KLA10764 Multiple vulnerabilities in Google Chrome

Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions and obtain sensitive information.

Below is a complete list of vulnerabilities

1. Lack of URL’s restrictions at Blink can be exploited remotely via Content Security Policy (CSP) violation reports manipulations to obtain sensitive information;
2. An improper wrappers detection at Blink can be exploited remotely via a specially designed JavaScript to cause denial of service or conduct other unknown impact;
3. Multiple unspecified vulnerabilities at V8 can be exploited to cause denial of service or conduct other unknown impact;
4. Multiple unknown vulnerabilities can be exploited to cause denial of service or conduct other unknown impact;
5. Use-after-free vulnerability can be exploited remotely via image downloading manipulations to cause denial of service or conduct other unknown impact;
6. Lack of installation restrictions at Web Store can be exploited remotely via a specially designed web site to spoof user interface;
7. Use-after-free vulnerability at WebRTC can be exploited remotely via a specially designed API manipulations to cause denial of service or conduct other unknown impact;
8. Lack of Web APIs restrictions at Extensions can be exploited remotely via a specially designed platform app to bypass restrictions;
9. Improper calculations handling at Skia can be exploited remotely via a specially designed web site to obtain sensitive information;
10. Lack of integrity-check restrictions can be exploited remotely via resource loading manipulations to bypass security restrictions;
11. An improper objects lifetime handling can be exploited remotely to cause denial of service or conduct other unknown impacts;
12. Use-after-free vulnerability at Blink can be exploited remotely vi a specially designed web site or another unknown vectors to cause denial of service or conduct other unknown impact;
13. An improper properties handling at Extensions can be exploited remotely via a specially designed JavaScript to bypass security restrictions;
14. An improper messages handling at Pepper can be exploited remotely via a specially designed web site to bypass security restrictions;
15. An improper widget updates handling can be exploited remotely via a specially designed website to bypass security restrictions.

Technical details

Vulnerability (1) caused by CSP implementation which does not ignore URL’s path during ServiceWorker fetch. Success exploitation of this vulnerability can lead to disclosure of information about visited web pages by reading CSP violation reports. This vulnerability related to FrameFetchContext.cpp and ResourceFetcher.cpp

Vulnerability (2) caused by lack of detection whether anonymous block wrapper exists or not. This vulnerability related to WebKit/Source/core/layout/LayoutBlock.cpp

Vulnerability (5) can be exploited via an image download after a certain data structure is deleted. This vulnerability related to content/browser/web_contents/web_contents_impl.cc

Vulnerability (6) caused by Web Store inline installer implementation in Extensions UI which does not block installations upon deletion of an installation frame. Exploitation of this vulnerability can lead lead user to believing that installation request originated by next navigation target.

Vulnerability (7) related to browser/extensions/api/webrtc_audio_private/webrtc_audio_private_api.cc and can be exploited via leveraging incorrect reliance on the resource context pointer.

Vulnerability (8) related to extensions/renderer/resources/platform_app.js

Vulnerability (9) caused by mishandling of asctangent calculations and related to SkATan2_255 function in effects/gradients/SkSweepGradient.cpp

Vulnerability (10) caused by checking memory-cache information about integrity-check occurrences instead of integrity-check successes, and can be can be exploited via two loads of the same resource. Successful exploitation of this vulnerability can lead to bypass of Subresource Integrity protection. This vulnerability related to PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp

Vulnerability (11) caused by improper considering objects lifetimes and re-entrancy during OnDocumentElementCreated handling. This vulnerability related to extensions/renderer/render_frame_observer_natives.cc

Vulnerability (12) related to StyleResolver::appendCSSStyleSheet function in WebKit/Source/core/css/resolver/StyleResolver.cpp and can be exploited via triggering Cascade Style Sheets invalidation during certain subtree-removal action.

Vulnerability (13) can be exploited by JavaScript code which triggers an incorrect cast. This vulnerability related to extensions/renderer/v8_helpers.h and gin/converter.h

Vulnerability (14) caused by mishandle of nested message loops and related to PPB_Flash_MessageLoop_Impl::InternalRun function in content/renderer/pepper/ppb_flash_message_loop_impl.cc. Exploitation of this vulnerability can lead to Same Origin Policy Bypass.

Vulnerability (15) caused by mishandle of widget updates and caused by ContainerNode::parserRemoveChild function in WebKit/Source/core/dom/ContainerNode.cpp. Exploitation of this vulnerability can lead to Same Origin Bypass.

Original advisories

Google Chrome releases blog

Related products

Google-Chrome

CVE list

CVE-2016-1632 high

CVE-2016-1633 critical

CVE-2016-1638 high

CVE-2016-1639 critical

CVE-2016-1640 warning

CVE-2016-1641 critical

CVE-2016-1634 critical

CVE-2016-1635 critical

CVE-2016-1636 critical

CVE-2016-1637 warning

CVE-2016-1631 high

CVE-2016-1642 critical

CVE-2016-2843 critical

CVE-2016-1630 high

CVE-2016-2844 critical

CVE-2016-2845 warning

Solution

Update to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk.

Get Chrome

Impacts

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Google Chrome versions earlier than 49.0.2623.75 (All branches)