copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » By Operating... » Windows (all) » Windows Serv... » ASB-2010.0237.3 - UPDATE [Win][Linux][OSX] Google Ch...
 

ASB-2010.0237.3 - UPDATE [Win][Linux][OSX] Google Chrome prior to 7.0.517.44: Multiple vulnerabilities
Date: 17 November 2010
References: ESB-2010.1066  ESB-2010.1090  ESB-2010.1166  ESB-2011.0083  ESB-2011.0244  ESB-2011.0275  ESB-2011.0287  
Related Files: ASB-2010.0237   ASB-2010.0237.2  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2010.0237.3
                 Google have released an update for Chrome
                             17 November 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome prior to 7.0.517.44
Operating System:     Windows
                      Linux variants
                      Mac OS X
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-4197 CVE-2010-4198 CVE-2010-4199
                      CVE-2010-4200 CVE-2010-4201 CVE-2010-4202
                      CVE-2010-4203 CVE-2010-4204 CVE-2010-4205
                      CVE-2010-4206 CVE-2010-4008 
Member content until: Sunday, December  5 2010

Revision History:     November 17 2010: Added CVE reference
                      November  8 2010: Added CVE references
                      November  5 2010: Initial Release

OVERVIEW

        Google have released an update for Chrome, correcting several security 
        vulnerabilities.


IMPACT

        The vendor has provided the following information regarding these
        vulnerabilities:
        
           "* [51602] High Use-after-free in text editing. Credit to David 
              Bloom of the Google Security Team, Google Chrome Security Team 
              (Inferno) and Google Chrome Security Team (Cris Neckar).
            * [$1000] [55257] High Memory corruption with enormous text area. 
              Credit to wushi of team509.
            * [$1000] [58657] High Bad cast with the SVG use element. Credit to 
              the kuzzcc.
            * [$1000] [58731] High Invalid memory read in XPath handling. 
              Credit to Bui Quang Minh from Bkis (www.bkis.com).
            * [$500] [58741] High Use-after-free in text control selections. 
              Credit to vkouchna.
            * [$1000] [Linux only] [59320] High Integer overflows in font 
              handling. Credit to Aki Helin of OUSPG.
            * [$1000] [60055] High Memory corruption in libvpx. Credit to 
              Christoph Diehl.
            * [$500] [60238] High Bad use of destroyed frame object. Credit to 
              various developers, including gundlach.
            * [$500] [60327] [60769] [61255] High Type confusions with event 
              objects. Credit to fam.lam and Google Chrome Security Team 
              (Inferno).
            * [$1000] [60688] High Out-of-bounds array access in SVG handling.
              Credit to wushi of team509." [1]


MITIGATION

        The latest version of Google Chrome (currently 7.0.517.44) can be
        downloaded from the vendor's website. [2]
                                                                                
        The update can also be applied from within Google Chrome using 
        the built in update feature.


REFERENCES

        [1] Stable Channel Update
            http://googlechromereleases.blogspot.com/2010/11/stable-channel-update.html

        [2] Google Chrome - Get a fast new browser. For PC, Mac, and Linux
            http://www.google.com/chrome

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFM42Hr/iFOrG6YcBERAoScAKCg+wp/rTnhbaB2BC+tuyMkZ38+4gCdHDzq
4P2s2WXunqP2QGAzjPzv5/Y=
=r3z8
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/13569