Operating System:

[WIN][LINUX][MAC]

Published:

02 June 2016

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ASB-2016.0061 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0061
      Multiple vulnerabilities have been identified in Google Chrome
                                2 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      OS X
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-1703 CVE-2016-1702 CVE-2016-1701
                      CVE-2016-1700 CVE-2016-1699 CVE-2016-1698
                      CVE-2016-1697 CVE-2016-1696 
Member content until: Saturday, July  2 2016

OVERVIEW

        Multiple vulnerabilities have been identified in Google Chrome prior
        to version 51.0.2704.79. [1]


IMPACT

        The vendor has provided the following information about the 
        vulnerabilities:
        
        "This update includes 15 security fixes. Below, we highlight fixes
        that were contributed by external researchers. Please see the 
        Chromium security page for more information.
        
        [$7500][601073] High CVE-2016-1696: Cross-origin bypass in Extension
        bindings. Credit to anonymous.
        
        [$7500][613266] High CVE-2016-1697: Cross-origin bypass in Blink. 
        Credit to Mariusz Mlynski.
        
        [$4000][603725] Medium CVE-2016-1698: Information leak in Extension
        bindings. Credit to Rob Wu.
        
        [$3500][607939] Medium CVE-2016-1699: Parameter sanitization failure
        in DevTools. Credit to Gregory Panakkal.
        
        [$1500][608104] Medium CVE-2016-1700: Use-after-free in Extensions.
        Credit to Rob Wu.
        
        [$1000][608101] Medium CVE-2016-1701: Use-after-free in Autofill. 
        Credit to Rob Wu.
        
        [$1000][609260] Medium CVE-2016-1702: Out-of-bounds read in Skia. 
        Credit to cloudfuzzer.
        
        We would also like to thank all security researchers that worked 
        with us during the development cycle to prevent security bugs from 
        ever reaching the stable channel.
        
        As usual, our ongoing internal security work was responsible for a 
        wide range of fixes:
        
        [616539] CVE-2016-1703: Various fixes from internal audits, fuzzing
        and other initiatives." [1]


MITIGATION

        The vendor recommends updating to the latest version to correct 
        these issues. [1]


REFERENCES

        [1] Stable Channel Update
            googlechromereleases.blogspot.com.au/2016/06/stable-channel-update.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV0/Dvox+lLeg9Ub1AQjJuA/8CkwUd5Q0bKvbIfaj+0yegKeXLguzGPil
NY8aKAYkV/RpMMLmG9OxuWLPSnWogKSl4KdgyPosgz/hNBFjXFikLgqHWLUFOaH6
ge7awPctZ0yjpJPdTNPCQkt6eXUwpc2z4PCWpIZs3rWrQaZw9CJta0RUz34jaeTm
uivsb7bkX59R53w3Ac1nl+xssehybPO7XFKQEHfH143zS/V+WHczxwHtxaKi/bgQ
wWnZ4cbNY20kjtC0ktI6tRH9lhaLV19/4l5YjkCGqNJI6kzIvwmGryM7Wc1Wd5go
tpC5r9GUkjX4E7aJdOggYkrsN6mNxxkC403cAwRTl+U70DFbVru6WSBR8KWHh10s
BKlV9opoK4WcQVkxw8wX6ZlURnYbwrpcTDTp4e5IlSlaqBuOGRQL0kiryV84tp2l
Cth2LIror2ihXSntLZZxkiczffoiK60HbbP366NuuMN2DX0xoNXoEofNUQQ8vjI4
rdaOHyicPGwpFt5JE1KrqeLhkz26j5OMoG1zNEt6QxV2d91cS1rcEFsjtifxk93B
B6oy9xdYg9Ak1mxuymwCPtt1gz0YYtU6WOMxHp/GOc1hvhFPGPlMbQqEPFVg6cdo
Ueqv+m1Ge/IUBo6VHNuS6S+ANWNQdQs0i34En9N0HEGE6Hn6PwAUBmp0qkl6Q/vE
5pfRwWa4tlE=
=AMug
-----END PGP SIGNATURE-----