27 March 2013
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2013.0047 A number of vulnerabilities have been identified in Google Chrome 27 March 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Chrome Operating System: Windows OS X Linux variants Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2013-0926 CVE-2013-0925 CVE-2013-0924 CVE-2013-0923 CVE-2013-0922 CVE-2013-0921 CVE-2013-0920 CVE-2013-0919 CVE-2013-0918 CVE-2013-0917 CVE-2013-0916 Member content until: Friday, April 26 2013 OVERVIEW A number of vulnerabilities have been identified in Google Chrome prior to version 26.0.1410.43 for Windows, Mac, Linux, and Chrome Frame.  IMPACT The vendor has provided the following details regarding these issues: "[$1000]  High CVE-2013-0916: Use-after-free in Web Audio. Credit to Atte Kettunen of OUSPG.  Low CVE-2013-0917: Out-of-bounds read in URL loader. Credit to Google Chrome Security Team (Cris Neckar).  Low CVE-2013-0918: Do not navigate dev tools upon drag and drop. Credit to Vsevolod Vlasov of the Chromium development community. [Linux only]  Medium CVE-2013-0919: Use-after-free with pop-up windows in extensions. Credit to Google Chrome Security Team (Mustafa Emre Acer).  Medium CVE-2013-0920: Use-after-free in extension bookmarks API. Credit to Google Chrome Security Team (Mustafa Emre Acer).  High CVE-2013-0921: Ensure isolated web sites run in their own processes.  Low CVE-2013-0922: Avoid HTTP basic auth brute force attempts. Credit to t3553r.    Medium CVE-2013-0923: Memory safety issues in the USB Apps API. Credit to Google Chrome Security Team (Mustafa Emre Acer).  Low CVE-2013-0924: Check an extensions permissions API usage again file permissions. Credit to Benjamin Kalman of the Chromium development community.  Low CVE-2013-0925: Avoid leaking URLs to extensions without the tabs permissions. Credit to Michael Vrable of Google.  Medium CVE-2013-0926: Avoid pasting active tags in certain situations. Credit to Subho Halder, Aditya Gupta, and Dev Kar of xys3c (xysec.com)."  MITIGATION The vendor recommends updating to the latest version of Google Chrome to correct these issues.  REFERENCES  Stable Channel Update http://googlechromereleases.blogspot.com.au/2013/03/stable-channel-update_26.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUVJZWO4yVqjM2NGpAQJghQ//Zp5O35B6/BqPHr+iIDxeJqlzZts+dIOn spQGM0nR4rMewKELVJYcsziNGIa00F/yuwcp8/nE0aqv6Rv6jmN3BzrKeoyISXuL hseAgfPzDERx5tH16PaariyzTgLIde2gL8JLM3xNiUm2rFbZCf+2r5NG7MO3YjZN vkXDUIFBZtEeZ0rJf1qV5ATZ6/xwa8EldtfET8zNs7amk25Yhasvij96dvRlAYtP ADCR8SLX6TGTwBmJwHqNenk1etoro89doCffwjFaCvIm7o2cKWI2PdO9LBXUB1CM ocGcXMAtg4FJSX3JzPO4wIbnLz7Yy8DxRno9LKVWBK0iUSXljGIRSF5A7v9MykIu YFnZV/kIMV6oMdx0LMq1xG5Mtfa8/eQohv2LC1qT83hGKT2+o0B7/Ug72Cl4YVvc YVmp+LINmfHiUIfE0fwwPpYjMW1YgG8wKxxSPggTVV7oQKDS3l/Jb1ars1JaRB6v XwoXkjsgnqSOm6w9WR1lMfsTYfgyv+VkXJWhF8a6dzn5xCklU7qZIJ7KauAFSFzp tDiqQY1odRLVrS7ACRyCI+OANstWhwFcLahnqG5FScGP6/eHo5eaUjLsTcIZcigz vwbdSfJz6UUxlDo+hqHkKKtygFFm/I1W+Fj3LJH3iNldVmJEKf4JKiMsFt9AW9aL +DARetKy7GQ= =adbO -----END PGP SIGNATURE-----