----------------------------------------------------------------------

SC World Congress, New York, USA, 16 November 2011

Visit the Secunia booth (#203) and discover how you can improve your
handling of third party programs:

http://secunia.com/resources/events/sc_2011/

----------------------------------------------------------------------

TITLE:
Google Chrome Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA46049

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46049/

Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46049

RELEASE DATE:
2011-09-19

DISCUSS ADVISORY:
http://secunia.com/advisories/46049/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/46049/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=46049

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
A security issue and some vulnerabilities have been reported in Google
Chrome, where some have an unknown impact and others can be exploited by
malicious people to conduct spoofing and cross-site scripting attacks,
disclose sensitive information, bypass certain security restrictions, and
compromise a user's system.

1) A race condition exists within the certificate cache.

2) An error within the Windows Media Player plugin can lead to unintended
access to system Flash.

3) An error exists within the v8 script object wrappers.
4) An unspecified error can be exploited to display arbitrary content
while showing the URL of a trusted web site in the address bar.

5) An error in the garbage collection component of the PDF plugin can be
exploited to corrupt memory.

6) The security issue is caused due to the Mac installer creating lock
files in an insecure manner.

NOTE: This only affects the Mac version.

7) An error within media buffers can be exploited to cause an
out-of-bounds read.

8) A use-after-free error exists within unload event handling.

9) A use-after-free error exists within the document loader.

10) An unspecified error when handling the forward button can be
exploited to display arbitrary content while showing the URL of a trusted
web site in the address bar.

11) An error within box handling can be exploited to cause an
out-of-bounds read.

12) An error within the handling of Khmer characters can be exploited to
cause an out-of-bounds read.

13) An error within video handling can be exploited to cause an
out-of-bounds read.

14) An off-by-one error exists within v8.

15) A use-after-free error exists within the plug-in handler.

16) A use-after-free error exists within ruby and table style handling.

17) An error within stylesheet handling can lead to a stale node.

18) An unspecified error within v8 can be exploited to violate the
cross-origin policy.

19) A use-after-free error exists within the focus controller.

20) A double free error exists within the handling of libxml XPath.

21) An unspecified error can lead to incorrect permissions being assigned
to non-gallery pages.

22) A use-after-free error exists within table style handling.

23) An error within the PDF component can lead to a bad string read.

24) An unspecified error can lead to unintended access of v8 built-in
objects.

25) An error when handling Tibetan characters can be exploited to cause
an out-of-bounds read.

26) An error when handling triangle arrays can be exploited to cause an
out-of-bounds read.
27) A type confusion error exists within v8 object sealing.

SOLUTION:
Upgrade to version 14.0.835.163.

PROVIDED AND/OR DISCOVERED BY:
5) Mario Gomes (C4SS!0 G0M3S).
10) Jordi Chancel.

The vendor credits:
1) Ryan Sleevi, Chromium development community.
2) electronixtar.
3, 7) Kostya Serebryany, Chromium development community.
4) kuzzcc.
6) Aaron Sigel, vtty.com.
8, 17) Arthur Gerkis.
9, 11, 12, 19, 22) miaubiz.
13, 25, 26) Inferno, Google Chrome Security Team.
14, 27) Christian Holler.
15) SkyLined, Google Chrome Security Team.
16) Slawomir Blazek, miaubiz, and Inferno, Google Chrome Security Team.
18) Daniel Divricean.
20) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences.
21) Bernhard 'Bruhns' Brehm, Recurity Labs.
23) Aki Helin, OUSPG.
24) Sergey Glazunov.

ORIGINAL ADVISORY:
Google:
http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html

Jordi Chancel:
http://www.alternativ-testing.fr/blog/index.php?post/2011/Google-Chrome-Webkit-URL-Bar-Spoofing-SSL/TLS-Spoofing

Mario Gomes:
http://net-fuzzer.blogspot.com/2011/10/google-chrome-140835163-pdf-file.html

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help private
users keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking
the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------