----------------------------------------------------------------------

SC World Congress, New York, USA, 16 November 2011
Visit the Secunia booth (#203) and discover how you can improve your handling of third party programs:

http://secunia.com/resources/events/sc_2011/ 

----------------------------------------------------------------------

TITLE:
Google Chrome Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA46049

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46049/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46049

RELEASE DATE:
2011-09-19

DISCUSS ADVISORY:
http://secunia.com/advisories/46049/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/46049/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=46049

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
A security issue and some vulnerabilities have been reported in
Google Chrome, where some have an unknown impact and others can be
exploited by malicious people to conduct spoofing and cross-site
scripting attacks, disclose sensitive information, bypass certain
security restrictions, and compromise a user's system.

1) A race condition exists within the certificate cache.

2) An error within the Windows Media Player plugin can lead to
unintended access to system Flash.

3) An error exists within the v8 script object wrappers.

4) An unspecified error can be exploited to display arbitrary content
while showing the URL of a trusted web site in the address bar.

5) An error in the garbage collection component of the PDF plugin can
be exploited to corrupt memory.

6) The security issue is caused due to the Mac installer creating
lock files in an insecure manner.

NOTE: This only affects the Mac version.

7) An error within media buffers can be exploited to cause an
out-of-bounds read.

8) A use-after-free error exists within unload event handling.

9) A use-after-free error exists within the document loader.

10) An unspecified error when handling the forward button can be
exploited to display arbitrary content while showing the URL of a
trusted web site in the address bar.

11) An error within box handling can be exploited to cause an
out-of-bounds read.

12) An error within the handling of Khmer characters can be exploited
to cause an out-of-bounds read.

13) An error within video handling can be exploited to cause an
out-of-bounds read.

14) An off-by-one error exists within v8.

15) A use-after-free error exists within the plug-in handler.

16) A use-after-free error exists within ruby and table style
handing.

17) An error within stylesheet handling can lead to a stale node.

18) An unspecified error within v8 can be exploited to violate the
cross-origin policy.

19) A use-after-free error exists within the focus controller.

20) A double free error exists within the handling of libxml XPath.

21) An unspecified error can lead to incorrect permissions being
assigned to non-gallery pages.

22) A use-after-free error exists within table style handling.

23) An error within the PDF component can lead to a bad string read.

24) An unspecified error can lead to unintended access of v8 built-in
objects.

25) An error when handling Tibetan characters can be exploited to
cause an out-of-bounds read.

26) An error when handling triangle arrays can be exploited to cause
an out-of-bounds read.

27) A type confusion error exists within v8 object sealing.

SOLUTION:
Upgrade to version 14.0.835.163.

PROVIDED AND/OR DISCOVERED BY:
5) Mario Gomes (C4SS!0 G0M3S).
10) Jordi Chancel.

The vendor credits:
1) Ryan Sleevi, Chromium development community.
2) electronixtar.
3, 7) Kostya Serebryany, Chromium development community.
4) kuzzcc.
6) Aaron Sigel, vtty.com.
8, 17) Arthur Gerkis.
9, 11, 12, 19, 22) miaubiz.
13, 25, 26) Inferno, Google Chrome Security Team.
14, 27) Christian Holler.
15) SkyLined, Google Chrome Security Team.
16) Slawomir Blazek, miaubiz, and Inferno, Google Chrome Security
Team.
18) Daniel Divricean.
20) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences.
21) Bernhard 'Bruhns' Brehm, Recurity Labs.
23) Aki Helin, OUSPG.
24) Sergey Glazunov.

ORIGINAL ADVISORY:
Google:
http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html

Jordi Chancel:
http://www.alternativ-testing.fr/blog/index.php?post/2011/Google-Chrome-Webkit-URL-Bar-Spoofing-SSL/TLS-Spoofing

Mario Gomes:
http://net-fuzzer.blogspot.com/2011/10/google-chrome-140835163-pdf-file.html

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------