-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin

                          ASB-2014.0018
      A number of vulnerabilities have been identified in Google Chrome
                          24 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      Mac OS
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Unknown/Unspecified
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-6661 CVE-2013-6660 CVE-2013-6659 CVE-2013-6658
                      CVE-2013-6657 CVE-2013-6656 CVE-2013-6655 CVE-2013-6654
                      CVE-2013-6653 CVE-2013-6652
Member content until: Wednesday, March 26 2014

OVERVIEW

        A number of vulnerabilities have been identified in Google Chrome
        prior to version 33.0.1750.117 for Windows, Mac and Linux.

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "This update includes 28 security fixes. Below, we highlight fixes
        that were either contributed by external researchers or particularly
        interesting. Please see the Chromium security page for more
        information.

        [$2000][334897] High CVE-2013-6652: Issue with relative paths in
        Windows sandbox named pipe policy. Credit to tyranid.

        [$1000][331790] High CVE-2013-6653: Use-after-free related to web
        contents. Credit to Khalil Zhani.

        [$3000][333176] High CVE-2013-6654: Bad cast in SVG. Credit to
        TheShow3511.

        [$3000][293534] High CVE-2013-6655: Use-after-free in layout. Credit
        to cloudfuzzer.

        [$500][331725] High CVE-2013-6656: Information leak in XSS auditor.
        Credit to NeexEmil.

        [$1000][331060] Medium CVE-2013-6657: Information leak in XSS
        auditor. Credit to NeexEmil.

        [$2000][322891] Medium CVE-2013-6658: Use-after-free in layout.
        Credit to cloudfuzzer.

        [$1000][306959] Medium CVE-2013-6659: Issue with certificates
        validation in TLS handshake. Credit to Antoine Delignat-Lavaud and
        Karthikeyan Bhargavan from Prosecco, Inria Paris.

        [332579] Low CVE-2013-6660: Information leak in drag and drop.
        Credit to bishopjeffreys.

        As usual, our ongoing internal security work was responsible for a
        wide range of fixes:

        [344876] Low-High CVE-2013-6661: Various fixes from internal audits,
        fuzzing and other initiatives. Of these, seven are fixes for issues
        that could have allowed for sandbox escapes from compromised
        renderers.

        Many of the above bugs were detected using AddressSanitizer."

MITIGATION

        The vendor recommends updating to the latest version of Google
        Chrome to correct these issues. [1]

REFERENCES

        [1] Stable Channel Update
            http://googlechromereleases.blogspot.com.au/2014/02/stable-channel-update_20.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUwqvDBLndAQH1ShLAQIIPA/+LqVMh9uinbc0mfToitTHgFDi8seHgIvl
rAyE95yZoe39UvoeGLjKJnrRp3JYH0G+MIymISGkDqX1PV5xybCmWK6z/s4IiwtF
FhUDGA3PDylZsX73+J0nKQnXNnU2D8GeP53MsYcQ6EbBzfFKnMu3zRcwwVRbMSTR
zmGjR3tDmZNWSgIlWo+TwBN6C/40ShgR6xLqSuLs7VfjWvV0Cmw3a2C9+Ezm0UW4
BjUSY26fKFJdAZM1u+jOgex7R7cuUYMIQZWiFH40CaRhv1pzfb5Aso8qXURGu46w
Fv7p09ZFrDj3y5IK+gsRGrPlfzkWh0KPSzQkmJPm+2zT3WzWYS8Ho3At0aki0nhQ
HAZQDhzeqXXF5b5h7Ci6Agh62/C14FqhdU2BpwQ9sgjlBK4TSIaucDYj5nejjemf
60qHB7zqo6cSvgtuarYouyRUZu+RGRIRVkRCAPaA8aALDIA0MJ2pL/dDjX/tOK9K
Vbf+HlBchUgppWN3H2Z6MbIXZFViWw3vUfQK2IHjJ3tmHw9qKJGqqgZb2H0BFUN0
XcoFpMWxc0p7ynBkpKRuactQr611hGiAB4t2x7Z1S5AB4kvlFQH078IG27QgexRy
BVbYAfuBnHp9aYUYILSRY5mUwfaS3eION7lVx45zS74NFJ8w+8k6hbZBp/GPpQKy
ezaqAOsE+fc=
=9ljH
-----END PGP SIGNATURE-----
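The bulletin's only mitigation is to move to a Chrome build at or above 33.0.1750.117. The script below is an added example and is not part of the AusCERT bulletin or of Google's release notes. It compares a Chrome version against that fixed version component by component, so that 33.0.1750.9 is correctly treated as older than 33.0.1750.117 (a plain string comparison gets this backwards), and on Linux or macOS it makes a best-effort attempt to read the installed version from the usual binary locations. The binary paths are assumptions; detection returns None when no binary is found, and nothing is inferred for Windows.

```python
"""Check whether an installed Google Chrome build predates the fixed
release named in ASB-2014.0018 (33.0.1750.117).

Added example for the bulletin above; not AusCERT's or Google's code.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed version taken from the bulletin's OVERVIEW section.
FIXED_VERSION = "33.0.1750.117"

# Candidate Chrome executables on Linux and macOS (assumed locations).
CHROME_CANDIDATES = [
    "google-chrome",
    "google-chrome-stable",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric version from text such as
    'Google Chrome 33.0.1750.117' and return it as a tuple of ints.
    Raises ValueError if no version is present."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer
    than version b. Missing trailing components count as zero, so
    '33.0' compares equal to '33.0.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa = pa + (0,) * (n - len(pa))
    pb = pb + (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is strictly older than the fixed build."""
    return compare_versions(installed, fixed) < 0


def detect_chrome_version() -> Optional[str]:
    """Best-effort: run the first Chrome binary found with --version and
    return its dotted version string, or None if no binary runs."""
    for candidate in CHROME_CANDIDATES:
        path = candidate if candidate.startswith("/") else shutil.which(candidate)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10, check=False).stdout
            return ".".join(str(p) for p in parse_version(out))
        except (OSError, ValueError, subprocess.TimeoutExpired):
            # Binary missing, not executable, no version printed, or hung.
            continue
    return None


if __name__ == "__main__":
    ver = detect_chrome_version()
    if ver is None:
        print("Chrome not found on this host (or unsupported platform)")
    elif is_affected(ver):
        print(f"Chrome {ver} is older than {FIXED_VERSION}: update required")
    else:
        print(f"Chrome {ver} is at or above {FIXED_VERSION}")
```

The numeric comparison is the part worth keeping even if the detection is replaced by an inventory feed: fleet tools that compare version strings lexicographically will report 33.0.1750.9 as newer than the fixed build and miss affected hosts.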