Government of the Republic of Trinidad and Tobago
gov.tt

TTCSIRT-071.120817: TT-CSIRT Advisory – Chrome Security Updates

Google has reported several vulnerabilities in Google Chrome, including:

a) Out of bounds write in QUIC – (CVE-2017-15407)

b) Heap buffer overflow in PDFium – (CVE-2017-15408)

c) Out of bounds write in Skia – (CVE-2017-15409)

d) Use after free in PDFium – (CVE-2017-15410, CVE-2017-15411)

e) Use after free in libXML – (CVE-2017-15412)

f) Type confusion in WebAssembly – (CVE-2017-15413)

g) Pointer information disclosure in IPC call – (CVE-2017-15415)

h) Out of bounds read in Blink – (CVE-2017-15416)

i) Cross origin information disclosure in Skia – (CVE-2017-15417)

j) Use of uninitialized value in Skia – (CVE-2017-15418)

k) Cross origin leak of redirect URL in Blink – (CVE-2017-15419)

l) URL spoofing in Omnibox – (CVE-2017-15420)

m) Integer overflow in ICU – (CVE-2017-15422)

n) Issue with SPAKE implementation in BoringSSL – (CVE-2017-15423)

o) URL Spoof in Omnibox – (CVE-2017-15424, CVE-2017-15425, CVE-2017-15426)

p) Insufficient blocking of JavaScript in Omnibox – (CVE-2017-15427)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.

Further information on these vulnerabilities and how they can be fixed can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2017-123/