-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0308
Chrome 78.0.3904.70 security and feature update
24 October 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Chrome
Operating System:  Windows
                   Mac OS
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands  -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15903 CVE-2019-13719 CVE-2019-13718
                   CVE-2019-13717 CVE-2019-13716 CVE-2019-13715
                   CVE-2019-13714 CVE-2019-13713 CVE-2019-13711
                   CVE-2019-13710 CVE-2019-13709 CVE-2019-13708
                   CVE-2019-13707 CVE-2019-13706 CVE-2019-13705
                   CVE-2019-13704 CVE-2019-13703 CVE-2019-13702
                   CVE-2019-13701 CVE-2019-13700 CVE-2019-13699
Member content until: Saturday, November 23 2019
OVERVIEW
Google has released Chrome 78.0.3904.70 for Windows, Mac and Linux,
featuring 37 security fixes. The externally reported issues that were
assigned CVEs are listed below; the highest-rated are two High-severity
memory-safety bugs (a use-after-free in media and a buffer overrun in
Blink) that are reachable from web content. [1]
IMPACT
Google has provided the following information:
"[$20000][1001503] High CVE-2019-13699: Use-after-free in media. Reported by Man
Yue Mo of Semmle Security Research Team on 2019-09-06
[$15000][998431] High CVE-2019-13700: Buffer overrun in Blink. Reported by Man
Yue Mo of Semmle Security Research Team on 2019-08-28
[$1000][998284] High CVE-2019-13701: URL spoof in navigation. Reported by David
Erceg on 2019-08-27
[$5000][991125] Medium CVE-2019-13702: Privilege elevation in Installer.
Reported by Phillip Langlois (phillip.langlois@nccgroup.com) and Edward
Torkington (edward.torkington@nccgroup.com), NCC Group on 2019-08-06
[$3000][992838] Medium CVE-2019-13703: URL bar spoofing. Reported by Khalil
Zhani on 2019-08-12
[$3000][1001283] Medium CVE-2019-13704: CSP bypass. Reported by Jun Kokatsu,
Microsoft Browser Vulnerability Research on 2019-09-05
[$2000][989078] Medium CVE-2019-13705: Extension permission bypass. Reported by
Luan Herrera (@lbherrera_) on 2019-07-30
[$2000][1001159] Medium CVE-2019-13706: Out-of-bounds read in PDFium. Reported
by pdknsk on 2019-09-05
[$1000][859349] Medium CVE-2019-13707: File storage disclosure. Reported by
Andrea Palazzo on 2018-07-01
[$1000][931894] Medium CVE-2019-13708: HTTP authentication spoof. Reported by
Khalil Zhani on 2019-02-13
[$1000][1005218] Medium CVE-2019-13709: File download protection bypass.
Reported by Zhong Zhaochen of andsecurity.cn on 2019-09-18
[$500][756825] Medium CVE-2019-13710: File download protection bypass. Reported
by bernardo.mrod on 2017-08-18
[$500][986063] Medium CVE-2019-13711: Cross-context information leak. Reported
by David Erceg on 2019-07-20
[$500][1004341] Medium CVE-2019-15903: Buffer overflow in expat. Reported by
Sebastian Pipping on 2019-09-16
[$N/A][993288] Medium CVE-2019-13713: Cross-origin data leak. Reported by David
Erceg on 2019-08-13
[$2000][982812] Low CVE-2019-13714: CSS injection. Reported by Jun Kokatsu,
Microsoft Browser Vulnerability Research on 2019-07-10
[$500][760855] Low CVE-2019-13715: Address bar spoofing. Reported by xisigr of
Tencent's Xuanwu Lab on 2017-08-31
[$500][1005948] Low CVE-2019-13716: Service worker state error. Reported by
Barron Hagerman on 2019-09-19
[$N/A][839239] Low CVE-2019-13717: Notification obscured. Reported by xisigr of
Tencent's Xuanwu Lab on 2018-05-03
[$N/A][866162] Low CVE-2019-13718: IDN spoof. Reported by Khalil Zhani on
2018-07-20
[$N/A][927150] Low CVE-2019-13719: Notification obscured. Reported by Khalil
Zhani on 2019-01-31" [1]
MITIGATION
Google advises updating to Chrome 78.0.3904.70 or later to address
these vulnerabilities. [1]
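The check a fleet administrator would want after reading the mitigation above is whether each host is actually at or above 78.0.3904.70. The following is an added example written for this bulletin, not AusCERT's or Google's code: it parses the output of `--version` from a Chrome/Chromium binary and compares the four version components numerically against the fixed version. The list of binary names is an assumption (adjust for your fleet), and the sample version strings in the comments and tests are constructed; the version-component comparison is the point, because a string comparison would wrongly rank 78.0.3904.108 below 78.0.3904.70.

```python
"""Check an installed Chrome/Chromium build against the fixed version named
in this bulletin (78.0.3904.70).

Added example for this bulletin; not AusCERT's or Google's code. The binary
names tried and the sample `--version` outputs in the comments are assumed
or constructed for illustration.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "78.0.3904.70"  # from the bulletin's MITIGATION section

# Matches the dotted MAJOR.MINOR.BUILD.PATCH string in outputs such as
#   "Google Chrome 78.0.3904.70"
#   "Chromium 77.0.3865.120 Built on Ubuntu , running on Ubuntu 18.04"
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the first four-part version tuple from version output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is at or above `fixed`.

    Components are compared as integers, so 78.0.3904.108 ranks above
    78.0.3904.70 even though "108" < "70" as strings. Anything that cannot
    be parsed is treated as NOT patched, so an odd build never passes silently.
    """
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return False
    return inst >= fix


# Binary names/paths to try on Linux and macOS (assumed; adjust for your fleet).
# Windows installs record the version in the chrome.exe file metadata instead,
# so this lookup is Linux/macOS only.
CANDIDATE_BINARIES = (
    "google-chrome",
    "google-chrome-stable",
    "chromium",
    "chromium-browser",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
)


def installed_chrome_version() -> Optional[str]:
    """Return the raw `--version` output of the first Chrome binary found, or None."""
    for name in CANDIDATE_BINARIES:
        path = shutil.which(name)  # also validates absolute paths
        if not path:
            continue
        try:
            out = subprocess.run(
                [path, "--version"], capture_output=True, text=True,
                timeout=10, check=False,
            ).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        if parse_version(out):
            return out.strip()
    return None


if __name__ == "__main__":
    raw = installed_chrome_version()
    if raw is None:
        print("No Chrome/Chromium binary found on this host")
    else:
        status = "OK" if is_patched(raw) else "VULNERABLE (update required)"
        print(f"{raw}: {status}")
```

Run it on each host or feed `parse_version`/`is_patched` the version strings your inventory tool already collects; the comparison is also correct for later releases (79.x and above pass), so the same check can be reused with `FIXED_VERSION` changed for subsequent Chrome bulletins.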
REFERENCES
[1] 78.0.3904.70 Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----