05 March 2013
===========================================================================
AUSCERT Security Bulletin

ASB-2013.0035
A number of vulnerabilities have been identified in Google Chrome
5 March 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      Linux variants
                      OS X
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0911 CVE-2013-0910 CVE-2013-0909
                      CVE-2013-0908 CVE-2013-0907 CVE-2013-0906
                      CVE-2013-0905 CVE-2013-0904 CVE-2013-0903
                      CVE-2013-0902
Member content until: Thursday, April 4 2013

OVERVIEW

A number of vulnerabilities have been identified in Google Chrome prior
to versions 25.0.1364.152 for Windows, Linux and Mac.

IMPACT

The vendor has provided the following details regarding these
vulnerabilities:

"[$1000] High CVE-2013-0902: Use-after-free in frame loader. Credit to Chamal de Silva.
[$1000] High CVE-2013-0903: Use-after-free in browser navigation handling. Credit to “chromium.khalil”.
[$2000] High CVE-2013-0904: Memory corruption in Web Audio. Credit to Atte Kettunen of OUSPG.
[$1000] High CVE-2013-0905: Use-after-free with SVG animations. Credit to Atte Kettunen of OUSPG.
High CVE-2013-0906: Memory corruption in Indexed DB. Credit to Google Chrome Security Team (Jüri Aedla).
Medium CVE-2013-0907: Race condition in media thread handling. Credit to Andrew Scherkus of the Chromium development community.
Medium CVE-2013-0908: Incorrect handling of bindings for extension processes.
Low CVE-2013-0909: Referer leakage with XSS Auditor. Credit to Egor Homakov.
Medium CVE-2013-0910: Mediate renderer -> browser plug-in loads more strictly. Credit to Google Chrome Security Team (Chris Evans).
High CVE-2013-0911: Possible path traversal in database handling. Credit to Google Chrome Security Team (Jüri Aedla)."

MITIGATION

The vendor recommends updating to the latest version of Google Chrome
to correct these issues.

REFERENCES

Stable Channel Update
http://googlechromereleases.blogspot.com.au/2013/03/stable-channel-update_4.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================