Google Chrome < 57.0.2987.98 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9991

Synopsis

The remote host is running a web browser that is affected by multiple vulnerabilities.

Description

The version of Google Chrome installed on the remote host is prior to 57.0.2987.98 and is affected by multiple vulnerabilities:

- An unspecified flaw exists that may allow a context-dependent attacker to have an unspecified, high severity impact. No further details have been provided by the vendor. (OSVDB 153329)
- Integer overflow conditions exist in the 'TrackFragmentRun::Parse()' function in 'media/formats/mp4/box_definitions.cc' that are triggered when parsing track fragments in MP4 content. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 153332)
- A use-after-free condition exists that is triggered as GuestView objects inherit the prototypes from the global JS object. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 153334)
- A use-after-free error exists in 'guest_view_internal_custom_bindings.cc' that is triggered when handling the GuestViewContainer pointer during a GuestView attach operation. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 153335)
- An unspecified flaw exists in the XSS auditor that may allow a context-dependent attacker to disclose information. No further details have been provided by the vendor. (OSVDB 153336)
- A flaw exists in the 'Document::initContentSecurityPolicy()' function in 'dom/Document.cpp' that is triggered as local schemes do not inherit the content security policy when using e.g. 'window.open()'. This may allow a context-dependent attacker to bypass the content security policy. (OSVDB 153337)
- A flaw exists in 'bindings/templates/interface_base.cpp.tmpl' that is triggered when handling author scripts interacting with 'Symbol.toPrimitive' properties of Location objects. This may allow a context-dependent attacker to disclose information. (OSVDB 153340)
- A flaw exists in the Omnibox address bar that may allow a context-dependent attacker to spoof an address. No further details have been provided by the vendor. (OSVDB 153341)
- An unspecified flaw exists in the Cast feature that is triggered when handling cookies. This may allow a context-dependent attacker to have an unspecified impact. (OSVDB 153342)
- A flaw exists in the 'SVGInlineTextBoxPainter::shouldPaintSelection()' function in 'paint/SVGInlineTextBoxPainter.cpp' that is triggered when painting selections and rendering a mask, clip-path, pattern, or feImage. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 153343)
- A flaw exists that is triggered as wrapper objects are shared across window contexts when handling InputDeviceCapabilities objects. This may allow a context-dependent attacker to have an unspecified impact. (OSVDB 153344)
- A flaw exists in the 'DOMWindow' class in 'frame/DOMWindow.cpp' that is triggered as wrappers for external APIs are shared between window contexts. This may allow a context-dependent attacker to have an unspecified impact. (OSVDB 153345)
- A use-after-free condition exists in the handling of ShaderDiskCache entries in 'gpu/ipc/host/shader_disk_cache.cc' that is triggered when deleting an entry before the backend has finished opening the entry. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 153346)
- A flaw exists in 'layout/FloatingObjects.cpp' that is triggered when handling the 'shouldPaint' property in the 'FloatingObject' class. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 153347)
- A flaw exists in a 'TraceInCollectionTrait' class template in 'TraceTraits.h' that is triggered when handling container sizes during HeapVectorBacking tracing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 153348)
- A flaw exists in the 'NavigationControllerImpl::RendererDidNavigateToExistingPage()' function in 'navigation_controller_impl.cc' that is triggered when handling data from the renderer process. This may allow a context-dependent attacker to have an unspecified impact on the security UI. (OSVDB 153349)
- A race condition exists that is triggered as the 'PlayStateUpdateScope' destructor resolves promises synchronously inside a forbidden scope. This may allow a context-dependent attacker to execute script code in a forbidden scope. (OSVDB 153350)
- A flaw exists that is triggered when handling 'childBrowsingContexts' upon named window access. This may allow a context-dependent attacker to have an unspecified impact on the same-origin restriction. (OSVDB 153353)
- A flaw exists related to the sandbox Content Security Policy that is triggered when web content is being loaded. This may allow a context-dependent attacker to have an unspecified impact. (OSVDB 153354)
- A flaw exists in the handling of timeout limits for foreign fetch events that are triggered by another service worker. This may allow a context-dependent attacker to have an unspecified impact. (OSVDB 153386)

Solution

Update the Chrome browser to 57.0.2987.98 or later.
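The remediation check this plugin implies, written here as an added example and not Tenable's plugin code: compare an installed Chrome build against the fixed release numerically, component by component, because a plain string comparison sorts "57.0.2987.133" before "57.0.2987.98" and would misreport a patched host. The hostnames and versions in the sample inventory are constructed for the example.

```python
from typing import Dict, Tuple

# Fixed release named in the advisory's Solution section.
FIXED_VERSION = "57.0.2987.98"

def parse_chrome_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a dotted Chrome version (MAJOR.MINOR.BUILD.PATCH) into ints.

    Comparing the raw strings is a classic detection bug: as strings,
    "57.0.2987.133" sorts before "57.0.2987.98" although it is the newer
    build, so a lexicographic check would flag a patched host as affected.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))          # pad "57.0" to 57.0.0.0
    return nums[0], nums[1], nums[2], nums[3]

def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_chrome_version(installed) < parse_chrome_version(fixed)

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'patched' or 'unknown' (unparsable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "ws-01": "56.0.2924.87",     # older release: affected
    "ws-02": "57.0.2987.98",     # exactly the fixed release: patched
    "ws-03": "57.0.2987.133",    # later patch level; a string compare gets this wrong
    "ws-04": "58.0.3029.81",     # later major release: patched
    "ws-05": "unknown",          # agent could not read the version
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {state}")
```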

See Also

https://chromium.googlesource.com/chromium/src/+/90824416d3eeae5ec6013b250123df65e9d48032

Plugin Details

Severity: Critical

ID: 9991

File Name: 9991.prm

Family: Web Clients

Published: 2017/03/10

Modified: 2017/03/21

Dependencies: 4645

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2017/03/09

Vulnerability Publication Date: 2016/12/22

Reference Information

CVE: CVE-2017-5033, CVE-2017-5035, CVE-2017-5037, CVE-2017-5038, CVE-2017-5041, CVE-2017-5042, CVE-2017-5043, CVE-2017-5045, CVE-2017-5046

BID: 96767

OSVDB: 153329, 153332, 153334, 153335, 153336, 153337, 153340, 153341, 153342, 153343, 153344, 153345, 153346, 153347, 153348, 153349, 153350, 153353, 153354, 153386