J40afyecAmNcsIwLgaZj9jQxO3J 9c+h2zJbKl+6EHzXpjUlBD+1xJNcflv4MvgyGFdQUG7xaSfA/zSCaWSlHRtUCkcS QnkfAXJXuZi3IcQAYjdqjvKQjfx7zuNrfStU8StcgcYGVEw8G/AvLg/cCjyLZHd1 xiX70IjPddQ= =RKPT -----END PGP SIGNATURE-----