Описание
Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, spoof user interface, bypass security restrictions or execute arbitrary code.
Below is a complete list of vulnerabilities
- Improper array elements handling at Google V8 can be exploited remotely via a specially designed JavaScript code to cause denial of service;
- Use-after-free vulnerabilities can be exploited remotely via a AppCache manipulations to cause denial of service;
- An unknown vulnerability at DOM can be exploited remotely to bypass Same Origin Policy;
- Improper proxy handling at WebKit can be exploited remotely via window proxy manipulations to bypass Same Origin Policy;
- Lack of URL restrictions at Blink can be exploited remotely via a specially designed JavaScript to bypass Same Origin Policy;
- Improper graphics handling in Skia can be exploited remotely via a specially designed graphics data to cause denial of service;
- Use-after-free vulnerability at Extensions can be exploited remotely via a specially designed JavaScript to cause denial of service;
- Improper signatures handling at PDFium can be exploited remotely via vectors related to type confusion to cause denial of service;
- Improper JPEG at PDFium handling can be exploited remotely via a specially designed JPEG 2000 data to cause denial of service;
- Use-after-free at DOM can be exploited remotely via DOM manipulations to cause denial of service;
- An unknown vulnerability at PDFium can be exploited remotely via a specially design PDF document to cause denial of service;
- Lack of chrome: URLs restrictions at PDFium can be exploited remotely via a specially designed PDF document to bypass security restrictions;
- Use-after-free vulnerability at Infobars can be exploited remotely via a specially designed web site to cause denial of service;
- Integer overflow at Google sfntly can be exploited remotely via a specially designed SFNT container to cause denial of service;
- Improper modal-dialog handling at WebKit can be exploited remotely via a specially designed web site to spoof Omnibox content;
- Improper ZIP implementation at Crazy Linker can be exploited remotely via a specially design ZIP archive too bypass signature validation restrictions; (Android)
- Improper URLs handling at page serializer can be exploited remotely via a specially designed URL to inject arbitrary HTML;
- Improper hostnames matching implementation at Content Security Policy can be exploited remotely via policy manipulations;
- An unknown vulnerabilities can be exploited remotely to cause denial of service;
- Use-after-free vulnerability can be exploited remotely via audio device manipulations to cause denial of service;
- Improper memory handling can be exploited remotely via a VideoFrames manipulations to cause denial of service
Technical details
Vulnerability (1) related to BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier which improperly loads array elements. Also same vulnerability merged to (1) caused by js/array.js improperly implements map and filter arrays operations. Exploitation of (1) can lead to out-of-bounds memory access.
There are three vulnerabilities merged into (2) related to content/browser/appcache/appcache_update_job.cc, content/browser/appcache/appcache_dispatcher_host.cc and other unknown places in AppCache. This vulnerability can be exploited via leveraging mishandling of AppCache update jobs, incorrect jobs behavior associated with duplicate cache selection or incorrect pointer maintenance associated with certain callbacks.
Vulnerability (4) related to provisional-load commit implementation in WebKit/Source/bindings/core/v8/WindowProxy.cpp and can be triggered via leveraging delay in window proxy cleaning.
Vulnerability (5) caused by DOM implementation which doesn’t prevend javascript: URL navigation while docunment is detached. This vulnerability can be exploited via JS code improperly interacts with a plugin.
Vulnerability (6) caused by convolution implementation which improper constrains row lengths.
Vulnerability (7) related to GetLoadTimes function in renderer/loadtimes_extension_bindings.cc and can be triggered via JS code modifying pointer used fir reporting loadTimes data.
Vulnerability (8) related to fpdfsdk/src/jsapi/fxjs_v8.cpp which doesn’t use signatures.
Vulnerability (9) related to opj_dwt_decode_1* functions in dwt.c in OpenJPEG and can be triggered via data that’s mishandling during discrete wavelet transform.
Vulnerability (10) related to ContainerNode::notifyNodeInsertedInternal function in WebKit/Source/core/dom/ContainerNode.cpp and can be triggered via DOMCharacterDataModified events for certain detached-subtree insertions.
Vulnerability (11) related to CJBig2_SymbolDict class in fxcodec/jbig2/JBig2_SymbolDict.cpp and can be triggered via JBIG2 compressed data.
Vulnerability (13) related to browser/ui/views/website_settings/website_settings_popup_view.cc.
Vulnerability (14) related to FontData::Bound function in data/font_data.cc and can be triggered via offset or kength values within font data in the container.
Vulnerability (15) related to Document::open function in WebKit/Source/core/dom/Document.cpp shich doesn’t ensure that page-dismissal event handling is compatible with modal-dialog blocking.
Vulnerability (16) FindStartOffsetOfFileInZipFile function in crazy_linker_zip.cpp in Android 5.x and 6.x which improperly search EOCD record.
Vulnerability (17) caused by mishandling Mark of the Web comments for URLs containing «—» sequence.
Vulnerability (18) caused by CSPSource::hostMatches and CSPSourceList::matches dunctions at WebKit/Source/core/frame/csp/CSPSource.cpp and CSPSourceList.cpp respectively which accepts an x.y hostname as a match for a *.x.y pattern () for first of merged vulnerabilities and accepts a blob:, data:, or filesystem: URL as a match for a * pattern for second.
Vulnerability (20) related to AudioOutputDevice::OnDeviceAuthorized function in media/audio/audio_output_device.cc and can be triggered via access to an unauthorized audio output devices.
Vulnerability (21) related to VideoFramePool::PoolImpl::CreateFrame function in media/base/video_frame_pool.cc which does not initialize memory for video-frame data. This vulnerability can be triggered via leveraging improper interaction with the vp3_h_loop_filter_c function in libavcodec/vp3dsp.c in FFmpeg
Первичный источник обнаружения
Эксплуатация
Public exploits exist for this vulnerability.
Связанные продукты
Список CVE
- CVE-2015-6765 critical
- CVE-2015-6766 critical
- CVE-2015-6767 critical
- CVE-2015-6768 critical
- CVE-2015-6769 critical
- CVE-2015-6770 critical
- CVE-2015-6771 critical
- CVE-2015-6772 critical
- CVE-2015-6773 critical
- CVE-2015-6774 critical
- CVE-2015-6787 critical
- CVE-2015-6785 warning
- CVE-2015-6786 warning
- CVE-2015-8480 critical
- CVE-2015-8478 critical
- CVE-2015-8479 critical
- CVE-2015-6778 critical
- CVE-2015-6777 critical
- CVE-2015-6776 high
- CVE-2015-6775 critical
- CVE-2015-6782 warning
- CVE-2015-6781 critical
- CVE-2015-6780 high
- CVE-2015-6779 warning
- CVE-2015-6784 warning
- CVE-2015-6783 warning
- CVE-2015-6764 critical
Смотрите также
Узнай статистику распространения уязвимостей в своем регионе statistics.securelist.com