Google Chrome < 55.0.2883.75 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9829

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 55.0.2883.75, and is affected by multiple vulnerabilities :

- A flaw exists in the 'TIFFFetchDirectory()' function in 'tif_dirread.c' related to use of uninitialized memory. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- An unspecified out-of-bounds write flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists that allows a universal cross-site scripting (UXSS) attack. This flaw exists because the 'V8EventListener::getListenerFunction()' function in 'bindings/core/v8/V8EventListener.cpp' allows running the 'handleEvent' getter on forbidden script. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website.
- A use-after-free error exists in the 'Document::removeField()' function in 'fpdfsdk/javascript/Document.cpp' that is triggered when handling the removal of fields within a document. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified use-after-free error exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An integer overflow condition exists in 'core/fpdfapi/page/cpdf_page.cpp' that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor.
- A use-after-free error exists in 'pdf/pdfium/pdfium_engine.cc' that is triggered when handling non-visible page unloading. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds write flaw exists in the 'CWeightTable::GetPixelWeightSize()' function in 'core/fxge/dib/fx_dib_engine.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that allows a UXSS attack. This flaw exists because the program permits frame swaps during frame detach. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website.
- A flaw exists in the DevTools component that is triggered as certain URLs are not properly validated. This may allow a context-dependent attacker to disclose the contents of arbitrary files.
- A flaw exists that allows a UXSS attack. The issue is triggered when handling triggered events during e.g. closing a color chooser for an input element. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website.
- A flaw exists that is triggered when handling 'chrome.tabs' API navigations and displaying the pending URL. This may allow a context-dependent attacker to spoof the omnibox address.
- A flaw exists in the 'NavigatorImpl::NavigateToEntry()' function in 'content/browser/frame_host/navigator_impl.cc' that is triggered when handling invalid URLs. This may allow a context-dependent attacker to spoof the omnibox address.
- A flaw exists that allows a UXSS attack. The issue is triggered when handling the 'use' SVG element and calling event listeners on a cloned node. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website.
- A flaw exists that is triggered when downloading files using e.g. data: URIs, unknown URL schemes, and overly long URLs. This may allow a context-dependent attacker to cause a file to be downloaded without the mark-of-the-web applied.
- A flaw exists in the 'HTMLFormElement::scheduleFormSubmission()' function in 'html/HTMLFormElement.

Solution

Update the Chrome browser to 55.0.2883.75 or later.

See Also

https://googlechromereleases.blogspot.com/2016/12/stable-channel-update-for-desktop.html

Plugin Details

Severity: Critical

ID: 9829

Family: Web Clients

Published: 2016/12/16

Updated: 2019/03/06

Nessus ID: 95481

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 9.8

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2016/12/01

Vulnerability Publication Date: 2016/10/09

Reference Information

CVE: CVE-2016-5203

BID: 94633