===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0225
             Google Chrome: Stable Channel Update for Desktop
                                31 July 2019
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Chrome
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-5865 CVE-2019-5864 CVE-2019-5863 CVE-2019-5862
                      CVE-2019-5861 CVE-2019-5860 CVE-2019-5859 CVE-2019-5858
                      CVE-2019-5857 CVE-2019-5856 CVE-2019-5855 CVE-2019-5854
                      CVE-2019-5853 CVE-2019-5852 CVE-2019-5851 CVE-2019-5850
Member content until: Friday, August 30 2019

OVERVIEW

        Multiple security vulnerabilities have been addressed in Google
        Chrome version 76.0.3809.87 [1]

IMPACT

        The vendor has provided the following information:

        "This update includes 43 security fixes. Below, we highlight fixes
        that were contributed by external researchers. Please see the
        Chrome Security Page for more information.

        [$10000][977462] High CVE-2019-5850: Use-after-free in offline page fetcher.
        Reported by Brendon Tiszka on 2019-06-21

        [$6000][956947] High CVE-2019-5860: Use-after-free in PDFium.
        Reported by Anonymous on 2019-04-26

        [$3000][976627] High CVE-2019-5853: Memory corruption in regexp length check.
        Reported by yngwei(@yngweijw) of IIE Varas and sakura(@eternalsakura13) of
        Tencent Xuanwu Lab on 2019-06-19

        [$3000][977107] High CVE-2019-5851: Use-after-poison in offline audio context.
        Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of
        Qihoo 360 Technology Co. Ltd on 2019-06-20

        [$TBD][959438] High CVE-2019-5859: res: URIs can load alternative browsers.
        Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2019-05-03

        [$5000][964245] Medium CVE-2019-5856: Insufficient checks on filesystem: URI permissions.
        Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2019-05-17

        [$N/A][943494] Medium CVE-2019-5863: Use-after-free in WebUSB on Windows.
        Reported by Yuxiang Li (@Xbalien29) of Tencent Security Platform Department
        on 2019-03-19

        [$N/A][964872] Medium CVE-2019-5855: Integer overflow in PDFium.
        Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-20

        [$TBD][973103] Medium CVE-2019-5865: Site isolation bypass from compromised renderer.
        Reported by Ivan Fratric of Google Project Zero on 2019-06-11

        [$500][960209] Low CVE-2019-5858: Insufficient filtering of Open URL service parameters.
        Reported by evi1m0 of Bilibili Security Team on 2019-05-07

        [$500][936900] Low CVE-2019-5864: Insufficient port filtering in CORS for extensions.
        Reported by Devin Grindle on 2019-02-28

        [$TBD][946260] Low CVE-2019-5862: AppCache not robust to compromised renderers.
        Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-26

        [$TBD][951525] Low CVE-2019-5861: Click location incorrectly checked.
        Reported by Robin Linus ( robinlinus.com ) on 2019-04-10

        [$N/A][961237] Low CVE-2019-5857: Comparison of -0 and null yields crash.
        Reported by cloudfuzzer on 2019-05-09

        [$N/A][966263] Low CVE-2019-5854: Integer overflow in PDFium text rendering.
        Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-23

        [$TBD][976713] Low CVE-2019-5852: Object leak of utility functions.
        Reported by David Erceg on 2019-06-19 " [1]

MITIGATION

        It is recommended that users update to version 76.0.3809.87 as soon
        as possible.

REFERENCES

        [1] Chrome Releases: Stable Channel Update for Desktop
            https://chromereleases.googleblog.com/2019/07/stable-channel-update-for-desktop_30.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
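As an added example (not part of the AusCERT bulletin or Google's release notes), the check a fleet owner would run against the fixed version named under MITIGATION: a numeric dotted-version comparison, since a plain string comparison mis-ranks build numbers. The host names and version strings in the inventory are constructed.

```python
"""Check whether reported Google Chrome versions are at or above the fixed
release named in this bulletin (76.0.3809.87).

Added example, not AusCERT's or Google's code. The inventory below is
constructed. Versions are compared component-wise as integers, because a
string comparison would rank "76.0.3809.9" above "76.0.3809.87".
"""
from typing import List, Tuple

FIXED_VERSION = "76.0.3809.87"  # from the bulletin's MITIGATION section


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into an integer tuple; reject junk."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is numerically >= the fixed release."""
    return parse_version(version) >= parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) per host. Status is 'patched',
    'VULNERABLE', or 'unparseable' (an unknown version needs manual review,
    so it is never silently counted as patched)."""
    results = []
    for host, version in inventory:
        try:
            status = "patched" if is_patched(version) else "VULNERABLE"
        except ValueError:
            status = "unparseable"
        results.append((host, version, status))
    return results


# Constructed sample inventory, as a fleet query might return it.
SAMPLE_INVENTORY = [
    ("ws-01", "76.0.3809.87"),   # exactly the fixed release
    ("ws-02", "75.0.3770.142"),  # previous stable branch
    ("ws-03", "76.0.3809.100"),  # later build on the same branch
    ("ws-04", "76.0.3809.9"),    # string-compare trap: still vulnerable
    ("ws-05", "unknown"),        # agent could not read the version
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<8}{version:<16}{status}")
```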