-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0008
      Multiple vulnerabilities have been identified in Google Chrome
                             26 January 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      OS X
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5026 CVE-2017-5025 CVE-2017-5024 CVE-2017-5023
                      CVE-2017-5022 CVE-2017-5021 CVE-2017-5020 CVE-2017-5019
                      CVE-2017-5018 CVE-2017-5017 CVE-2017-5016 CVE-2017-5015
                      CVE-2017-5014 CVE-2017-5013 CVE-2017-5012 CVE-2017-5011
                      CVE-2017-5010 CVE-2017-5009 CVE-2017-5008 CVE-2017-5007
                      CVE-2017-5006
Member content until: Saturday, February 25 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Google Chrome
        prior to version 56.0.2924.76 [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:

        "[$8837][671102] High CVE-2017-5007: Universal XSS in Blink.
         Credit to Mariusz Mlynski
        [$8000][673170] High CVE-2017-5006: Universal XSS in Blink.
         Credit to Mariusz Mlynski
        [$8000][668552] High CVE-2017-5008: Universal XSS in Blink.
         Credit to Mariusz Mlynski
        [$7500][663476] High CVE-2017-5010: Universal XSS in Blink.
         Credit to Mariusz Mlynski
        [$3000][662859] High CVE-2017-5011: Unauthorised file access in Devtools.
         Credit to Khalil Zhani
        [$3000][667504] High CVE-2017-5009: Out of bounds memory access in WebRTC.
         Credit to Sean Stanek and Chip Bradford
        [$5500][681843] High CVE-2017-5012: Heap overflow in V8.
         Credit to Gergely Nagy (Tresorit)
        [$2000][677716] Medium CVE-2017-5013: Address spoofing in Omnibox.
         Credit to Haosheng Wang (@gnehsoah)
        [$2000][675332] Medium CVE-2017-5014: Heap overflow in Skia.
         Credit to sweetchip
        [$2000][673971] Medium CVE-2017-5015: Address spoofing in Omnibox.
         Credit to Armin Razmdjou
        [$2000][666714] Medium CVE-2017-5019: Use after free in Renderer.
         Credit to Wadih Matar
        [$1000][673163] Medium CVE-2017-5016: UI spoofing in Blink.
         Credit to Haosheng Wang (@gnehsoah)
        [$500][676975] Medium CVE-2017-5017: Uninitialised memory access in webm video.
         Credit to danberm
        [$500][668665] Medium CVE-2017-5018: Universal XSS in chrome://apps.
         Credit to Rob Wu
        [$TBD][668653] Medium CVE-2017-5020: Universal XSS in chrome://downloads.
         Credit to Rob Wu
        [$N/A][663726] Low CVE-2017-5021: Use after free in Extensions.
         Credit to Rob Wu
        [$N/A][663620] Low CVE-2017-5022: Bypass of Content Security Policy in Blink.
         Credit to ??? of ??????PKAV Team
        [$N/A][651443] Low CVE-2017-5023: Type confusion in metrics.
         Credit to the UK's National Cyber Security Centre (NCSC)
        [$N/A][643951] Low CVE-2017-5024: Heap overflow in FFmpeg.
         Credit to Paul Mehta
        [$N/A][643950] Low CVE-2017-5025: Heap overflow in FFmpeg.
         Credit to Paul Mehta
        [$500][634108] Low CVE-2017-5026: UI spoofing.
         Credit to Ronni Skansing" [1]

MITIGATION

        The vendor advises users to upgrade to the latest version to fix
        these issues. [1]

REFERENCES

        [1] Stable Channel Update for Desktop
            https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWImC3ox+lLeg9Ub1AQiF0Q/8DGTKUBURFAH+9Zq/J1vdjLl5XdmzqBx1
P9KEXfW03r1tNubca9cLMzE/Bk8lxPuRcfyJ0cEcrSbT85L6ktJyFncbBwkq6wHI
1fBJ4AFegoMc35qPjW63zO9kD/6ZmbKFICgRBYyDM2slQ6Q+YILylz8WJFPTKpFe
4kqZB/H8sf3vdR46iRh5HZGFHGvzUDexkUVeTm26qKX/WPjG7DqkAJ2V/rl05IGa
k6I9v5A//kpCmUNTIV1XIDAxWfKP5ZS2Pqs+evyso3cFSStNiM/YIpuKfMUJRoKN
8V+LjKUx8bJKMscuLlHYlreGH6bsNqNJrf6eGZe0zkIb1ryqLKSwcdf1q38m6LTJ
sNhqyI6ZqLyUQw9P3KbsE+SFgWqjDpVW0Vz4luBjFs8h8/7dZvdSWzd2D0YmNpiw
Nch2hL6UUJXd38MA0jVChnrCpHYFe7cKmToQpPUVsJ/aMtzlVADhUJkwDbYhZhVe
m3qJqb1bs33JMDh7cV89wtI7M71i67Xy4WckOqzDXeJizRVNcaVfvwacgfwpPV4O
Ay0LoUR3u7tDMMAPtChswS/aRWe9angmI9Smwdz3O6Yri1emoqdnYFZ2uYycKo5v
sHyzKzUXiD0N/W6BdHgUAXuDfsXBTD3PzryBAjmjcp1smSkABMh/O+c0qZ6VOm1p
zVe11uFS3VQ=
=WDuI
-----END PGP SIGNATURE-----
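The OVERVIEW and MITIGATION sections above say that builds prior to 56.0.2924.76 are affected and that the fix is to upgrade. The following Python script is an added example, not part of the AusCERT bulletin or of Google's tooling: it parses the kind of "Google Chrome 55.0.2883.87" string that Chrome prints when asked for its version, compares it numerically against the fixed release named in the bulletin, and reports which hosts in an inventory still need the upgrade. The hostnames and version strings in SAMPLE_INVENTORY are constructed for the example. The numeric comparison matters because a plain string comparison would wrongly rank 56.0.2924.9 above 56.0.2924.76.

```python
"""Added example (not part of ASB-2017.0008): flag Chrome builds that predate
the fixed release named in the bulletin."""
import re
from typing import Dict, Optional, Tuple

# First fixed release according to the bulletin's OVERVIEW section.
FIXED_VERSION = "56.0.2924.76"

# Matches a dotted version such as 56.0.2924.76 anywhere in a string, so it
# works on the raw "Google Chrome 55.0.2883.87" style output as well as on a
# bare version number taken from an inventory tool.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted version in `text` as a tuple of ints,
    or None when the string holds no version-like token (for example an
    error message where a version was expected)."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if `installed` predates `fixed`, False if it is equal or newer,
    None if `installed` carries no parseable version.
    Components are compared as integers, so 56.0.2924.9 < 56.0.2924.76."""
    inst = parse_version(installed)
    ref = parse_version(fixed)
    if inst is None or ref is None:
        return None
    # Pad the shorter tuple with zeros so "56.0" is treated as 56.0.0.0.
    width = max(len(inst), len(ref))
    inst = inst + (0,) * (width - len(inst))
    ref = ref + (0,) * (width - len(ref))
    return inst < ref


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'fixed' or 'unknown' based on the
    version string collected from it."""
    verdicts = {}
    for host, reported in inventory.items():
        result = is_vulnerable(reported)
        if result is None:
            verdicts[host] = "unknown"
        else:
            verdicts[host] = "vulnerable" if result else "fixed"
    return verdicts


# Constructed sample inventory: hypothetical hostnames and the string each
# host returned when asked for its Chrome version.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 55.0.2883.87",
    "ws-02": "Google Chrome 56.0.2924.76",
    "ws-03": "Google Chrome 56.0.2924.9",   # string compare would miss this one
    "ws-04": "Google Chrome 57.0.2987.98",
    "ws-05": "command not found",           # Chrome absent or query failed
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

Hosts reported as "unknown" deserve a manual look rather than being assumed safe: a missing or unparseable version string usually means the query failed, not that Chrome is absent.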