Google Chrome < 55.0.2883.75 Multiple Vulnerabilities (macOS)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

A web browser installed on the remote macOS or Mac OS X host is
affected by multiple vulnerabilities.

Description :

The version of Google Chrome installed on the remote macOS or Mac OS X
host is prior to 55.0.2883.75. It is, therefore, affected by the
following vulnerabilities :

- A use-after-free error exists in PDFium in the
Document::removeField() function within file
fpdfsdk/javascript/Document.cpp when removing fields
within a document. An unauthenticated, remote attacker
can exploit this to dereference already freed memory,
resulting in the execution of arbitrary code.
(CVE-2016-5203)

- A universal cross-site scripting (XSS) vulnerability
exists in Blink due to improper handling of the 'use'
SVG element when calling event listeners on a cloned
node. An unauthenticated, remote attacker can exploit
this to execute arbitrary script code in a user's
browser session. (CVE-2016-5204)

- A universal cross-site scripting (XSS) vulnerability
exists in Blink due to permitting frame swaps during
frame detach. An unauthenticated, remote attacker can
exploit this to execute arbitrary script code in a
user's browser session. (CVE-2016-5205)

- A security bypass vulnerability exists in PDFium due to
a flaw in the DocumentLoader::GetRequest() function
within file pdf/document_loader.cc when handling
redirects in the plugin. An unauthenticated, remote
attacker can exploit this to bypass the same-origin
policy. (CVE-2016-5206)

- A universal cross-site scripting (XSS) vulnerability
exists in Blink, specifically in the
V8EventListener::getListenerFunction() function within
file bindings/core/v8/V8EventListener.cpp, due to
allowing the 'handleEvent' getter to run on forbidden
scripts. An unauthenticated, remote attacker can exploit
this to execute arbitrary script code in a user's
browser session. (CVE-2016-5207)

- A universal cross-site scripting (XSS) vulnerability
exists in Blink due to improper handling of triggered
events (e.g., closing a color chooser for an input
element). An unauthenticated, remote attacker can
exploit this to execute arbitrary script code in a
user's browser session. (CVE-2016-5208)

- An out-of-bounds write error exists in Blink due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2016-5209)

- An out-of-bounds write error exists in PDFium in the
CWeightTable::GetPixelWeightSize() function within file
core/fxge/dib/fx_dib_engine.cpp. An unauthenticated,
remote attacker can exploit this to corrupt memory,
resulting in a denial of service condition or the
execution of arbitrary code. (CVE-2016-5210)

- An unspecified use-after-free error exists in PDFium due
to improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
corrupt memory, resulting in a denial of service
condition or the execution of arbitrary code.
(CVE-2016-5211)

- An unspecified flaw exists in the DevTools component due
to improper validation of certain URLs that allows an
unauthenticated, remote attacker to disclose the content
of arbitrary files. (CVE-2016-5212)

- Multiple use-after-free errors exist in the inspector
component in V8 that allow an unauthenticated, remote
attacker to execute arbitrary code. (CVE-2016-5213,
CVE-2016-5219)

- A file download protection bypass vulnerability exists
when downloading files that involve 'data:' URIs,
unknown URI schemes, or overly long URLs. An
unauthenticated, remote attacker can exploit this to
cause a file to be downloaded without applying the
mark-of-the-web. (CVE-2016-5214)

- A use-after-free error exists in WebAudio within file
content/renderer/media/renderer_webaudiodevice_impl.cc
due to improper handling of web audio. An
unauthenticated, remote attacker can exploit this to
dereference already freed memory, resulting in the
execution of arbitrary code. (CVE-2016-5215)

- A use-after-free error exists in PDFium, specifically
within file pdf/pdfium/pdfium_engine.cc, due to improper
handling of non-visible page unloading. An
unauthenticated, remote attacker can exploit this to
dereference already freed memory, resulting in the
execution of arbitrary code. (CVE-2016-5216)

- A flaw exists in PDFium due to the use of unvalidated
data by the PDF helper extension. An authenticated,
remote attacker can exploit this to have an unspecified
impact. No other details are available. (CVE-2016-5217)

- A flaw exists when handling chrome.tabs API navigations
and displaying the pending URL. An unauthenticated,
remote attacker can exploit this to spoof the Omnibox
address. (CVE-2016-5218)

- An information disclosure vulnerability exists in
PDFium, due to improper handling of 'file: navigation',
that allows an unauthenticated, remote attacker to
disclose local files. (CVE-2016-5220)

- An integer overflow condition exists in ANGLE due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
have an unspecified impact. (CVE-2016-5221)

- A flaw exists in the NavigatorImpl::NavigateToEntry()
function within file frame_host/navigator_impl.cc due to
improper handling of invalid URLs. An unauthenticated,
remote attacker can exploit this to spoof the Omnibox
address. (CVE-2016-5222)

- An integer overflow condition exists in PDFium within
file core/fpdfapi/page/cpdf_page.cpp that allows an
authenticated, remote attacker to have an unspecified
impact. No other details are available. (CVE-2016-5223)

- A security bypass vulnerability exists in the SVG
component due to denorm handling not being disabled
before calling Skia filter code. An unauthenticated,
remote attacker can exploit this to bypass the
same-origin policy. (CVE-2016-5224)

- A flaw exists in Blink, specifically in the
HTMLFormElement::scheduleFormSubmission() function
within file html/HTMLFormElement.cpp, due to improper
enforcement of the form-action CSP (Content Security
Policy). An unauthenticated, remote attacker can exploit
this to bypass intended access restrictions.
(CVE-2016-5225)

- A cross-site scripting (XSS) vulnerability exists in
Blink within file ui/views/tabs/tab_strip.cc due to
improper validation of input when dropping JavaScript
URLs on a tab. An unauthenticated, remote attacker can
exploit this to execute arbitrary script code in a
user's browser session. (CVE-2016-5226)

- An unspecified flaw exists that allows an
unauthenticated, remote attacker to disclose Content
Security Policy (CSP) referrers. (CVE-2016-9650)

- An unspecified flaw exists in V8 within lookup.cc that
allows unauthorized private property access. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2016-9651)

- Multiple other vulnerabilities exist, the most serious
of which can be exploited by an authenticated, remote
attacker to execute arbitrary code. (CVE-2016-9652)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
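The version-only check described above, written out as an added example (not Tenable's plugin code): it reads the self-reported CFBundleShortVersionString from a constructed Info.plist and compares it numerically against the fixed version 55.0.2883.75. The plist content and the path in the comment are assumptions for illustration.

```python
import plistlib

# Fixed version from the advisory: Chrome 55.0.2883.75 (macOS).
FIXED_VERSION = "55.0.2883.75"

def parse_version(version):
    """Split a dotted version into a tuple of ints so the comparison is
    numeric; a plain string compare would rank '9.0' above '55.0'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed one.
    Shorter tuples are zero-padded so '55.0' compares as '55.0.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def chrome_version_from_plist(plist_bytes):
    """Read the self-reported version from an app bundle's Info.plist.
    On a real host this would be read from (assumed path)
    /Applications/Google Chrome.app/Contents/Info.plist."""
    info = plistlib.loads(plist_bytes)
    return info["CFBundleShortVersionString"]

# Constructed sample Info.plist reporting a version below the fix.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CFBundleName</key><string>Google Chrome</string>
<key>CFBundleShortVersionString</key><string>54.0.2840.98</string>
</dict></plist>
"""

def check_sample():
    """Return (version, vulnerable) for the constructed sample plist."""
    version = chrome_version_from_plist(SAMPLE_PLIST)
    return version, is_vulnerable(version)

if __name__ == "__main__":
    version, vulnerable = check_sample()
    print(f"installed {version}: {'VULNERABLE' if vulnerable else 'not affected'}")
```

Because the check trusts the version string the application reports, a backported or mislabelled build would be classified by its label alone, which is the limitation the note above describes.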

See also :

http://www.nessus.org/u?bfe6e9a5

Solution :

Upgrade to Google Chrome version 55.0.2883.75 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true