-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0090
      Multiple vulnerabilities have been identified in Google Chrome
                             15 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      OS X
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-5175 CVE-2016-5174 CVE-2016-5173
                      CVE-2016-5172 CVE-2016-5171 CVE-2016-5170
Member content until: Saturday, October 15 2016

OVERVIEW

        Multiple vulnerabilities have been identified in Google Chrome prior
        to version 53.0.2785.113. [1]


IMPACT

        The vendor has provided the following information:
        
        "This update includes these security fixes. Below, we highlight 
        fixes that were contributed by external researchers, including those
        not already mentioned in recent release notes. Please see the Chrome
        Security Page for more information.
        
        [$TBD][641101] High CVE-2016-5170: Use after free in Blink. Credit 
        to Anonymous
        
        [$TBD][643357] High CVE-2016-5171: Use after free in Blink. Credit 
        to Anonymous
        
        [$TBD][616386] Medium CVE-2016-5172: Arbitrary Memory Read in v8. 
        Credit to Choongwoo Han
        
        [$3000][468931] Medium CVE-2016-5173: Extension resource access. 
        Credit to Anonymous
        
        [$1000][579934] Medium CVE-2016-5174: Popup not correctly 
        suppressed. Credit to Andrey Kovalev (@L1kvID) Yandex Security Team
        
        We would also like to thank all security researchers that worked 
        with us during the development cycle to prevent security bugs from 
        ever reaching the stable channel.
        
        As usual, our ongoing internal security work was responsible for a 
        wide range of fixes:
        
        - [646394] CVE-2016-5175: Various fixes from internal audits, 
        fuzzing and other initiatives." [1]


MITIGATION

        The vendor recommends updating to the latest version. [1]


REFERENCES

        [1] Stable Channel Update for Desktop
            https://googlechromereleases.blogspot.com.au/2016/09/stable-channel-update-for-desktop_13.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----