TTCSIRT-126.060418: TT-CSIRT Advisory – Chrome Security Updates

TTCSIRT-126.060418: TT-CSIRT Advisory – Chrome Security Updates

Google has released a security state stating that the following vulnerabilities have been discovered in Google Chrome:

a) Heap buffer overflow in Skia – (CVE-2018-6141, CVE-2018-6126)

b) Incorrect escaping of MathML in Blink – (CVE-2018-6145)

c) Incorrect mutability protection in WebAssembly – (CVE-2018-6131)

d) Leak of visited status of page in Blink – (CVE-2018-6137)

e) Out of bounds memory access in PDFium – (CVE-2018-6144)

f) Out of bounds memory access in V8 – (CVE-2018-6136, CVE-2018-6142, CVE-2018-6143)

g) Out of bounds memory access in WebRTC – (CVE-2018-6130, CVE-2018-6129)

h) Password fields not taking advantage of OS protections in Views – (CVE-2018-6147)

i) Referrer Policy bypass in Blink – (CVE-2018-6134)

j) Restrictions bypass in the debugger extension API – (CVE-2018-6140, CVE-2018-6139)

k) Type confusion in Blink – (CVE-2018-6124)

l) URL spoof in Omnibox – (CVE-2018-6133)

m) Use after free in Blink – (CVE-2018-6123)

n) Use after free in indexedDB – (CVE-2018-6127)

o) Use of uninitialized memory in WebRTC – (CVE-2018-6132)

p) uXSS in Chrome on iOS – (CVE-2018-6128)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.

Further information on these vulnerabilities and how they can be mitigated can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2018-059/