===========================================================================
AUSCERT Security Bulletin

ASB-2012.0064
A number of vulnerabilities have been identified in Google Chrome
1 May 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1521 CVE-2011-3081 CVE-2011-3080
                      CVE-2011-3079 CVE-2011-3078
Member content until: Thursday, May 31 2012

OVERVIEW

        A number of vulnerabilities have been identified in Google Chrome
        prior to version 18.0.1025.168. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "[106413] High CVE-2011-3078: Use after free in floats handling.
        Credit to Google Chrome Security Team (Marty Barbella) and
        independent later discovery by miaubiz.

        [117110] High CVE-2012-1521: Use after free in xml parser. Credit
        to Google Chrome Security Team (SkyLined) and independent later
        discovery by wushi of team509 reported through iDefense VCP
        (V-874rcfpq7z).

        [117627] Medium CVE-2011-3079: IPC validation failure. Credit to
        PinkiePie.

        [121726] Medium CVE-2011-3080: Race condition in sandbox IPC.
        Credit to Willem Pinckaers of Matasano.

        [$1000] [121899] High CVE-2011-3081: Use after free in floats
        handling. Credit to miaubiz." [1]

MITIGATION

        The vendor recommends upgrading to the latest version of Google
        Chrome to correct these issues.

REFERENCES

        [1] Stable Channel Update
            http://googlechromereleases.blogspot.com.au/2012/04/stable-channel-update_30.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================