
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0097
   A number of vulnerabilities have been identified in Google Chrome for
           Windows, Mac and Linux prior to version 36.0.1985.143
                              14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Linux variants
                      Windows
                      OS X
Impact/Access:        Denial of Service               -- Remote with User Interaction
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3167 CVE-2014-3166 CVE-2014-3165
Member content until: Saturday, September 13 2014

OVERVIEW

        A number of vulnerabilities have been identified in Google Chrome for
        Windows, Mac and Linux prior to version 36.0.1985.143. [1]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        "This update includes 12 security fixes. Below, we highlight fixes 
        that were either contributed by external researchers or particularly
        interesting. Please see the Chromium security page for more 
        information.
        
        [$2000][390174] High CVE-2014-3165: Use-after-free in web sockets. 
        Credit to Collin Payne.
        
        [398925] High CVE-2014-3166: Information disclosure in SPDY. Credit
        to Antoine Delignat-Lavaud.
        
        As usual, our ongoing internal security work was responsible for a
        wide range of fixes:
        
        [400950] CVE-2014-3167: Various fixes from internal audits, 
        fuzzing and other initiatives.
        
        Many of the above bugs were detected using AddressSanitizer." [1]


MITIGATION

        The vendor recommends updating to the latest versions of Google 
        Chrome to correct these issues. [1]


REFERENCES

        [1] Stable Channel Update
            http://googlechromereleases.blogspot.com.au/2014/08/stable-channel-update.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================