KLA10703
Multiple vulnerabilities in Google Chrome

Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, spoof user interface, bypass security restrictions or execute arbitrary code.

Below is a complete list of vulnerabilities

1. Improper array elements handling at Google V8 can be exploited remotely via a specially designed JavaScript code to cause denial of service;
2. Use-after-free vulnerabilities can be exploited remotely via a AppCache manipulations to cause denial of service;
3. An unknown vulnerability at DOM can be exploited remotely to bypass Same Origin Policy;
4. Improper proxy handling at WebKit can be exploited remotely via window proxy manipulations to bypass Same Origin Policy;
5. Lack of URL restrictions at Blink can be exploited remotely via a specially designed JavaScript to bypass Same Origin Policy;
6. Improper graphics handling in Skia can be exploited remotely via a specially designed graphics data to cause denial of service;
7. Use-after-free vulnerability at Extensions can be exploited remotely via a specially designed JavaScript to cause denial of service;
8. Improper signatures handling at PDFium can be exploited remotely via vectors related to type confusion to cause denial of service;
9. Improper JPEG at PDFium handling can be exploited remotely via a specially designed JPEG 2000 data to cause denial of service;
10. Use-after-free at DOM can be exploited remotely via DOM manipulations to cause denial of service;
11. An unknown vulnerability at PDFium can be exploited remotely via a specially design PDF document to cause denial of service;
12. Lack of chrome: URLs restrictions at PDFium can be exploited remotely via a specially designed PDF document to bypass security restrictions;
13. Use-after-free vulnerability at Infobars can be exploited remotely via a specially designed web site to cause denial of service;
14. Integer overflow at Google sfntly can be exploited remotely via a specially designed SFNT container to cause denial of service;
15. Improper modal-dialog handling at WebKit can be exploited remotely via a specially designed web site to spoof Omnibox content;
16. Improper ZIP implementation at Crazy Linker can be exploited remotely via a specially design ZIP archive too bypass signature validation restrictions; (Android)
17. Improper URLs handling at page serializer can be exploited remotely via a specially designed URL to inject arbitrary HTML;
18. Improper hostnames matching implementation at Content Security Policy can be exploited remotely via policy manipulations;
19. An unknown vulnerabilities can be exploited remotely to cause denial of service;
20. Use-after-free vulnerability can be exploited remotely via audio device manipulations to cause denial of service;
21. Improper memory handling can be exploited remotely via a VideoFrames manipulations to cause denial of service

Technical details

Vulnerability (1) related to BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier which improperly loads array elements. Also same vulnerability merged to (1) caused by js/array.js improperly implements map and filter arrays operations. Exploitation of (1) can lead to out-of-bounds memory access.

There are three vulnerabilities merged into (2) related to content/browser/appcache/appcache_update_job.cc, content/browser/appcache/appcache_dispatcher_host.cc and other unknown places in AppCache. This vulnerability can be exploited via leveraging mishandling of AppCache update jobs, incorrect jobs behavior associated with duplicate cache selection or incorrect pointer maintenance associated with certain callbacks.

Vulnerability (4) related to provisional-load commit implementation in WebKit/Source/bindings/core/v8/WindowProxy.cpp and can be triggered via leveraging delay in window proxy cleaning.

Vulnerability (5) caused by DOM implementation which doesn’t prevend javascript: URL navigation while docunment is detached. This vulnerability can be exploited via JS code improperly interacts with a plugin.

Vulnerability (6) caused by convolution implementation which improper constrains row lengths.

Vulnerability (7) related to GetLoadTimes function in renderer/loadtimes_extension_bindings.cc and can be triggered via JS code modifying pointer used fir reporting loadTimes data.

Vulnerability (8) related to fpdfsdk/src/jsapi/fxjs_v8.cpp which doesn’t use signatures.

Vulnerability (9) related to opj_dwt_decode_1* functions in dwt.c in OpenJPEG and can be triggered via data that’s mishandling during discrete wavelet transform.

Vulnerability (10) related to ContainerNode::notifyNodeInsertedInternal function in WebKit/Source/core/dom/ContainerNode.cpp and can be triggered via DOMCharacterDataModified events for certain detached-subtree insertions.

Vulnerability (11) related to CJBig2_SymbolDict class in fxcodec/jbig2/JBig2_SymbolDict.cpp and can be triggered via JBIG2 compressed data.

Vulnerability (13) related to browser/ui/views/website_settings/website_settings_popup_view.cc.

Vulnerability (14) related to FontData::Bound function in data/font_data.cc and can be triggered via offset or kength values within font data in the container.

Vulnerability (15) related to Document::open function in WebKit/Source/core/dom/Document.cpp shich doesn’t ensure that page-dismissal event handling is compatible with modal-dialog blocking.

Vulnerability (16) FindStartOffsetOfFileInZipFile function in crazy_linker_zip.cpp in Android 5.x and 6.x which improperly search EOCD record.

Vulnerability (17) caused by mishandling Mark of the Web comments for URLs containing «—» sequence.

Vulnerability (18) caused by CSPSource::hostMatches and CSPSourceList::matches dunctions at WebKit/Source/core/frame/csp/CSPSource.cpp and CSPSourceList.cpp respectively which accepts an x.y hostname as a match for a *.x.y pattern () for first of merged vulnerabilities and accepts a blob:, data:, or filesystem: URL as a match for a * pattern for second.

Vulnerability (20) related to AudioOutputDevice::OnDeviceAuthorized function in media/audio/audio_output_device.cc and can be triggered via access to an unauthorized audio output devices.

Vulnerability (21) related to VideoFramePool::PoolImpl::CreateFrame function in media/base/video_frame_pool.cc which does not initialize memory for video-frame data. This vulnerability can be triggered via leveraging improper interaction with the vp3_h_loop_filter_c function in libavcodec/vp3dsp.c in FFmpeg

Google Chrome versions earlier than 47.0.2526.73 (all branches)

Update to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk.
Get Chrome

The following public exploits exists for this vulnerability:

https://www.exploit-db.com/exploits/39165

https://www.exploit-db.com/exploits/39162

https://www.exploit-db.com/exploits/39163