-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0078
     A number of vulnerabilities have been identified in Google Chrome
                               18 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      OS X
                      Linux variants
                      Android
Impact/Access:        Provide Misleading Information -- Remote with User Interaction
                      Unauthorised Access            -- Remote with User Interaction
                      Reduced Security               -- Unknown/Unspecified         
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3162 CVE-2014-3161 CVE-2014-3160
                      CVE-2014-3159  
Member content until: Sunday, August 17 2014

OVERVIEW

        A number of vulnerabilities have been identified in Google Chrome for
        Windows, Mac and Linux prior to version 36.0.1985.125 and Google Chrome
        for Android prior to version 36.0.1985.122. [1, 2]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        Chrome for Windows, Mac and Linux: "This update includes 26 security
        fixes. Below, we highlight fixes that were either contributed by 
        external researchers or particularly interesting.
        
        Please see the Chromium security page for more information.
        
        [$2000][380885] Medium CVE-2014-3160: Same-Origin-Policy bypass in 
        SVG. Credit to Christian Schneider.
        
        As usual, our ongoing internal security work was responsible for a
        wide range of fixes:
        
        [393765] CVE-2014-3162: Various fixes from internal audits, fuzzing
        and other initiatives.
        
        Many of the above bugs were detected using AddressSanitizer." [1]
        
        Chrome for Android: "[$3000][352083] High CVE-2014-3159: Omnibox 
        URL Spoofing (Android). Credit to Keita Haga.
        
        [334204] Medium CVE-2014-3161: Same origin policy bypass (Android).
        Credit to Håvard Molland from Opera" [2]


MITIGATION

        The vendor recommends updating to the latest versions of Google
        Chrome to correct these issues. [1, 2]


REFERENCES

        [1] Stable Channel Update
            http://googlechromereleases.blogspot.com.au/2014/07/stable-channel-update.html

        [2] Chrome for Android Update
            http://googlechromereleases.blogspot.com.au/2014/07/chrome-for-android-update.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----