===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0061
      Multiple vulnerabilities have been identified in Google Chrome
                               20 April 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5069 CVE-2017-5067 CVE-2017-5066
                      CVE-2017-5065 CVE-2017-5064 CVE-2017-5063
                      CVE-2017-5062 CVE-2017-5061 CVE-2017-5060
                      CVE-2017-5059 CVE-2017-5058 CVE-2017-5057
Member content until: Saturday, May 20 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Google Chrome prior
        to version 58.0.3029.81. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "[$3000][695826] High CVE-2017-5057: Type confusion in PDFium. 
        Credit to Guang Gong of Alpha Team, Qihoo 360
        
        [$2000][694382] High CVE-2017-5058: Heap use after free in Print 
        Preview. Credit to Khalil Zhani
        
        [$N/A][684684] High CVE-2017-5059: Type confusion in Blink. Credit 
        to SkyLined working with Trend Micro's Zero Day Initiative
        
        [$2000][683314] Medium CVE-2017-5060: URL spoofing in Omnibox. 
        Credit to Xudong Zheng
        
        [$2000][672847] Medium CVE-2017-5061: URL spoofing in Omnibox. 
        Credit to Haosheng Wang (@gnehsoah)
        
        [$1500][702896] Medium CVE-2017-5062: Use after free in Chrome Apps.
        Credit to anonymous
        
        [$1000][700836] Medium CVE-2017-5063: Heap overflow in Skia. Credit
        to Sweetchip
        
        [$1000][693974] Medium CVE-2017-5064: Use after free in Blink. 
        Credit to Wadih Matar
        
        [$500][704560] Medium CVE-2017-5065: Incorrect UI in Blink. Credit 
        to Khalil Zhani
        
        [$500][690821] Medium CVE-2017-5066: Incorrect signature handling in
        Networking. Credit to chenchu
        
        [$500][648117] Medium CVE-2017-5067: URL spoofing in Omnibox. Credit
        to Khalil Zhani
        
        [$N/A][691726] Low CVE-2017-5069: Cross-origin bypass in Blink. 
        Credit to Michael Reizelman" [1]


MITIGATION

        The vendor advises users to upgrade to the latest version to fix 
        these issues. [1]


REFERENCES

        [1] Stable Channel Update for Desktop
            https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================