-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2019.0079
               Google Chrome 73.0.3683.75 released
                           15 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Google Chrome
Operating System:  Windows
                   Linux variants
                   Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5804 CVE-2019-5803 CVE-2019-5802 CVE-2019-5801
                   CVE-2019-5800 CVE-2019-5799 CVE-2019-5798 CVE-2019-5797
                   CVE-2019-5796 CVE-2019-5795 CVE-2019-5794 CVE-2019-5793
                   CVE-2019-5792 CVE-2019-5791 CVE-2019-5790 CVE-2019-5789
                   CVE-2019-5788 CVE-2019-5787
Member content until: Sunday, April 14 2019

OVERVIEW

        Multiple security vulnerabilities have been addressed in Google
        Chrome 73.0.3683.75. [1]

IMPACT

        The vendor has provided the following information:

        "This update includes 60 security fixes. Below, we highlight fixes
        that were contributed by external researchers. Please see the
        Chrome Security Page for more information.

        [$TBD][913964] High CVE-2019-5787: Use after free in Canvas.
        Reported by Zhe Jin, Luyao Liu from Chengdu Security Response
        Center of Qihoo 360 Technology Co. Ltd on 2018-12-11

        [$N/A][925864] High CVE-2019-5788: Use after free in FileAPI.
        Reported by Mark Brand of Google Project Zero on 2019-01-28

        [$N/A][921581] High CVE-2019-5789: Use after free in WebMIDI.
        Reported by Mark Brand of Google Project Zero on 2019-01-14

        [$7500][914736] High CVE-2019-5790: Heap buffer overflow in V8.
        Reported by Dimitri Fourny (Blue Frost Security) on 2018-12-13

        [$1000][926651] High CVE-2019-5791: Type confusion in V8.
        Reported by Choongwoo Han of Naver Corporation on 2019-01-30

        [$500][914983] High CVE-2019-5792: Integer overflow in PDFium.
        Reported by pdknsk on 2018-12-13

        [$TBD][937487] Medium CVE-2019-5793: Excessive permissions for
        private API in Extensions. Reported by Jun Kokatsu, Microsoft
        Browser Vulnerability Research on 2019-03-01

        [$TBD][935175] Medium CVE-2019-5794: Security UI spoofing.
        Reported by Juno Im of Theori on 2019-02-24

        [$N/A][919643] Medium CVE-2019-5795: Integer overflow in PDFium.
        Reported by pdknsk on 2019-01-07

        [$N/A][918861] Medium CVE-2019-5796: Race condition in Extensions.
        Reported by Mark Brand of Google Project Zero on 2019-01-03

        [$N/A][916523] Medium CVE-2019-5797: Race condition in DOMStorage.
        Reported by Mark Brand of Google Project Zero on 2018-12-19

        [$N/A][883596] Medium CVE-2019-5798: Out of bounds read in Skia.
        Reported by Tran Tien Hung (@hungtt28) of Viettel Cyber Security
        on 2018-09-13

        [$1000][905301] Medium CVE-2019-5799: CSP bypass with blob URL.
        Reported by sohalt on 2018-11-14

        [$1000][894228] Medium CVE-2019-5800: CSP bypass with blob URL.
        Reported by Jun Kokatsu (@shhnjk) on 2018-10-10

        [$500][921390] Medium CVE-2019-5801: Incorrect Omnibox display on
        iOS. Reported by Khalil Zhani on 2019-01-13

        [$500][632514] Medium CVE-2019-5802: Security UI spoofing.
        Reported by Ronni Skansing on 2016-07-28

        [$1000][909865] Low CVE-2019-5803: CSP bypass with Javascript URLs.
        Reported by Andrew Comminos of Facebook on 2018-11-28

        [$500][933004] Low CVE-2019-5804: Command line command injection
        on Windows. Reported by Joshua Graham of TSS on 2019-02-17" [1]

MITIGATION

        Google advises updating to Google Chrome 73.0.3683.75 or later to
        address these vulnerabilities. [1]

REFERENCES

        [1] Stable Channel Update for Desktop 73.0.3683.75
            https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXIq3rmaOgq3Tt24GAQh52w/7BCLmvcx1PzbvXCCOmNOou7OVohwZiA3X
GeMJN2Gu4p3yBkakY5qtoddb1jOOuYtfnfQ+/4Se9cmaMIYR1W3AIqMzzGi3Q0tl
Y19Agjja1OTrWib8Dru5JSGdmsZ6hjC28FUPruOTgYVxkhmJzr8rKazOBRBL0UFY
P2etqm2c93rm4g3MM4Iz9Bv8CFm0o9H6Rwd2CeN+pvyRTXAPTJP7bBaqnM2gNYbH
e4bwrQkA3az6yP94uo4L95f67rV1anWwHIR7nsQhFnUukGjRRxrZ7ejm4i1UmkmG
XELWhjz9znKrukXuv1Ghq7US8wxwjIkBPSEaKTYzrk1QQAqUlniU2E9r4e2Vi4eu
9D/wF/MWAJYlbjf92Nvk5BvVCZYAiBT5C5Gfsm5jbWUqCiEPIC5B5THL9ET0xX7E
l5FVbyE34WF3aAxGXKPa7OAYsPtQm4LXz/cHrVpMTOuPWSgRzgeSD3ZxhuEv20bG
RiPi9InKzQmT5YGgGxmwLFrZB51wlaDfCKIFI6tZvRDqC2Tt7xuXoBwyCVh2SkXp
8fbUSvKwiFA4QZ5F9gc8tT7nfzgR8pLZLXkIOrTCkjZK6qW6Y6BvoKcfzP3s/iHT
ZxLciln13OlQNo5hJ9uSOu17LE5RtM+GXXqzFc8MbFghq2b64f3ukhFwlCYejyH7
Gh3lP8H8lAc=
=Q/uI
-----END PGP SIGNATURE-----
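The MITIGATION section above says the fix is to run 73.0.3683.75 or later. Deciding "or later" correctly across a fleet is where checks usually go wrong: a plain string comparison puts "100.0.4896.60" below "73.0.3683.75". The following is an added example written for this bulletin, not AusCERT or Google code: it parses the version out of the text Chrome prints, compares it numerically against the fixed release, and triages a constructed inventory. The binary names tried for the local check, the host names and the version strings in the sample inventory are assumptions.

```python
"""Check installed Google Chrome builds against the fixed release named in
ASB-2019.0079 (73.0.3683.75).

Added example for this bulletin; not AusCERT or Google code. The binary
names, host names and sample version strings below are assumptions.
"""
import re
import subprocess
from typing import Iterable, Optional, Tuple

FIXED_VERSION = "73.0.3683.75"  # from the bulletin's MITIGATION section

# Dotted version with two to four numeric components, e.g. 73.0.3683.75
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the dotted version out of strings such as
    'Google Chrome 73.0.3683.75' or 'Chromium 73.0.3683.86 Built on Ubuntu'
    and return it as a tuple of ints, padded to four components, so that
    100.x sorts above 73.x (string comparison gets this wrong: '100' < '73')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is the fixed release or any later one."""
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version(
    candidates: Iterable[str] = ("google-chrome", "google-chrome-stable",
                                 "chromium", "chromium-browser"),
) -> Optional[str]:
    """Ask the usual Linux browser binaries (assumed names) for --version.
    Returns None when none is present. On Windows and macOS the version is
    read from the install directory instead; that path is not covered here."""
    for exe in candidates:
        try:
            out = subprocess.run([exe, "--version"], capture_output=True,
                                 text=True, timeout=10, check=False)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


def triage(inventory):
    """Map (host, version output) pairs to patched / VULNERABLE / unknown."""
    report = {}
    for host, text in inventory:
        try:
            report[host] = "patched" if is_patched(text) else "VULNERABLE"
        except ValueError:
            report[host] = "unknown"   # no parsable version in the output
    return report


# Constructed sample inventory for illustration; not real hosts.
SAMPLE_INVENTORY = [
    ("ws01", "Google Chrome 73.0.3683.75"),          # exactly the fixed build
    ("ws02", "Google Chrome 72.0.3626.121"),         # previous stable, needs update
    ("ws03", "Google Chrome 100.0.4896.60"),         # later major; string compare would flag it
    ("ws04", "Chromium 73.0.3683.86 Built on Ubuntu"),
    ("ws05", "no browser installed"),
]

if __name__ == "__main__":
    local = installed_chrome_version()
    if local:
        print(local, "->", "patched" if is_patched(local) else "VULNERABLE")
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run it on a Linux host to check the local browser, or feed `triage()` the `--version` output collected from endpoints by whatever inventory tooling is in use. The numeric tuple comparison is the point worth keeping: any check that compares version strings lexically will misreport every release from Chrome 100 onward as older than 73.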