===========================================================================
AUSCERT Security Bulletin

ASB-2018.0114
Chrome for Desktop 66.0.3359.170 released with critical security patch
11 May 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-6122 CVE-2018-6121 CVE-2018-6120
Member content until: Sunday, June 10 2018

OVERVIEW

Multiple vulnerabilities have been identified in Google Chrome for Windows, Mac and Linux prior to version 66.0.3359.170. [1]

IMPACT

The vendor has provided the following summary:

"[$TBD][835887] Critical: Chain leading to sandbox escape. Reported by Anonymous on 2018-04-23:

* [836858] High CVE-2018-6121: Privilege Escalation in extensions.
* [836141] High CVE-2018-6122: Type confusion in V8.

[$5000][833721] High CVE-2018-6120: Heap buffer overflow in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2018-04-17

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes

* [841841] Various fixes from internal audits, fuzzing and other initiatives" [1]

MITIGATION

The vendor advises updating to Chrome 66.0.3359.170 to address these issues. [1]

REFERENCES

[1] Chrome Stable Channel Update for Desktop 66.0.3359.170
    https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================