Google Chrome < 56.0.2924.76 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A web browser installed on the remote Windows host is affected by
multiple vulnerabilities.

Description :

The version of Google Chrome installed on the remote Windows host is
prior to 56.0.2924.76. It is, therefore, affected by the following
vulnerabilities :

- A cross-site scripting (XSS) vulnerability exists in the
Document::shutdown() function in dom/Document.cpp due to
a failure to clear the owner's widget for a frame. An
unauthenticated, remote attacker can exploit this, via a
specially crafted request, to execute arbitrary script
code in a user's browser session. (CVE-2017-5006)

- A cross-site scripting (XSS) vulnerability exists in the
Document::shutdown() function in dom/Document.cpp due to
a failure to properly suspend pages that are closing,
but not yet fully closed. An unauthenticated, remote
attacker can exploit this, via a specially crafted
request, to execute arbitrary script code in a user's
browser session. (CVE-2017-5007)

- A cross-site scripting (XSS) vulnerability exists in the
compileAndRunPrivateScript() function in
PrivateScriptRunner.cpp due to a failure to properly
protect private scripts. An unauthenticated, remote
attacker can exploit this, via a specially crafted
request, to execute arbitrary script code in a user's
browser session. (CVE-2017-5008)

- An out-of-bounds read error exists in the
UsingFlexibleMode() function in decoding_state.cc due to
improper handling of frames marked as using flexible
mode. An unauthenticated, remote attacker can exploit
this to execute arbitrary code. (CVE-2017-5009)

- A cross-site scripting (XSS) vulnerability exists in
css/FontFace.cpp due to improper handling of FontFace
objects. An unauthenticated, remote attacker can exploit
this, via a specially crafted request, to execute
arbitrary script code in a user's browser session.
(CVE-2017-5010)

- An information disclosure vulnerability exists in the
Devtools component due to improper front-end URL
handling. An unauthenticated, remote attacker can
exploit this to disclose arbitrary files.
(CVE-2017-5011)

- A heap buffer overflow condition exists in Google V8 in
the SetupAllocatingData() function in objects.h that
occurs when failing to allocate array buffer contents.
An unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2017-5012)

- A flaw exists in the ShouldFocusLocationBarByDefault()
function in ui/browser.cc that is triggered when
handling NTP navigations in non-selected tabs. An
unauthenticated, remote attacker can exploit this to
spoof the address. (CVE-2017-5013)

- A heap buffer overflow condition exists in Google Skia
due to improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2017-5014)

- An unspecified flaw exists in Omnibox that allows an
unauthenticated, remote attacker to spoof the address.
(CVE-2017-5015)

- A flaw exists in the updateVisibleValidationMessage()
function in html/HTMLFormControlElement.cpp related to
the form validation bubble being displayed for invisible
pages. An unauthenticated, remote attacker can exploit
this to spoof the UI. (CVE-2017-5016)

- An uninitialized memory access flaw exists in the webm
video processing implementation that allows an
unauthenticated, remote attacker to have an unspecified
impact. (CVE-2017-5017)

- A cross-site scripting (XSS) vulnerability exists in the
App Launcher component due to a failure to properly
validate parameters. An unauthenticated, remote attacker
can exploit this, via a specially crafted request, to
execute arbitrary script code in a user's browser
session. (CVE-2017-5018)

- A use-after-free error exists in the OnBeforeUnload()
function in render_frame_impl.cc. An unauthenticated,
remote attacker can exploit this to execute arbitrary
code. (CVE-2017-5019)

- A cross-site scripting (XSS) vulnerability exists in
Blink due to a failure to properly validate input
related to chrome://downloads. An unauthenticated,
remote attacker can exploit this, via a specially
crafted request, to execute arbitrary script code in a
user's browser session. (CVE-2017-5020)

- A use-after-free error exists in the Extensions
component. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2017-5021)

- A security bypass vulnerability exists in
frame/csp/ContentSecurityPolicy.cpp that allows an
unauthenticated, remote attacker to bypass the content
security policy (CSP). (CVE-2017-5022)

- A type confusion flaw exists in the histogram collector
feature that is triggered when handling serialized
histograms. An unauthenticated, remote attacker can
exploit this to crash the browser, resulting in a denial
of service condition. (CVE-2017-5023)

- A heap buffer overflow condition exists in FFmpeg in the
mov_read_uuid() function in libavformat/mov.c due to
improper handling of overly long UUIDs. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-5024)

- A heap buffer overflow condition exists in FFmpeg in the
mov_read_hdlr() function in libavformat/mov.c due to
improper validation of user-supplied input when handling
titles. An unauthenticated, remote attacker can exploit
this to execute arbitrary code. (CVE-2017-5025)

- An unspecified flaw exists that allows an
unauthenticated, remote attacker to spoof the UI.
(CVE-2017-5026)

- An unspecified flaw exists in Blink that allows an
unauthenticated, remote attacker to bypass the content
security policy. (CVE-2017-5027)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?fcdefa5b

Solution :

Upgrade to Google Chrome version 56.0.2924.76 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true