Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0079
Google Chrome 73.0.3683.75 released
15 March 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Chrome
Operating System: Windows
Linux variants
Mac OS
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Privileged Data -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-5804 CVE-2019-5803 CVE-2019-5802
CVE-2019-5801 CVE-2019-5800 CVE-2019-5799
CVE-2019-5798 CVE-2019-5797 CVE-2019-5796
CVE-2019-5795 CVE-2019-5794 CVE-2019-5793
CVE-2019-5792 CVE-2019-5791 CVE-2019-5790
CVE-2019-5789 CVE-2019-5788 CVE-2019-5787
Member content until: Sunday, April 14 2019
OVERVIEW
Multiple security vulnerabilities have been addressed in
Google Chrome 73.0.3683.75. [1]
IMPACT
The vendor has provided the following information:
"This update includes 60 security fixes. Below, we highlight fixes that were
contributed by external researchers. Please see the Chrome Security Page for
more information.
[$TBD][913964] High CVE-2019-5787: Use after free in Canvas. Reported by Zhe
Jin, Luyao Liu from Chengdu Security Response Center of Qihoo
360 Technology Co. Ltd on 2018-12-11
[$N/A][925864] High CVE-2019-5788: Use after free in FileAPI. Reported by Mark
Brand of Google Project Zero on 2019-01-28
[$N/A][921581] High CVE-2019-5789: Use after free in WebMIDI. Reported by Mark
Brand of Google Project Zero on 2019-01-14
[$7500][914736] High CVE-2019-5790: Heap buffer overflow in V8. Reported by
Dimitri Fourny (Blue Frost Security) on 2018-12-13
[$1000][926651] High CVE-2019-5791: Type confusion in V8. Reported by Choongwoo
Han of Naver Corporation on 2019-01-30
[$500][914983] High CVE-2019-5792: Integer overflow in PDFium. Reported by
pdknsk on 2018-12-13
[$TBD][937487] Medium CVE-2019-5793: Excessive permissions for private API in
Extensions. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research
on 2019-03-01
[$TBD][935175] Medium CVE-2019-5794: Security UI spoofing. Reported by Juno Im
of Theori on 2019-02-24
[$N/A][919643] Medium CVE-2019-5795: Integer overflow in PDFium. Reported by
pdknsk on 2019-01-07
[$N/A][918861] Medium CVE-2019-5796: Race condition in Extensions. Reported by
Mark Brand of Google Project Zero on 2019-01-03
[$N/A][916523] Medium CVE-2019-5797: Race condition in DOMStorage. Reported by
Mark Brand of Google Project Zero on 2018-12-19
[$N/A][883596] Medium CVE-2019-5798: Out of bounds read in Skia. Reported by
Tran Tien Hung (@hungtt28) of Viettel Cyber Security on 2018-09-13
[$1000][905301] Medium CVE-2019-5799: CSP bypass with blob URL. Reported by
sohalt on 2018-11-14
[$1000][894228] Medium CVE-2019-5800: CSP bypass with blob URL. Reported by Jun
Kokatsu (@shhnjk) on 2018-10-10
[$500][921390] Medium CVE-2019-5801: Incorrect Omnibox display on iOS. Reported
by Khalil Zhani on 2019-01-13
[$500][632514] Medium CVE-2019-5802: Security UI spoofing. Reported by Ronni
Skansing on 2016-07-28
[$1000][909865] Low CVE-2019-5803: CSP bypass with Javascript URLs'. Reported
by Andrew Comminos of Facebook on 2018-11-28
[$500][933004] Low CVE-2019-5804: Command line command injection on Windows.
Reported by Joshua Graham of TSS on 2019-02-17" [1]
MITIGATION
Google advises updating to Google Chrome 73.0.3683.75 or later
to address these vulnerabilities. [1]
REFERENCES
[1] Stable Channel Update for Desktop 73.0.3683.75
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXIq3rmaOgq3Tt24GAQh52w/7BCLmvcx1PzbvXCCOmNOou7OVohwZiA3X
GeMJN2Gu4p3yBkakY5qtoddb1jOOuYtfnfQ+/4Se9cmaMIYR1W3AIqMzzGi3Q0tl
Y19Agjja1OTrWib8Dru5JSGdmsZ6hjC28FUPruOTgYVxkhmJzr8rKazOBRBL0UFY
P2etqm2c93rm4g3MM4Iz9Bv8CFm0o9H6Rwd2CeN+pvyRTXAPTJP7bBaqnM2gNYbH
e4bwrQkA3az6yP94uo4L95f67rV1anWwHIR7nsQhFnUukGjRRxrZ7ejm4i1UmkmG
XELWhjz9znKrukXuv1Ghq7US8wxwjIkBPSEaKTYzrk1QQAqUlniU2E9r4e2Vi4eu
9D/wF/MWAJYlbjf92Nvk5BvVCZYAiBT5C5Gfsm5jbWUqCiEPIC5B5THL9ET0xX7E
l5FVbyE34WF3aAxGXKPa7OAYsPtQm4LXz/cHrVpMTOuPWSgRzgeSD3ZxhuEv20bG
RiPi9InKzQmT5YGgGxmwLFrZB51wlaDfCKIFI6tZvRDqC2Tt7xuXoBwyCVh2SkXp
8fbUSvKwiFA4QZ5F9gc8tT7nfzgR8pLZLXkIOrTCkjZK6qW6Y6BvoKcfzP3s/iHT
ZxLciln13OlQNo5hJ9uSOu17LE5RtM+GXXqzFc8MbFghq2b64f3ukhFwlCYejyH7
Gh3lP8H8lAc=
=Q/uI
-----END PGP SIGNATURE-----