-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0081
      Multiple vulnerabilities have been identified in Google Chrome
                              6 June 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Google Chrome
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5086 CVE-2017-5085 CVE-2017-5083 CVE-2017-5082
                   CVE-2017-5081 CVE-2017-5080 CVE-2017-5079 CVE-2017-5078
                   CVE-2017-5077 CVE-2017-5076 CVE-2017-5075 CVE-2017-5074
                   CVE-2017-5073 CVE-2017-5072 CVE-2017-5071 CVE-2017-5070
Member content until: Thursday, July 6 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Google Chrome prior
        to version 59.0.3071.86. [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:

        "[$7500][722756] High CVE-2017-5070: Type confusion in V8. Reported by
        Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16

        [$3000][715582] High CVE-2017-5071: Out of bounds read in V8. Reported
        by Choongwoo Han on 2017-04-26

        [$3000][709417] High CVE-2017-5072: Address spoofing in Omnibox.
        Reported by Rayyan Bijoora on 2017-04-07

        [$2000][716474] High CVE-2017-5073: Use after free in print preview.
        Reported by Khalil Zhani on 2017-04-28

        [$1000][700040] High CVE-2017-5074: Use after free in Apps Bluetooth.
        Reported by anonymous on 2017-03-09

        [$2000][678776] Medium CVE-2017-5075: Information leak in CSP
        reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05

        [$1000][722639] Medium CVE-2017-5086: Address spoofing in Omnibox.
        Reported by Rayyan Bijoora on 2017-05-16

        [$1000][719199] Medium CVE-2017-5076: Address spoofing in Omnibox.
        Reported by Samuel Erb on 2017-05-06

        [$1000][716311] Medium CVE-2017-5077: Heap buffer overflow in Skia.
        Reported by Sweetchip on 2017-04-28

        [$1000][711020] Medium CVE-2017-5078: Possible command injection in
        mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12

        [$500][713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by
        Khalil Zhani on 2017-04-20

        [$500][708819] Medium CVE-2017-5080: Use after free in credit card
        autofill. Reported by Khalil Zhani on 2017-04-05

        [$N/A][672008] Medium CVE-2017-5081: Extension verification bypass.
        Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on
        2016-12-07

        [$N/A][721579] Low CVE-2017-5082: Insufficient hardening in credit
        card editor. Reported by Nightwatch Cybersecurity Research on
        2017-05-11

        [$N/A][714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by
        Khalil Zhani on 2017-04-24

        [$N/A][692378] Low CVE-2017-5085: Inappropriate javascript execution
        on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform
        department on 2017-02-15" [1]

MITIGATION

        The vendor advises users to upgrade to the latest version to fix
        these issues.

REFERENCES

        [1] Stable Channel Update for Desktop
            https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWTY70ox+lLeg9Ub1AQj9gQ/+JDs9JvOVU0E2/mUpBJXimSXWxxMWFAND
mw/Nw6TnZqO8nZ0F3GxcpRT66NQEBYDlqpfZrSB0D7H8+q0Z/YKSw+zd8G1XIMh6
N1QTZFI6WVkO6nVIlRnWls2f2RV11ccIoBbOy+HCnJsct8Sde0ZLxVoX17AzCcmo
fV0HdbLcBVcm/7SL0oA2Fv1eXU+bS38QccvB4PdBXRZWqf25J6ndKvPkJIb3gP8f
Bnmhlt25AE6N1IQxN+yQoBA2nuaZu2Q2Qedskd/kfSFQHHJHt+0fdqVq755meoX1
lDoHqdQxr+qSt4Kfnzh//od/sQfO2LBo1DcYUGQBj+vpG2I42Qx1359Gy1kxJG+k
Ze41ffbwpp+C0KIOpYF5JxcZ2BwqxqS3s6ZCCJm/Lz1Zgg16c0c9tgWyWzlRq0eM
90VGg0GgyzxANDIJlxhgj5p2QnOnn/uUTUXnkHmSOg20nC4NWenQyO/FsaVToYSj
alE5WxI8oIx948d2+KKB6/0QvZ5/IS/tYtHj2pBzT/Qi67HWFBqh15dgDG1LdUXu
eJqkFA3fgTRIyrwCNuDz6B934AGEeBo69u/fQ+sKgxkKS/rwZFf7VcqIzL5HJtCZ
aFKJ512KwzNkQFd2mLXR8qkXzA2RV985NL6nvE0XP44gwjLXjmV4NBOhb7APHBIn
oXyLi1TFXlI=
=urG/
-----END PGP SIGNATURE-----
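The two actionable pieces of this bulletin are the fixed version in OVERVIEW (59.0.3071.86) and the per-CVE entries quoted in IMPACT. The following Python is an added example, not part of the AusCERT bulletin or of Google's release notes: it parses entries written in the vendor's quoted format (`[$bounty][bug-id] Severity CVE-...: Title. Reported by ... on date`) into records for tracking, and checks installed Chrome versions from a constructed inventory list against the fixed version so that hosts still on an affected build can be found. The sample entries are copied from the bulletin; the inventory lines and hostnames are constructed.

```python
"""Added example (not from the bulletin): parse Chrome release-note CVE
entries as quoted by AusCERT, and flag installed versions older than the
fixed release named in the bulletin's OVERVIEW."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "59.0.3071.86"  # from the bulletin's OVERVIEW section

# One entry in the vendor's format, as quoted in the IMPACT section:
#   [$bounty][bug-id] Severity CVE-YYYY-NNNN: Title. Reported by <who> on <date>
ENTRY_RE = re.compile(
    r"\[\$(?P<bounty>[^\]]+)\]\[(?P<bug>\d+)\]\s*"
    r"(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?P<cve>CVE-\d{4}-\d{4,7}):\s*(?P<title>.*?)\.\s+"
    r"Reported by (?P<reporter>.*?) on (?P<date>\d{4}-\d{2}-\d{2})"
)

# Sample entries copied verbatim from the bulletin's IMPACT section.
SAMPLE_NOTES = """
[$7500][722756] High CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16
[$3000][709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07
[$1000][711020] Medium CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12
[$N/A][721579] Low CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11
"""

# Constructed inventory lines: "<hostname> <installed Chrome version>".
SAMPLE_INVENTORY = [
    "ws-01 59.0.3071.86",
    "ws-02 58.0.3029.110",
    "ws-03 59.0.3071.104",
]


@dataclass
class Entry:
    cve: str
    severity: str
    title: str
    bug_id: int
    bounty: Optional[int]  # None when the vendor lists "$N/A"
    reporter: str
    reported: str


def parse_entries(text: str) -> List[Entry]:
    """Extract every vendor entry from free text; line breaks inside an
    entry (as in the wrapped bulletin) are tolerated by collapsing whitespace."""
    flat = " ".join(text.split())
    entries = []
    for m in ENTRY_RE.finditer(flat):
        bounty = m.group("bounty")
        entries.append(Entry(
            cve=m.group("cve"),
            severity=m.group("severity"),
            title=m.group("title"),
            bug_id=int(m.group("bug")),
            bounty=int(bounty) if bounty.isdigit() else None,
            reporter=m.group("reporter").strip(),
            reported=m.group("date"),
        ))
    return entries


def severity_counts(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.severity] = counts.get(e.severity, 0) + 1
    return counts


def parse_version(v: str) -> Tuple[int, ...]:
    """Chrome versions are dotted integers; compare numerically so that
    59.0.3071.104 sorts after 59.0.3071.86 (a string compare gets this wrong)."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def hosts_needing_upgrade(inventory: List[str]) -> List[str]:
    """Return hostnames whose recorded Chrome version is still affected."""
    needing = []
    for line in inventory:
        host, version = line.split()
        if is_affected(version):
            needing.append(host)
    return needing


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_NOTES)
    for e in parsed:
        print(f"{e.cve} [{e.severity}] {e.title} (bug {e.bug_id})")
    print("by severity:", severity_counts(parsed))
    print("hosts to upgrade:", hosts_needing_upgrade(SAMPLE_INVENTORY))
```

The version check is the part worth keeping: a string comparison of `"59.0.3071.104" < "59.0.3071.86"` returns True and would wrongly report a patched host as affected, which is why `parse_version` converts each component to an integer before comparing.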