Description
Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to bypass security restrictions cause denial of service or obtain sensitive information.
Below is a complete list of vulnerabilities
- Improper DOM tree workaround at Blink can be exploited via a specially designed JavaScript code to bypass same origin policy;
- Use-after-free vulnerabilities at PDFium can be exploited via annotation manipulations to cause denial of service ;
- Use-after-free vulnerabilities at ServiceWorker can be exploited via callback manipulations to cause denial of service;
- Improper dictionary objects cast at PDFium can be exploited via a specially designed PDF document to cause denial of service;
- Lack of LocalStorage restrictions at Blink can be exlpoited remotely via a specially designed URL to obtain sensitive information;
- Improper mapping error handling at libANGLE can be exploited remotely via device manipulations to cause denial of service;
- Memory corruption at FFMpeg can be exploited remotely to cause denial of service via a specially designed WebM File;
- Lack of CORS restrictions at Blink can be exploited remotely via a specially designed redirect to bypass security restrictions;
- Multiple vulnerabilities at Google V8 and other Google Chrome components can be exploited to cause denial of service or conduct other impact.
Technical details
Vulnerability (1) related to ContainerNode::parserInsertBefore function in core/dom/ContainerNode.cpp and can be triggered by DOM tree insertion in certain cases where a parent node no longer contains a child node.
(2) can be triggered via mishandling of focused annotation in a PDF document. This vulnerability caused by error in CPDFSDK_PageView implementation in fpdfsdk/src/fsdk_mgr.cpp
Vulnerability (3) caused by use-after-free in content/browser/service_worker/embedded_worker_instance.cc
Vulnerability (4) caused by CPDF_Document::GetPage function in fpdfapi/fpdf_parser/fpdf_parser_document.cpp
(5) can be triggered via vectors related to blob: URL. This vulnerability caused by shouldTreatAsUniqueOrigin function in platform/weborigin/SecurityOrigin.cpp
Vulnerability (6) caused by Image11::map function in renderer/d3d/d3d11/Image11.cpp mishandling of mapping failures after device-lost event. This vulnerability can be triggered via vectors involved removed device.
update_dimensions function in libavcodec/vp8.c relies on a coefficient-partition count during multi-threaded operation which causes (7).
(8) can be triggered via a redirect. This vulnerability caused by lack of CORS restriction when font’s URL appears to be same-origin. Vulnerable code placed at CSSFontFaceSrcValue::fetch function in core/css/CSSFontFaceSrcValue.cpp
Original advisories
Exploitation
Public exploits exist for this vulnerability.
Related products
CVE list
- CVE-2015-6763 critical
- CVE-2015-7834 critical
- CVE-2015-6757 critical
- CVE-2015-6758 high
- CVE-2015-6755 critical
- CVE-2015-6756 high
- CVE-2015-6761 high
- CVE-2015-6762 critical
- CVE-2015-6759 critical
- CVE-2015-6760 critical
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com