===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0099
     A number of vulnerabilities have been identified in Google Chrome
                              14 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-6763 CVE-2015-6762 CVE-2015-6761
                      CVE-2015-6760 CVE-2015-6759 CVE-2015-6758
                      CVE-2015-6757 CVE-2015-6756 CVE-2015-6755
Member content until: Friday, November 13 2015

OVERVIEW

        A number of vulnerabilities have been identified in Google Chrome
        prior to version 46.0.2490.71. [1]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        "This update includes 24 security fixes. Below, we highlight fixes
        that were contributed by external researchers. Please see the 
        Chromium security page for more information.
        
        [$8837][519558] High CVE-2015-6755: Cross-origin bypass in Blink. 
        Credit to Mariusz Mlynski.
        
        [$6337][507316] High CVE-2015-6756: Use-after-free in PDFium. Credit
        to anonymous.
        
        [$3500][529520] High CVE-2015-6757: Use-after-free in ServiceWorker.
        Credit to Collin Payne.
        
        [$3000][522131] High CVE-2015-6758: Bad-cast in PDFium. Credit to 
        Atte Kettunen of OUSPG.
        
        [$1000][514076] Medium CVE-2015-6759: Information leakage in 
        LocalStorage. Credit to Muneaki Nishimura (nishimunea).
        
        [$1000][519642] Medium CVE-2015-6760: Improper error handling in 
        libANGLE. Credit to lastland.net.
        
        [$500][447860 & 532967] Medium CVE-2015-6761: Memory corruption in 
        FFMpeg. Credit to Aki Helin of OUSPG and anonymous.
        
        [$500][512678] Low CVE-2015-6762: CORS bypass via CSS fonts. Credit
        to Muneaki Nishimura (nishimunea)." [1]
        
        "As usual, our ongoing internal security work was responsible for a
        wide range of fixes:
        
        [542517] CVE-2015-6763: Various fixes from internal audits, 
        fuzzing and other initiatives.
        
        Multiple vulnerabilities in V8 fixed at the tip of the 4.6 
        branch (currently 4.6.85.23)." [1]


MITIGATION

        The vendor recommends updating to the latest version of Google
        Chrome to correct these issues. [1]
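
        The version check this mitigation implies, as an added example that
        is not part of the AusCERT bulletin or the vendor's notice: it flags
        installs older than 46.0.2490.71 and compares versions numerically,
        since plain string comparison misorders builds. The host names and
        inventory strings are constructed.

```python
import re

# Fixed version stated in the bulletin: Chrome prior to 46.0.2490.71 is affected.
FIXED = (46, 0, 2490, 71)

# Chrome versions are four dot-separated integers, often after a product name.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the 4-part version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(text):
    """True if older than FIXED, False if not, None if unparseable."""
    v = parse_version(text)
    return None if v is None else v < FIXED


def triage(inventory):
    """Split {host: version string} into vulnerable / ok / unknown host lists."""
    result = {"vulnerable": [], "ok": [], "unknown": []}
    for host, raw in sorted(inventory.items()):
        status = needs_update(raw)
        key = "unknown" if status is None else ("vulnerable" if status else "ok")
        result[key].append(host)
    return result


# Constructed sample inventory (hypothetical hosts, not from the bulletin).
SAMPLE = {
    "ws-01": "Google Chrome 45.0.2454.101",
    "ws-02": "46.0.2490.71",
    "ws-03": "Chromium 46.0.2490.8",   # older, though "8" > "71" as a string
    "ws-04": "Google Chrome 47.0.2526.73",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

        Hosts reported as unknown need a manual check rather than being
        treated as patched.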


REFERENCES

        [1] Stable Channel Update
            googlechromereleases.blogspot.com.au/2015/10/stable-channel-update.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================