-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT Security Bulletin

ASB-2014.0078
A number of vulnerabilities have been identified in Google Chrome
18 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      OS X
                      Linux variants
                      Android
Impact/Access:        Provide Misleading Information -- Remote with User Interaction
                      Unauthorised Access            -- Remote with User Interaction
                      Reduced Security               -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3162 CVE-2014-3161 CVE-2014-3160
                      CVE-2014-3159
Member content until: Sunday, August 17 2014

OVERVIEW

        A number of vulnerabilities have been identified in Google Chrome
        for Windows, Mac and Linux prior to version 36.0.1985.125 and
        Google Chrome for Android prior to version 36.0.1985.122. [1, 2]

IMPACT

        The vendor has provided the following details regarding these
        issues:

        Chrome for Windows, Mac and Linux:

        "This update includes 26 security fixes. Below, we highlight fixes
        that were either contributed by external researchers or
        particularly interesting. Please see the Chromium security page
        for more information.

        [$2000][380885] Medium CVE-2014-3160: Same-Origin-Policy bypass in
        SVG. Credit to Christian Schneider.

        As usual, our ongoing internal security work responsible for a
        wide range of fixes:

        [393765] CVE-2014-3162: Various fixes from internal audits,
        fuzzing and other initiatives.

        Many of the above bugs were detected using AddressSanitizer." [1]

        Chrome for Android:

        "[$3000][352083] High CVE-2014-3159: Omnibox URL Spoofing
        (Android). Credit to Keita Haga.

        [334204] Medium CVE-2014-3161: Same origin policy bypass
        (Android). Credit to Håvard Molland from Opera" [2]

MITIGATION

        The vendor recommends updating to the latest versions of Google
        Chrome to correct these issues. [1, 2]

REFERENCES

        [1] Stable Channel Update
            http://googlechromereleases.blogspot.com.au/2014/07/stable-channel-update.html

        [2] Chrome for Android Update
            http://googlechromereleases.blogspot.com.au/2014/07/chrome-for-android-update.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----