===========================================================================
AUSCERT Security Bulletin

ASB-2017.0061
Multiple vulnerabilities have been identified in Google Chrome
20 April 2017
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Google Chrome
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5069 CVE-2017-5067 CVE-2017-5066
                      CVE-2017-5065 CVE-2017-5064 CVE-2017-5063
                      CVE-2017-5062 CVE-2017-5061 CVE-2017-5060
                      CVE-2017-5059 CVE-2017-5058 CVE-2017-5057
Member content until: Saturday, May 20 2017

OVERVIEW

Multiple vulnerabilities have been identified in Google Chrome prior to
version 58.0.3029.81. [1]

IMPACT

The vendor has provided the following details regarding the
vulnerabilities:

"[$3000][695826] High CVE-2017-5057: Type confusion in PDFium. Credit to
Guang Gong of Alpha Team, Qihoo 360

[$2000][694382] High CVE-2017-5058: Heap use after free in Print Preview.
Credit to Khalil Zhani

[$N/A][684684] High CVE-2017-5059: Type confusion in Blink. Credit to
SkyLined working with Trend Micro's Zero Day Initiative

[$2000][683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to
Xudong Zheng

[$2000][672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to
Haosheng Wang (@gnehsoah)

[$1500][702896] Medium CVE-2017-5062: Use after free in Chrome Apps.
Credit to anonymous

[$1000][700836] Medium CVE-2017-5063: Heap overflow in Skia. Credit to
Sweetchip

[$1000][693974] Medium CVE-2017-5064: Use after free in Blink. Credit to
Wadih Matar

[$500][704560] Medium CVE-2017-5065: Incorrect UI in Blink. Credit to
Khalil Zhani

[$500][690821] Medium CVE-2017-5066: Incorrect signature handling in
Networking. Credit to chenchu

[$500][648117] Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to
Khalil Zhani

[$N/A][691726] Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to
Michael Reizelman" [1]

MITIGATION

The vendor advises users to upgrade to the latest version to fix these
issues. [1]

REFERENCES

[1] Stable Channel Update for Desktop
    https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================