Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2019.0044 Stable Channel Update for Desktop 31 January 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Chrome Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-5782 CVE-2019-5781 CVE-2019-5780 CVE-2019-5779 CVE-2019-5778 CVE-2019-5777 CVE-2019-5776 CVE-2019-5775 CVE-2019-5774 CVE-2019-5773 CVE-2019-5772 CVE-2019-5771 CVE-2019-5770 CVE-2019-5769 CVE-2019-5768 CVE-2019-5767 CVE-2019-5766 CVE-2019-5765 CVE-2019-5764 CVE-2019-5763 CVE-2019-5762 CVE-2019-5761 CVE-2019-5760 CVE-2019-5759 CVE-2019-5758 CVE-2019-5757 CVE-2019-5756 CVE-2019-5755 CVE-2019-5754 Member content until: Saturday, March 2 2019 OVERVIEW Mutliple vulnerabilities have been addressed in Google Chrome for Windows, Mac and Linux version 72.0.3626.81. [1] IMPACT Google has provided the following summary: "[$7500][914497] Critical CVE-2019-5754: Inappropriate implementation in QUIC Networking. Reported by Klzgrad on 2018-12-12 [$N/A][906043] High CVE-2019-5782: Inappropriate implementation in V8. Reported by Qixun Zhao of Qihoo 360 Vulcan Team via Tianfu Cup on 2018-11-16 [$5000][913296] High CVE-2019-5755: Inappropriate implementation in V8. Reported by Jay Bosamiya on 2018-12-10 [$5000][895152] High CVE-2019-5756: Use after free in PDFium. Reported by Anonymous on 2018-10-14 [$3000][915469] High CVE-2019-5757: Type Confusion in SVG. Reported by Alexandru Pitis, Microsoft Browser Vulnerability Research on 2018-12-15 [$3000][913970] High CVE-2019-5758: Use after free in Blink. Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-11 [$3000][912211] High CVE-2019-5759: Use after free in HTML select elements. Reported by Almog Benin on 2018-12-05 [$3000][912074] High CVE-2019-5760: Use after free in WebRTC. Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-05 [$3000][904714] High CVE-2019-5761: Use after free in SwiftShader. Reported by Zhe Jin,Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-13 [$3000][900552] High CVE-2019-5762: Use after free in PDFium. Reported by Anonymous on 2018-10-31 [$1000][914731] High CVE-2019-5763: Insufficient validation of untrusted input in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-12-13 [$1000][913246] High CVE-2019-5764: Use after free in WebRTC. Reported by Eyal Itkin from Check Point Software Technologies on 2018-12-09 [$N/A][922677] High: Use after free in FileAPI. Reported by Mark Brand of Google Project Zero on 2019-01-16 [$TBD][922627] High CVE-2019-5765: Insufficient policy enforcement in the browser. Reported by Sergey Toshin (@bagipro) on 2019-01-16 [$N/A][916080] High: Use after free in Mojo interface. Reported by Mark Brand of Google Project Zero on 2018-12-18 [$N/A][912947] High: Use after free in Payments. Reported by Mark Brand of Google Project Zero on 2018-12-07 [$N/A][912520] High: Use after free in Mojo interface. Reported by Mark Brand of Google Project Zero on 2018-12-06 [$N/A][899689] High: Stack buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-10-29 [$4000][907047] Medium CVE-2019-5766: Insufficient policy enforcement in Canvas. Reported by David Erceg on 2018-11-20 [$2000][902427] Medium CVE-2019-5767: Incorrect security UI in WebAPKs. Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao from Indiana University Bloomington on 2018-11-06 [$2000][805557] Medium CVE-2019-5768: Insufficient policy enforcement in DevTools. Reported by Rob Wu on 2018-01-24 [$1000][913975] Medium CVE-2019-5769: Insufficient validation of untrusted input in Blink. Reported by Guy Eshel on 2018-12-11 [$1000][908749] Medium CVE-2019-5770: Heap buffer overflow in WebGL. Reported by hemidallt@ on 2018-11-27 [$1000][904265] Medium CVE-2019-5771: Heap buffer overflow in SwiftShader. Reported by Zhe Jin,Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-12 [$500][908292] Medium CVE-2019-5772: Use after free in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-11-26 [$N/A][917668] Medium CVE-2019-5773: Insufficient data validation in IndexedDB. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2018-12-24 [$N/A][904182] Medium CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing. Reported by Junghwan Kang (ultract) and Juno Im on 2018-11-11 [$N/A][896722] Medium CVE-2019-5775: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18 [$N/A][863663] Medium CVE-2019-5776: Insufficient policy enforcement in Omnibox. Reported by Lnyas Zhang on 2018-07-14 [$N/A][849421] Medium CVE-2019-5777: Insufficient policy enforcement in Omnibox. Reported by Khalil Zhani on 2018-06-04 [$500][918470] Low CVE-2019-5778: Insufficient policy enforcement in Extensions. Reported by David Erceg on 2019-01-02 [$500][904219] Low CVE-2019-5779: Insufficient policy enforcement in ServiceWorker. Reported by David Erceg on 2018-11-11 [$500][891697] Low CVE-2019-5780: Insufficient policy enforcement. Reported by Andreas Hegenberg (folivora.AI GmbH) on 2018-10-03 [$N/A][896725] Low CVE-2019-5781: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili" [1] MITIGATION The vendor advises updating to Chrome 72.0.3626.81 to address these issues. [1] REFERENCES [1] Stable Channel Update for Desktop https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXFJp/maOgq3Tt24GAQhGXxAAo+OdFw1du9euQHkruINJ0fKsnL1G9pd0 jCTfAs95HxLV4cknEPXdHkFN0wcf3Cuh/ESxK3SIOuhF3+g5V57+iydyn30LZF9P N82jSC55eauJEj8VaeAz0oktwPT95WylGj8sEDjKb1A4ypCTb6HmsgFUosOq3Hne gZhmJOgqL28rNy9yV4Fnf4mn5irILENOTYOf5RvwsZJi6bJQ27rcNJEdFDxnvCfi XI/65dZAutrTv24bpNJts5PBZaRiRO0kwWv727cOP0y0K4rm914I7BqgPuFvAQ45 0MtCJFSUVUL3EplzgBGX66/lkhb2gGQSqgQTs2OTdjNdYfFgXKO014BowbOf9TXw D+xQNtHose5pD9ptWnu0W3WdDR6Z0oJT3lLCOVT3KY+beOfgmXH5m3cdZROYpIIw oRTrhGsrh6K+QGYsguZxbHhyT2VDkoBfVrpNjYbAiFqP9bY973TXDkAWBuXu0ZxR uQz3Z3FKc3EERpAHnqq363xzkKedutDjJeZ+aG2+vwpqywTLs4zOyXkqIeBXcXUL DejfZPyvq4eRGPosFpc169AiYfNCpTKEtr5Ks/+xN3/qQsoKodIO8F9Sp6HHwgqg s1Fq4GiUYzvhyjmiez8Eg0fiFy9S3r/B9UlXFujW7Rt34YJbViwFODrbuN1DEUbb ORxnTmTjZ/Q= =9xvv -----END PGP SIGNATURE-----