TTCSIRT-054.101917: TT-CSIRT Advisory – Chrome Security Updates

TTCSIRT-054.101917: TT-CSIRT Advisory – Chrome Security Updates

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could result in arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of the vulnerabilities are as follows:

a)UXSS with MHTML – (CVE-2017-5124)

b)Heap overfin Skia – (CVE-2017-5125)

c) Use after free in PDFium – (CVE-2017-5126)

d) Use after free in PDFium – (CVE-2017-5127)

e) Heap overflow in WebGL – (CVE-2017-5128)

f) Use after free in WebAudio – (CVE-2017-5129)

g) Incorrect stack manipulation in WebAssembly- (CVE-2017-5132)

h) Heap overfin libxml2 – (CVE-2017-5130)

i) Out of bounds write in Skia – (CVE-2017-5131)

j) Out of bounds write in Skia – (CVE-2017-5133)

k) UI spoofing in Blink – (CVE-2017-15386)

l) Content security bypass – (CVE-2017-15387)

m) Out of bounds read in Skia – (CVE-2017-15388)

n) URL spoofing in OmniBox – (CVE-2017-15389)

o) URL spoofing in OmniBox – (CVE-2017-15390)

p) Extension limitation bypass in Extensions – (CVE-2017-15391)

q) Incorrect registry key handling in PlatformIntegration – (CVE-2017-15392)

r) Referrer leak in Devtools – (CVE-2017-15393)

s) URL spoofing in extensions UI – (CVE-2017-15394)

t) Null pointer dereference in ImageCapture – (CVE-2017-15395)

Further information on these vulnerabilities and how they can be fixed can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2017-102/