TTCSIRT-149.072718: TT-CSIRT Advisory – Chrome Security Updates

TTCSIRT-149.072718: TT-CSIRT Advisory – Chrome Security Updates

Google has released a security update stating that the following vulnerabilities have been discovered in Google Chrome:

a) CORS bypass in Blink – (CVE-2018-6168)

b) Cross origin information leak in Blink – (CVE-2018-4117, CVE-2018-6177)

c) Heap buffer overflow in WebGL – (CVE-2018-6154, CVE-2018-6162)

d) Heap buffer overflow in WebRTC – (CVE-2018-6156)

e) Integer overflow in SwiftShader – (CVE-2018-6174)

f) Local file information leak in Extensions – (CVE-2018-6179)

g) Local user privilege escalation in Extensions – (CVE-2018-6176)

h) Permissions bypass in extension installation – (CVE-2018-6169)

i) Request privilege escalation in Extensions – (CVE-2018-6044)

j) Same origin policy bypass in ServiceWorker – (CVE-2018-6159, CVE-2018-6164)

k) Same origin policy bypass in WebAudio – (CVE-2018-6161)

l) Stack buffer overflow in Skia – (CVE-2018-6153)

m) Type confusion in PDFium – (CVE-2018-6170)

n) Type confusion in WebRTC – (CVE-2018-6157)

o) UI spoof in Extensions – (CVE-2018-6178)

p) URL spoof in Chrome on iOS – (CVE-2018-6160)

q) URL spoof in Omnibox – (CVE-2018-6163)

r) Use after free in Blink – (CVE-2018-6158)

s) Use after free in WebBluetooth – (CVE-2018-6171)

t) Use after free in WebRTC – (CVE-2018-6155)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions or cause denial-of-service conditions.

Further information on these vulnerabilities and how they can be mitigated can be found on the Google Chrome Website at https://chromereleases.googleblog.com/2018/07/stable-channel-update-for-desktop.html