KLA10865
Multiple vulnerabilities in Google Chrome
Updated: 06/01/2019
Detect date: 08/31/2016
Severity: Critical
Description

Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to bypass security restrictions or inject arbitrary code.

Below is a complete list of the vulnerabilities:

  1. Improper value validation in Skia can be exploited remotely via specially designed graphics data to cause a denial of service or possibly have another unknown impact;
  2. Lack of download URL restrictions can be exploited remotely via specially designed web content to obtain sensitive information;
  3. XSS vulnerabilities in DevTools and Blink can be exploited remotely via specially designed content to inject arbitrary script;
  4. Lack of URL rendering restrictions can be exploited remotely via a specially designed URL to spoof the user interface;
  5. Improper use of an extension's manifest can be exploited remotely via clickjacking to spoof the user interface;
  6. Improper handling of custom properties can be exploited remotely via specially designed content to cause a denial of service or possibly have another unknown impact;
  7. Multiple integer overflows in PDFium can be exploited remotely via specially designed JPEG 2000 data to cause a denial of service or possibly have another unknown impact;
  8. A heap buffer overflow vulnerability in PDFium can be exploited remotely via specially designed JPEG 2000 data to execute arbitrary code;
  9. Improper processing of filtered events can be exploited remotely to cause a denial of service or have another unknown impact;
  10. Lack of initial document access restrictions can be exploited remotely via a specially designed web site to spoof the user interface;
  11. Multiple heap buffer overflows in PDFium can be exploited remotely via a specially designed JBIG2 image to cause a denial of service or possibly have another unknown impact;
  12. Improper list iteration in Blink can be exploited remotely via a specially designed web site to cause a denial of service or have another unknown impact;
  13. An integer overflow vulnerability in OpenJPEG can be exploited remotely via specially designed JPEG 2000 data to cause a denial of service or have another unknown impact;
  14. Improper timer handling in PDFium can be exploited remotely via a specially designed PDF document to cause a denial of service or have another unknown impact;
  15. Lack of key-path evaluation restrictions in Blink can be exploited remotely via specially designed JavaScript to cause a denial of service or have another unknown impact;
  16. Improper IFRAME URL handling can be exploited remotely via a specially designed web resource to manipulate user extensions;
  17. An XSS vulnerability in Blink can be exploited remotely via vectors related to widget updates to inject arbitrary code;
  18. Improper handling of deferred page loading in Blink can be exploited remotely via specially designed content to inject arbitrary code.

Technical details

Vulnerability (1) is related to SkPath.cpp, which does not properly validate the return values of ChopMonoAtY calls.

Vulnerability (2) is caused by a lack of restrictions on saving a file:// URL that is referenced by an http:// URL. It can lead to disclosure of NetNTLM hashes and SMB relay attacks, and can be exploited via a specially designed web page together with the "Save page as" menu.

Vulnerability (3) can be exploited via the settings parameter in the query string of a chrome-devtools-frontend.appspot.com URL.

Vulnerability (4) is related to the bidirectional-text implementation, which does not ensure left-to-right (LTR) rendering of URLs. It can be exploited via crafted right-to-left (RTL) Unicode text, and is related to omnibox/SuggestionView.java and omnibox/UrlBar.java in Chrome for Android.

Vulnerability (5) is related to the AllowCrossRendererResourceLoad function in extensions/browser/url_request_util.cc, which does not properly use an extension's manifest.json web_accessible_resources field to restrict IFRAME elements.

Vulnerability (6) is related to the EditingStyle::mergeStyle function in WebKit/Source/core/editing/EditingStyle.cpp.

Vulnerability (7) is related to opj_aligned_malloc calls in dwt.c and t1.c in OpenJPEG.

Vulnerability (8) is related to the opj_dwt_interleave_v function in dwt.c.

Vulnerability (9) is related to extensions/renderer/event_bindings.cc in the event bindings, which attempts to process filtered events after failing to add an event matcher.

Vulnerability (10) can be exploited to spoof the address bar.

Vulnerability (12) is related to the Web Animations implementation.

Vulnerability (13) is related to the opj_tcd_get_decoded_tile_size function in tcd.c.

Vulnerability (14) is related to fpdfsdk/javascript/JS_Object.cpp and fpdfsdk/javascript/app.cpp.

Vulnerability (15) is related to WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp, whose Indexed Database (IndexedDB) API implementation does not properly restrict key-path evaluation.

Vulnerability (16) is related to the extensions subsystem, which relies on an IFRAME source URL to identify the associated extension. It can be exploited by leveraging script access to a resource that initially has the about:blank URL.

Affected products

Google Chrome versions earlier than 53.0.2785.89
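The affected range above is "earlier than 53.0.2785.89". The following is an added example, not part of the Kaspersky advisory, showing how a defender can compare installed Chrome version strings against that fixed version when triaging an inventory. The version parser, the `is_affected` and `triage` helpers, and the host inventory are all constructed for this example; the only value taken from the advisory is the fixed version.

```python
"""Triage Google Chrome installs against the fixed version in KLA10865.

Example code added to this advisory page; not Kaspersky's or Google's code.
"""
import re
from typing import Dict, List, Tuple

# Fixed version from the advisory's "Affected products" section.
FIXED_VERSION = "53.0.2785.89"

# Chrome versions are 1 to 4 dot-separated non-negative integers.
_VERSION_RE = re.compile(r"\d+(?:\.\d+){0,3}")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a dotted Chrome version string into a 4-tuple of ints.

    Raises ValueError for anything that is not 1-4 dotted integers, so a
    malformed or unexpected string is never silently treated as patched.
    Shorter strings are right-padded with zeros, so "53" compares like
    "53.0.0.0".
    """
    cleaned = version.strip()
    if not _VERSION_RE.fullmatch(cleaned):
        raise ValueError(f"not a Chrome version string: {version!r}")
    parts = tuple(int(p) for p in cleaned.split("."))
    padded = parts + (0,) * (4 - len(parts))
    return padded  # type: ignore[return-value]


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is strictly earlier than the fix.

    Integer-wise comparison avoids the classic string-comparison mistake
    where "53.0.2785.9" would sort after "53.0.2785.89".
    """
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str], fixed: str = FIXED_VERSION) -> List[str]:
    """Return the sorted list of hosts whose Chrome is still affected.

    Hosts with an unparsable version string are included as well, so that
    they are reviewed rather than assumed patched.
    """
    affected = []
    for host, version in inventory.items():
        try:
            if is_affected(version, fixed):
                affected.append(host)
        except ValueError:
            affected.append(host)
    return sorted(affected)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "52.0.2743.116",   # older major: affected
    "ws-02": "53.0.2785.89",    # exactly the fixed version: not affected
    "ws-03": "53.0.2785.9",     # trips naive string comparison: affected
    "ws-04": "54.0.2840.59",    # newer: not affected
    "ws-05": "unknown",         # unparsable: flagged for review
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} needs attention")
```

Feed `triage` whatever host-to-version mapping your inventory tooling produces; the advisory's note about a leftover old_chrome file means the presence of an old binary on disk is not by itself proof that the running install is unpatched, so compare the version that is actually installed.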

Solution

Update to the latest version. A file named old_chrome may still be detected after the update. This is caused by the Google Chrome update policy, which does not remove old versions when installing updates. Contact the vendor for further deletion instructions, or ignore such alerts at your own risk.
Get Google Chrome

Original advisories

Google Blog

Impacts

ACE, CI, SB
Related products
Google Chrome
CVE-IDS