KLA10764
Multiple vulnerabilities in Google Chrome
Обновлено: 17/06/2019
Дата обнаружения
02/03/2016
Уровень угрозы
Critical
Описание

Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions and obtain sensitive information.

Below is a complete list of vulnerabilities

  1. Lack of URL’s restrictions at Blink can be exploited remotely via Content Security Policy (CSP) violation reports manipulations to obtain sensitive information;
  2. An improper wrappers detection at Blink can be exploited remotely via a specially designed JavaScript to cause denial of service or conduct other unknown impact;
  3. Multiple unspecified vulnerabilities at V8 can be exploited to cause denial of service or conduct other unknown impact;
  4. Multiple unknown vulnerabilities can be exploited to cause denial of service or conduct other unknown impact;
  5. Use-after-free vulnerability can be exploited remotely via image downloading manipulations to cause denial of service or conduct other unknown impact;
  6. Lack of installation restrictions at Web Store can be exploited remotely via a specially designed web site to spoof user interface;
  7. Use-after-free vulnerability at WebRTC can be exploited remotely via a specially designed API manipulations to cause denial of service or conduct other unknown impact;
  8. Lack of Web APIs restrictions at Extensions can be exploited remotely via a specially designed platform app to bypass restrictions;
  9. Improper calculations handling at Skia can be exploited remotely via a specially designed web site to obtain sensitive information;
  10. Lack of integrity-check restrictions can be exploited remotely via resource loading manipulations to bypass security restrictions;
  11. An improper objects lifetime handling can be exploited remotely to cause denial of service or conduct other unknown impacts;
  12. Use-after-free vulnerability at Blink can be exploited remotely vi a specially designed web site or another unknown vectors to cause denial of service or conduct other unknown impact;
  13. An improper properties handling at Extensions can be exploited remotely via a specially designed JavaScript to bypass security restrictions;
  14. An improper messages handling at Pepper can be exploited remotely via a specially designed web site to bypass security restrictions;
  15. An improper widget updates handling can be exploited remotely via a specially designed website to bypass security restrictions.

Technical details

Vulnerability (1) caused by CSP implementation which does not ignore URL’s path during ServiceWorker fetch. Success exploitation of this vulnerability can lead to disclosure of information about visited web pages by reading CSP violation reports. This vulnerability related to FrameFetchContext.cpp and ResourceFetcher.cpp

Vulnerability (2) caused by lack of detection whether anonymous block wrapper exists or not. This vulnerability related to WebKit/Source/core/layout/LayoutBlock.cpp

Vulnerability (5) can be exploited via an image download after a certain data structure is deleted. This vulnerability related to content/browser/web_contents/web_contents_impl.cc

Vulnerability (6) caused by Web Store inline installer implementation in Extensions UI which does not block installations upon deletion of an installation frame. Exploitation of this vulnerability can lead lead user to believing that installation request originated by next navigation target.

Vulnerability (7) related to browser/extensions/api/webrtc_audio_private/webrtc_audio_private_api.cc and can be exploited via leveraging incorrect reliance on the resource context pointer.

Vulnerability (8) related to extensions/renderer/resources/platform_app.js

Vulnerability (9) caused by mishandling of asctangent calculations and related to SkATan2_255 function in effects/gradients/SkSweepGradient.cpp

Vulnerability (10) caused by checking memory-cache information about integrity-check occurrences instead of integrity-check successes, and can be can be exploited via two loads of the same resource. Successful exploitation of this vulnerability can lead to bypass of Subresource Integrity protection. This vulnerability related to PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp

Vulnerability (11) caused by improper considering objects lifetimes and re-entrancy during OnDocumentElementCreated handling. This vulnerability related to extensions/renderer/render_frame_observer_natives.cc

Vulnerability (12) related to StyleResolver::appendCSSStyleSheet function in WebKit/Source/core/css/resolver/StyleResolver.cpp and can be exploited via triggering Cascade Style Sheets invalidation during certain subtree-removal action.

Vulnerability (13) can be exploited by JavaScript code which triggers an incorrect cast. This vulnerability related to extensions/renderer/v8_helpers.h and gin/converter.h

Vulnerability (14) caused by mishandle of nested message loops and related to PPB_Flash_MessageLoop_Impl::InternalRun function in content/renderer/pepper/ppb_flash_message_loop_impl.cc. Exploitation of this vulnerability can lead to Same Origin Policy Bypass.

Vulnerability (15) caused by mishandle of widget updates and caused by ContainerNode::parserRemoveChild function in WebKit/Source/core/dom/ContainerNode.cpp. Exploitation of this vulnerability can lead to Same Origin Bypass.

Пораженные продукты

Google Chrome versions earlier than 49.0.2623.75 (All branches)

Решение

Update to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk.
Get Chrome

Первичный источник обнаружения
Google Chrome releases blog
Оказываемое влияние
?
OSI 
[?]

DoS 
[?]

SB 
[?]
Связанные продукты
Google Chrome
CVE-IDS
CVE-2016-16326.8High
CVE-2016-163310.0Critical
CVE-2016-16386.8High
CVE-2016-163910.0Critical
CVE-2016-16404.3Warning
CVE-2016-16419.3Critical
CVE-2016-16349.3Critical
CVE-2016-163510.0Critical
CVE-2016-16367.5Critical
CVE-2016-16374.3Warning
CVE-2016-16316.8High
CVE-2016-164210.0Critical
CVE-2016-284310.0Critical
CVE-2016-16306.8High
CVE-2016-28449.3Critical
CVE-2016-28455.0Critical