-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2019.0308
        Chrome 78.0.3904.70 security and feature update
                              24 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Chrome
Operating System:  Windows
                   Mac OS
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges           -- Remote with User Interaction
                   Denial of Service              -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15903 CVE-2019-13719 CVE-2019-13718 CVE-2019-13717
                   CVE-2019-13716 CVE-2019-13715 CVE-2019-13714 CVE-2019-13713
                   CVE-2019-13711 CVE-2019-13710 CVE-2019-13709 CVE-2019-13708
                   CVE-2019-13707 CVE-2019-13706 CVE-2019-13705 CVE-2019-13704
                   CVE-2019-13703 CVE-2019-13702 CVE-2019-13701 CVE-2019-13700
                   CVE-2019-13699
Member content until: Saturday, November 23 2019

OVERVIEW

        Google has released Chrome 78 for Windows, Mac and Linux, featuring
        37 security fixes. [1]

IMPACT

        Google has provided the following information:

        "[$20000][1001503] High CVE-2019-13699: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-09-06
        [$15000][998431] High CVE-2019-13700: Buffer overrun in Blink. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-28
        [$1000][998284] High CVE-2019-13701: URL spoof in navigation. Reported by David Erceg on 2019-08-27
        [$5000][991125] Medium CVE-2019-13702: Privilege elevation in Installer. Reported by Phillip Langlois (phillip.langlois@nccgroup.com) and Edward Torkington (edward.torkington@nccgroup.com), NCC Group on 2019-08-06
        [$3000][992838] Medium CVE-2019-13703: URL bar spoofing. Reported by Khalil Zhani on 2019-08-12
        [$3000][1001283] Medium CVE-2019-13704: CSP bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-05
        [$2000][989078] Medium CVE-2019-13705: Extension permission bypass. Reported by Luan Herrera (@lbherrera_) on 2019-07-30
        [$2000][1001159] Medium CVE-2019-13706: Out-of-bounds read in PDFium. Reported by pdknsk on 2019-09-05
        [$1000][859349] Medium CVE-2019-13707: File storage disclosure. Reported by Andrea Palazzo on 2018-07-01
        [$1000][931894] Medium CVE-2019-13708: HTTP authentication spoof. Reported by Khalil Zhani on 2019-02-13
        [$1000][1005218] Medium CVE-2019-13709: File download protection bypass. Reported by Zhong Zhaochen of andsecurity.cn on 2019-09-18
        [$500][756825] Medium CVE-2019-13710: File download protection bypass. Reported by bernardo.mrod on 2017-08-18
        [$500][986063] Medium CVE-2019-13711: Cross-context information leak. Reported by David Erceg on 2019-07-20
        [$500][1004341] Medium CVE-2019-15903: Buffer overflow in expat. Reported by Sebastian Pipping on 2019-09-16
        [$N/A][993288] Medium CVE-2019-13713: Cross-origin data leak. Reported by David Erceg on 2019-08-13
        [$2000][982812] Low CVE-2019-13714: CSS injection. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-07-10
        [$500][760855] Low CVE-2019-13715: Address bar spoofing. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-31
        [$500][1005948] Low CVE-2019-13716: Service worker state error. Reported by Barron Hagerman on 2019-09-19
        [$N/A][839239] Low CVE-2019-13717: Notification obscured. Reported by xisigr of Tencent's Xuanwu Lab on 2018-05-03
        [$N/A][866162] Low CVE-2019-13718: IDN spoof. Reported by Khalil Zhani on 2018-07-20
        [$N/A][927150] Low CVE-2019-13719: Notification obscured. Reported by Khalil Zhani on 2019-01-31" [1]

MITIGATION

        Google advises updating to Chrome 78.0.3904.70 or later to address
        these vulnerabilities. [1]
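        The mitigation above is a version floor, so the practical check is
        whether each endpoint's reported build is numerically at or above
        78.0.3904.70. The following is an added example and is not part of
        the AusCERT bulletin or of Google's release notes: it parses the
        string printed by `google-chrome --version` (or the same strings
        exported from inventory tooling), compares the four version fields
        numerically rather than as text, and sorts hosts into patched,
        vulnerable and unknown. The inventory lines are constructed sample
        data; `installed_version_from_cli` assumes a Linux or macOS host with
        a `google-chrome` binary on PATH.

```python
"""Triage hosts against the fixed Chrome version named in ASB-2019.0308.

Added example; not code from the AusCERT bulletin or from Google.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Fixed version from the bulletin's MITIGATION section.
FIXED_VERSION = "78.0.3904.70"

# Chrome/Chromium print "<product> <major>.<minor>.<build>.<patch> [tag]" for
# `--version`; only the four numeric fields matter for the comparison.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first four-part version in text as ints, or None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(field) for field in m.groups())


def is_vulnerable(reported: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported build is older than the fixed one, False if it is
    at or above it, None if no version could be parsed.

    Comparison is numeric per field: "78.0.3904.9" is OLDER than
    "78.0.3904.70" even though it sorts after it as a plain string.
    """
    installed = parse_version(reported)
    if installed is None:
        return None
    return installed < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]],
           fixed: str = FIXED_VERSION) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched' or 'unknown'."""
    result: Dict[str, str] = {}
    for host, reported in inventory:
        verdict = is_vulnerable(reported, fixed)
        if verdict is None:
            result[host] = "unknown"
        elif verdict:
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result


def installed_version_from_cli(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local browser for its version string.

    Assumption: a Linux/macOS host with the binary on PATH (on macOS the full
    path under "Google Chrome.app/Contents/MacOS" works the same way).
    Returns None rather than raising if the binary cannot be run.
    """
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout.strip() or None


# Constructed sample inventory: (hostname, string reported by `--version`).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-01", "Google Chrome 78.0.3904.70"),        # exactly the fixed build
    ("ws-02", "Google Chrome 77.0.3865.120"),       # previous stable release
    ("ws-03", "Chromium 78.0.3904.97 snap"),        # later build, extra tag
    ("ws-04", "Google Chrome 78.0.3904.9"),         # lexical trap: 9 < 70
    ("ws-05", "google-chrome: command not found"),  # no browser, or not on PATH
]


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
    local = installed_version_from_cli()
    if local is not None:
        print(f"this host: {local} -> "
              f"{triage([('localhost', local)])['localhost']}")
```

        Windows builds of chrome.exe do not print a version to the console,
        so for Windows fleets feed the file version of chrome.exe from your
        inventory tooling into `triage` instead of calling
        `installed_version_from_cli`. Hosts that come back "unknown" need a
        manual look rather than being assumed patched.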
REFERENCES

        [1] 78.0.3904.70 Stable Channel Update for Desktop
            https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html

AusCERT has made every effort to ensure that the information contained in this
document is accurate. However, the decision to use the information described
is the responsibility of each user or organisation. The decision to follow or
act on information or advice contained in this security bulletin is the
responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXbEpOWaOgq3Tt24GAQgXJhAAzyDBy7j6cFpAQqqW4onD9axsuWXSqOC8
FV1qmZziClUMboshSJ9ksuLiXhva8L0dyCeM1PpjkN2Q52YQPqhx3F6B9415evwH
nxc4j6sa5n/PPpqCTWlyMk+6grsYfaqk6FDgomCJy6rJe+vsIQu0NYtIrHh+P9ZT
QUabvia8QMfohjXWPM/ttTHZ2WW2a6yoQz6WoCS0pvXLLeBCurlDaZrTRVU4VQ8w
uZxrwZSepsRsR3cSwGazU8hVmPkVvZAflLdey5ojoZ33Q9gMlwR5lpCLfUUrZb+1
i7pgh17muH/S2AGrqLbPw3Pj8baEqI39Fx/5dtL64gESvYRgf/ldglTUWcoKnxlH
2N+TyWJazfXPxg7/u1UK8elFQfmadZip37OEfWt1w6FLrUsq/MMS6/MX01dvqVn6
r9FFWxCZtd4bI69e35+p0j6lBwFLY5r/vgcnvhKp3Gj7SOVAKq13lQzl1BBgclPR
szS5dez0cxL6AcTyWSgQyYGBh+lvcYeQN/Cz5fcNzHG5PuRl1zqBVahxwymestH7
UjBDQkGURZdQN6Se2hg0SXZ3QlZU1/rasEySkT3VGoPgzvAVatMW5bEyTG2rNbHg
+1uxMmHQpplulO+gz2iXfHpDbhor48EYPBBCQbjCrtDTnND89U/uxvk6VFkNfHKd
p2hb8/Ejg8o=
=+kBp
-----END PGP SIGNATURE-----