Kaspersky LabKLA10962KLA10962 Multiple vulnerabilities in Google Chrome
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.1 Medium
AI Score
Confidence
High
0.01 Low
EPSS
Percentile
84.0%
Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to spoof user interface and cause a denial of service,bypass security restrictions.
Below is a complete list of vulnerabilities:
- Inability to prevent alerts from being displayed by swapped out frames can be exploited remotely via a specially designed HTML page to show alerts on a page attackers donβt control and spoof user interface;
- Heap corruption vulnerabilities in FFmpeg can be exploited remotely via a specially designed video file possibly to cause a denial of service;
- Type confusion vulnerability in Histogram can be exploited remotely via a specially designed HTML page possibly to cause a denial of service;
- Improper enforcing of unsafe-inline content security policy in Blink can be exploited remotely via a specially designed HTML page to bypass content security policy.
Technical details
Vulnerability (2) occurs because of incorrect bounds checking.
In case of exploiting vulnerability (3), a near null dereference causes a denial of service.
Original advisories
Stable Channel Update for Desktop
Related products
CVE list
CVE-2017-5022 warning
CVE-2017-5023 warning
CVE-2017-5024 warning
CVE-2017-5025 warning
CVE-2017-5026 warning
CVE-2017-5027 warning
Solution
Update to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk.
Impacts
- DoS
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
- SB
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
- SUI
Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.
Affected Products
- Google Chrome earlier thanΒ 56.0.2924.76Β (All branches)
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.1 Medium
AI Score
Confidence
High
0.01 Low
EPSS
Percentile
84.0%