KLA10703 Multiple vulnerabilities in Google Chrome

Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, spoof user interface, bypass security restrictions or execute arbitrary code.

Below is a complete list of vulnerabilities

1. Improper array elements handling at Google V8 can be exploited remotely via a specially designed JavaScript code to cause denial of service;
2. Use-after-free vulnerabilities can be exploited remotely via a AppCache manipulations to cause denial of service;
3. An unknown vulnerability at DOM can be exploited remotely to bypass Same Origin Policy;
4. Improper proxy handling at WebKit can be exploited remotely via window proxy manipulations to bypass Same Origin Policy;
5. Lack of URL restrictions at Blink can be exploited remotely via a specially designed JavaScript to bypass Same Origin Policy;
6. Improper graphics handling in Skia can be exploited remotely via a specially designed graphics data to cause denial of service;
7. Use-after-free vulnerability at Extensions can be exploited remotely via a specially designed JavaScript to cause denial of service;
8. Improper signatures handling at PDFium can be exploited remotely via vectors related to type confusion to cause denial of service;
9. Improper JPEG at PDFium handling can be exploited remotely via a specially designed JPEG 2000 data to cause denial of service;
10. Use-after-free at DOM can be exploited remotely via DOM manipulations to cause denial of service;
11. An unknown vulnerability at PDFium can be exploited remotely via a specially design PDF document to cause denial of service;
12. Lack of chrome: URLs restrictions at PDFium can be exploited remotely via a specially designed PDF document to bypass security restrictions;
13. Use-after-free vulnerability at Infobars can be exploited remotely via a specially designed web site to cause denial of service;
14. Integer overflow at Google sfntly can be exploited remotely via a specially designed SFNT container to cause denial of service;
15. Improper modal-dialog handling at WebKit can be exploited remotely via a specially designed web site to spoof Omnibox content;
16. Improper ZIP implementation at Crazy Linker can be exploited remotely via a specially design ZIP archive too bypass signature validation restrictions; (Android)
17. Improper URLs handling at page serializer can be exploited remotely via a specially designed URL to inject arbitrary HTML;
18. Improper hostnames matching implementation at Content Security Policy can be exploited remotely via policy manipulations;
19. An unknown vulnerabilities can be exploited remotely to cause denial of service;
20. Use-after-free vulnerability can be exploited remotely via audio device manipulations to cause denial of service;
21. Improper memory handling can be exploited remotely via a VideoFrames manipulations to cause denial of service

Technical details

Vulnerability (1) related to BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier which improperly loads array elements. Also same vulnerability merged to (1) caused by js/array.js improperly implements map and filter arrays operations. Exploitation of (1) can lead to out-of-bounds memory access.

There are three vulnerabilities merged into (2) related to content/browser/appcache/appcache_update_job.cc, content/browser/appcache/appcache_dispatcher_host.cc and other unknown places in AppCache. This vulnerability can be exploited via leveraging mishandling of AppCache update jobs, incorrect jobs behavior associated with duplicate cache selection or incorrect pointer maintenance associated with certain callbacks.

Vulnerability (4) related to provisional-load commit implementation in WebKit/Source/bindings/core/v8/WindowProxy.cpp and can be triggered via leveraging delay in window proxy cleaning.

Vulnerability (5) caused by DOM implementation which doesn’t prevend javascript: URL navigation while docunment is detached. This vulnerability can be exploited via JS code improperly interacts with a plugin.

Vulnerability (6) caused by convolution implementation which improper constrains row lengths.

Vulnerability (7) related to GetLoadTimes function in renderer/loadtimes_extension_bindings.cc and can be triggered via JS code modifying pointer used fir reporting loadTimes data.

Vulnerability (8) related to fpdfsdk/src/jsapi/fxjs_v8.cpp which doesn’t use signatures.

Vulnerability (9) related to opj_dwt_decode_1* functions in dwt.c in OpenJPEG and can be triggered via data that’s mishandling during discrete wavelet transform.

Vulnerability (10) related to ContainerNode::notifyNodeInsertedInternal function in WebKit/Source/core/dom/ContainerNode.cpp and can be triggered via DOMCharacterDataModified events for certain detached-subtree insertions.

Vulnerability (11) related to CJBig2_SymbolDict class in fxcodec/jbig2/JBig2_SymbolDict.cpp and can be triggered via JBIG2 compressed data.

Vulnerability (13) related to browser/ui/views/website_settings/website_settings_popup_view.cc.

Vulnerability (14) related to FontData::Bound function in data/font_data.cc and can be triggered via offset or kength values within font data in the container.

Vulnerability (15) related to Document::open function in WebKit/Source/core/dom/Document.cpp shich doesn’t ensure that page-dismissal event handling is compatible with modal-dialog blocking.

Vulnerability (16) FindStartOffsetOfFileInZipFile function in crazy_linker_zip.cpp in Android 5.x and 6.x which improperly search EOCD record.

Vulnerability (17) caused by mishandling Mark of the Web comments for URLs containing “–” sequence.

Vulnerability (18) caused by CSPSource::hostMatches and CSPSourceList::matches dunctions at WebKit/Source/core/frame/csp/CSPSource.cpp and CSPSourceList.cpp respectively which accepts an x.y hostname as a match for a *.x.y pattern () for first of merged vulnerabilities and accepts a blob:, data:, or filesystem: URL as a match for a * pattern for second.

Vulnerability (20) related to AudioOutputDevice::OnDeviceAuthorized function in media/audio/audio_output_device.cc and can be triggered via access to an unauthorized audio output devices.

Vulnerability (21) related to VideoFramePool::PoolImpl::CreateFrame function in media/base/video_frame_pool.cc which does not initialize memory for video-frame data. This vulnerability can be triggered via leveraging improper interaction with the vp3_h_loop_filter_c function in libavcodec/vp3dsp.c in FFmpeg

Original advisories

Google releases blog entry

Exploitation

Public exploits exist for this vulnerability.

Related products

Google-Chrome

CVE list

CVE-2015-6765 critical

CVE-2015-6766 critical

CVE-2015-6767 critical

CVE-2015-6768 critical

CVE-2015-6769 critical

CVE-2015-6770 critical

CVE-2015-6771 critical

CVE-2015-6772 critical

CVE-2015-6773 critical

CVE-2015-6774 critical

CVE-2015-6787 critical

CVE-2015-6785 warning

CVE-2015-6786 warning

CVE-2015-8480 critical

CVE-2015-8478 critical

CVE-2015-8479 critical

CVE-2015-6778 critical

CVE-2015-6777 critical

CVE-2015-6776 high

CVE-2015-6775 critical

CVE-2015-6782 warning

CVE-2015-6781 critical

CVE-2015-6780 high

CVE-2015-6779 warning

CVE-2015-6784 warning

CVE-2015-6783 warning

CVE-2015-6764 critical

Solution

Update to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk.

Get Chrome

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• XSS/CSS

Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Google Chrome versions earlier than 47.0.2526.73 (all branches)