copyright | disclaimer | privacy | contact

HOME   About AusCERT   Membership   Contact Us   PKI Services   Training   Publications   Sec. Bulletins   Conferences   News & Media   Services   Web Log   Site Map   Site Help   Member login Login »  Become a member »   Home » Security Bul... » By Operating... » Windows (all) » AA-2009.0112 -- [Win] -- chrome: Execute Arbitrary Code   AA-2009.0112 -- [Win] -- chrome: Execute Arbitrary Code Date: 11 May 2009 Click here for printable version -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AA-2009.0112 AUSCERT Advisory [Win] chrome: Execute Arbitrary Code 11 May 2009 - --------------------------------------------------------------------------- AusCERT Advisory Summary ------------------------ Product: Google Chrome Operating System: Windows Impact: Execute Arbitrary Code/Commands Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2009-1441 CVE-2009-1442 Member content until: Monday, June 08 2009 OVERVIEW: Two vulnerabilities have been identified in Google Chrome. IMPACT: The vendor describes the issues as follows: "CVE-2009-1441: Input validation error in the browser process. A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able to run arbitrary code inside the renderer process." [1] "CVE-2009-1442: Integer overflow in Skia 2D graphics. A failure to check the result of integer multiplication when computing image sizes could allow a specially-crafted image or canvas to cause a tab to crash and it might be possible for an attacker to execute arbitrary code inside the (sandboxed) renderer process." [1] MITIGATION: These issues have been corrected in version 1.0.154.64. [2] REFERENCES: [1] Security Fixes http://googlechromereleases.blogspot.com/2009/05/stable-update-security-fix.html [2] Stable Update: Security Fix http://googlechromereleases.blogspot.com/search/label/Stable%20updates AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKB6AzNVH5XJJInbgRAgg2AJ0ZMpFuqi12dq8dwk6knePyto9A+QCcDsws tmQ/+nOTZt0Z8+gB3HBPjGk= =1nJP -----END PGP SIGNATURE-----

Comments? Click here http://www.auscert.org.au/render.html?cid=21&it=10971