-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0114
  Chrome for Desktop 66.0.3359.170 released with critical security patch
                                11 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-6122 CVE-2018-6121 CVE-2018-6120
Member content until: Sunday, June 10 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Google Chrome for
        Windows, Mac and Linux prior to version 66.0.3359.170. [1]


IMPACT

        The vendor has provided the following summary:
        
        "[$TBD][835887] Critical: Chain leading to sandbox escape. Reported by
        Anonymous on 2018-04-23:

          * [836858] High CVE-2018-6121: Privilege Escalation in extensions.
          * [836141] High CVE-2018-6122: Type confusion in V8.

        [$5000][833721] High CVE-2018-6120: Heap buffer overflow in PDFium.
        Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on
        2018-04-17.

        We would also like to thank all security researchers that worked with
        us during the development cycle to prevent security bugs from ever
        reaching the stable channel.

        As usual, our ongoing internal security work was responsible for a wide
        range of fixes:

          * [841841] Various fixes from internal audits, fuzzing and other
            initiatives" [1]


MITIGATION

        The vendor advises updating to Chrome 66.0.3359.170 to address these issues. [1]


REFERENCES

        [1] Chrome Stable Channel Update for Desktop 66.0.3359.170
            https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----