Google Chrome < 52.0.2743.82 Multiple Vulnerabilites

Critical Nessus Network Monitor Plugin ID 9480

Synopsis

The remote host is utilizing a web browser that is affected by multiple vulnerabilities.

Description

The version of Google Chrome installed on the remote host is prior to 52.0.2743.82, and is affected by multiple vulnerabilities :

- An out-of-bounds read flaw in the 'xmlParseEndTag2()' function in 'parser.c' is triggered when parsing an end tag. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An out-of-bounds read flaw in the 'xmlNextChar()' function in 'parserInternals.c' is triggered when parsing characters in an XML file. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An overflow condition in the 'htmlParseName()' and 'htmlParseNameComplex()' functions of 'HTMLparser.c' is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
- An integer overflow condition in the 'xmlParse3986Port()' function in 'uri.c' is triggered as user-supplied input is not properly validated when handling port numbers in the URL. This may allow a context-dependent attacker to have an unspecified impact.
- An out-of-bounds under-read flaw in the 'xmlParseConditionalSections()' and 'xmlParseElementDecl()' functions in 'parser.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A format string flaw in multiple functionalities is triggered as string format specifiers (e.g. %s and %x) are not properly used. This may allow a context-dependent attacker to potentially execute arbitrary code or cause a denial of service in a process linked against the library.
- An out-of-bounds read flaw in the 'PairPosFormat1::sanitize()' function 'in hb-ot-layout-gpos-table.hh' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A flaw in 'PPAPI' is triggered when handling certain messages not sent by the browser in the plugin broker process. This may allow a context-dependent attacker to bypass the sandbox.
- A flaw in 'web/web_state/ui/crw_web_controller.mm' is triggered when handling invalid URLs. This may allow a context-dependent attacker to conduct URL spoofing attacks.
- A use-after-free error related to extensions may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An array indexing error in the 'ByteArray::Get()' function in 'data/byte_array.cc' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
- A flaw in 'web/ChromeClientImpl.cpp' is triggered when handling creation of new windows by deferred frames. This may allow a context-dependent attacker to bypass the same-origin policy.
- A flaw in 'core/loader/FrameLoader.

Solution

Update the Chrome browser to 52.0.2743.82 or later.

See Also

http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html

https://codereview.chromium.org/2010803004

Plugin Details

Severity: Critical

ID: 9480

Family: Web Clients

Published: 2016/08/12

Updated: 2019/03/06

Nessus ID: 92629

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 9.8

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2016/05/23

Vulnerability Publication Date: 2016/05/23

Reference Information

CVE: CVE-2015-8947

BID: 92039