-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0225
             Google Chrome: Stable Channel Update for Desktop
                               31 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-5865 CVE-2019-5864 CVE-2019-5863
                      CVE-2019-5862 CVE-2019-5861 CVE-2019-5860
                      CVE-2019-5859 CVE-2019-5858 CVE-2019-5857
                      CVE-2019-5856 CVE-2019-5855 CVE-2019-5854
                      CVE-2019-5853 CVE-2019-5852 CVE-2019-5851
                      CVE-2019-5850
Member content until: Friday, August 30 2019

OVERVIEW

        Multiple security vulnerabilities have been addressed in Google
        Chrome version 76.0.3809.87. [1]


IMPACT

        The vendor has provided the following information:

        "This update includes 43 security fixes. Below, we highlight fixes
        that were contributed by external researchers. Please see the Chrome
        Security Page for more information.

        [$10000][977462] High CVE-2019-5850: Use-after-free in offline page
        fetcher. Reported by Brendon Tiszka on 2019-06-21
        [$6000][956947] High CVE-2019-5860: Use-after-free in PDFium. Reported by
        Anonymous on 2019-04-26
        [$3000][976627] High CVE-2019-5853: Memory corruption in regexp
        length check. Reported by yngwei(@yngweijw) of IIE Varas and
        sakura(@eternalsakura13) of Tencent Xuanwu Lab on 2019-06-19
        [$3000][977107] High CVE-2019-5851: Use-after-poison in offline audio
        context. Reported by Zhe Jin, Luyao Liu from Chengdu Security Response
        Center of Qihoo 360 Technology Co. Ltd on 2019-06-20
        [$TBD][959438] High CVE-2019-5859: res: URIs can load alternative
        browsers. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2019-05-03
        [$5000][964245] Medium CVE-2019-5856: Insufficient checks on filesystem:
        URI permissions. Reported by Yongke Wang of Tencent's Xuanwu Lab
        (xlab.tencent.com) on 2019-05-17
        [$N/A][943494] Medium CVE-2019-5863: Use-after-free in WebUSB on
        Windows. Reported by Yuxiang Li (@Xbalien29) of Tencent Security Platform
        Department on 2019-03-19
        [$N/A][964872] Medium CVE-2019-5855: Integer overflow in PDFium. Reported
        by Zhen Zhou of NSFOCUS Security Team on 2019-05-20
        [$TBD][973103] Medium CVE-2019-5865: Site isolation bypass from compromised
        renderer. Reported by Ivan Fratric of Google Project Zero on 2019-06-11
        [$500][960209] Low CVE-2019-5858: Insufficient filtering of Open URL service
        parameters. Reported by evi1m0 of Bilibili Security Team on 2019-05-07
        [$500][936900] Low CVE-2019-5864: Insufficient port filtering in CORS for
        extensions. Reported by Devin Grindle on 2019-02-28
        [$TBD][946260] Low CVE-2019-5862: AppCache not robust to compromised
        renderers. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research
        on 2019-03-26
        [$TBD][951525] Low CVE-2019-5861: Click location incorrectly
        checked. Reported by Robin Linus ( robinlinus.com ) on 2019-04-10
        [$N/A][961237] Low CVE-2019-5857: Comparison of -0 and null yields
        crash. Reported by cloudfuzzer on 2019-05-09
        [$N/A][966263] Low CVE-2019-5854: Integer overflow in PDFium text
        rendering. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-23
        [$TBD][976713] Low CVE-2019-5852: Object leak of utility functions. Reported
        by David Erceg on 2019-06-19" [1]


MITIGATION

        It is recommended that users update to version 76.0.3809.87 as soon as possible.
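        As an added example (not part of this bulletin or of Chrome), the
        Python check below parses "google-chrome --version" style output
        and compares it numerically against the fixed build 76.0.3809.87,
        so that a fleet inventory can be split into patched and unpatched
        hosts; the inventory lines and host names are constructed, and the
        tab-separated "host<TAB>version" format is an assumption.

```python
import re

# Build that closes the CVEs in this bulletin (taken from the bulletin).
FIXED_VERSION = "76.0.3809.87"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Extract the dotted version from output such as
    'Google Chrome 76.0.3809.87' and return it as a tuple of ints,
    so that segments compare numerically rather than as strings."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number found in: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed build is at or above the fixed build.
    Plain string comparison would wrongly rank a constructed
    '76.0.3809.9' above '76.0.3809.87'; tuples of ints do not."""
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory_lines, fixed=FIXED_VERSION):
    """Split 'host<TAB>version output' lines (assumed format) into
    (patched_hosts, unpatched_hosts), preserving input order."""
    patched, unpatched = [], []
    for line in inventory_lines:
        host, _, output = line.partition("\t")
        (patched if is_patched(output, fixed) else unpatched).append(host.strip())
    return patched, unpatched


# Constructed sample inventory; not real hosts or real fleet data.
SAMPLE_INVENTORY = [
    "ws01\tGoogle Chrome 76.0.3809.87",
    "ws02\tGoogle Chrome 75.0.3770.142",
    "ws03\tGoogle Chrome 76.0.3809.9",
    "ws04\tGoogle Chrome 77.0.3865.75",
]

if __name__ == "__main__":
    ok, needs_update = triage(SAMPLE_INVENTORY)
    print("patched:", ok)
    print("needs update to %s:" % FIXED_VERSION, needs_update)
```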


REFERENCES

        [1] Chrome Releases: Stable Channel Update for Desktop
            https://chromereleases.googleblog.com/2019/07/stable-channel-update-for-desktop_30.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----