===========================================================================
                   AUSCERT Security Bulletin ASB-2015.0099
        A number of vulnerabilities have been identified in Google Chrome
                              14 October 2015
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Google Chrome
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-6763 CVE-2015-6762 CVE-2015-6761 CVE-2015-6760
                      CVE-2015-6759 CVE-2015-6758 CVE-2015-6757 CVE-2015-6756
                      CVE-2015-6755
Member content until: Friday, November 13 2015

OVERVIEW

A number of vulnerabilities have been identified in Google Chrome prior to
version 46.0.2490.71. [1]

IMPACT

The vendor has provided the following details regarding these issues:

"This update includes 24 security fixes. Below, we highlight fixes that were
contributed by external researchers. Please see the Chromium security page
for more information.

[$8837][519558] High CVE-2015-6755: Cross-origin bypass in Blink.
Credit to Mariusz Mlynski.

[$6337][507316] High CVE-2015-6756: Use-after-free in PDFium.
Credit to anonymous.

[$3500][529520] High CVE-2015-6757: Use-after-free in ServiceWorker.
Credit to Collin Payne.

[$3000][522131] High CVE-2015-6758: Bad-cast in PDFium.
Credit to Atte Kettunen of OUSPG.

[$1000][514076] Medium CVE-2015-6759: Information leakage in LocalStorage.
Credit to Muneaki Nishimura (nishimunea).

[$1000][519642] Medium CVE-2015-6760: Improper error handling in libANGLE.
Credit to lastland.net.

[$500][447860 & 532967] Medium CVE-2015-6761: Memory corruption in FFMpeg.
Credit to Aki Helin of OUSPG and anonymous.

[$500][512678] Low CVE-2015-6762: CORS bypass via CSS fonts.
Credit to Muneaki Nishimura (nishimunea)." [1]

"As usual, our ongoing internal security work was responsible for a wide
range of fixes:

[542517] CVE-2015-6763: Various fixes from internal audits, fuzzing and
other initiatives.

Multiple vulnerabilities in V8 fixed at the tip of the 4.6 branch
(currently 4.6.85.23)." [1]

MITIGATION

The vendor recommends updating to the latest version of Google Chrome to
correct these issues. [1]

REFERENCES

[1] Stable Channel Update
    googlechromereleases.blogspot.com.au/2015/10/stable-channel-update.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
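To act on the MITIGATION section, a fleet owner needs to tell which installed builds are older than the fixed release named in the OVERVIEW (46.0.2490.71). The check below is an added example, not part of the AusCERT bulletin or of Google's code; the hostnames and the `chrome --version` strings in the sample inventory are constructed, and the point it demonstrates is that versions must be compared field by field as integers, since a plain string comparison ranks "46.0.2490.9" above "46.0.2490.71".

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the AusCERT bulletin or Google's code.
# First Chrome release carrying the fixes, as stated in the OVERVIEW.
FIXED_VERSION = "46.0.2490.71"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '46.0.2490.71' into a tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is older than `fixed`, compared field by field.
    A string comparison would rank '46.0.2490.9' above '46.0.2490.71', so the
    fields are compared numerically; missing trailing fields count as 0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def version_from_cli_output(line: str) -> str:
    """Extract the dotted version from text like 'Google Chrome 45.0.2454.101'
    (the shape printed by `chrome --version`); raises if none is present."""
    match = re.search(r"\b(\d+(?:\.\d+){1,3})\b", line)
    if match is None:
        raise ValueError(f"no version found in {line!r}")
    return match.group(1)


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Given hostname -> `chrome --version` output, list hosts still affected."""
    return sorted(host for host, out in inventory.items()
                  if is_vulnerable(version_from_cli_output(out)))


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 45.0.2454.101",  # pre-fix stable build
    "ws-02": "Google Chrome 46.0.2490.71",   # exactly the fixed release
    "ws-03": "Google Chrome 46.0.2490.9",    # numerically older than .71
    "ws-04": "Google Chrome 46.0.2490.80",   # later point release
}

if __name__ == "__main__":
    print("needs upgrade:", hosts_needing_upgrade(SAMPLE_INVENTORY))
```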
===========================================================================