----------------------------------------------------------------------


http://secunia.com/research/

http://secunia.com/company/jobs/open_positions/reverse_engineer


----------------------------------------------------------------------

TITLE:
Google Chrome Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA44375

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44375/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44375

RELEASE DATE:
2011-04-29

DISCUSS ADVISORY:
http://secunia.com/advisories/44375/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/44375/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=44375

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
Some vulnerabilities have been reported in Google Chrome, which can
be exploited by malicious people to bypass certain security
restrictions, disclose potentially sensitive information, conduct
spoofing attacks, and potentially compromise a user's system.

1) An unspecified error related to a stale pointer exists within the
handling of floating objects.

2) A linked-list race condition exists within the database handling.

Note: This vulnerability only affects the Linux and Mac versions.

3) The MIME handling does not properly ensure thread safety.

4) An extension with "tabs" permission can gain access to local
files.

5) An integer overflow error exists within the float rendering.

6) An error related to blobs can be exploited to violate the same
origin policy.

7) An unspecified error can be exploited to cause an interference
between renderer processes.

Note: This vulnerability only affects the Linux version.

8) A use-after-free error exists within the handling of "<ruby>" tags
and CSS.

9) A casting error exists within then handling of floating select
lists.

10) An error related to mutation events can be exploited to corrupt
node trees.

11) An unspecified error related to stale pointers exists in the
layering code.

12) A race condition error exists within the sandbox launcher.

Note: This vulnerability only affects the Linux version.

13) Interrupted loads and navigation errors can be leveraged to spoof
the URL bar.

14) An unspecified error related to a stale pointer exists within the
handling of drop-down lists.

15) An unspecified error related to a stale pointer exists within the
height calculations.

16) A use-after-free error exists within the handling of WebSockets. 
  

17) An error related to dangling pointers exists within the handling
of file dialogs.

18) An error related to dangling pointers exists within the handling
of DOM id maps.

19) Redirects and manual reloads can be exploited to spoof the URL
bar.

20) A use-after-free error exists within the handling of DOM ids.

21) An error related to stale pointers exists within the handling of
PDF forms.

SOLUTION:
Upgrade to version 11.0.696.57.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Chromium Development Community (Scott Hess) and Martin Barbella
2) Chromium Development Community (Kostya Serebryany)
3) Aki Helin
4) Cole Snodgrass
5, 14) miaubiz
6, 13, 17) kuzzcc
7) Google Security Team (Julien Tinnes)
8) Jose A. Vazquez
9) Michael Griffiths
10) Sergey Glazunov and wushi, team 509.
11) Martin Barbella
12) Dan Rosenberg
15) wushi, team 509
16) Marek Majkowski
18, 20) Sergey Glazunov
19) Jordi Chancel
21) Chromium Development Community (Eric Roman)

ORIGINAL ADVISORY:
Google Chrome:
http://googlechromereleases.blogspot.com/2011/04/chrome-stable-update.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-139/
http://www.zerodayinitiative.com/advisories/ZDI-11-140/

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------