Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Google Chrome < 60.0.3112.78 Multiple Vulnerabilities

High

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 60.0.3112.78, and is affected by multiple vulnerabilities :

- A use-after-free error exists in IndexedDB due to improper handling of cursors during transactions. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-5091) - A use-after-free error exists in the PPAPI component that allows unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5092) - An unspecified flaw exists in Blink that is triggered when displaying JavaScript alerts in fullscreen mode. An unauthenticated, remote attacker can exploit this to spoof components in the user interface. (CVE-2017-5093) - A type confusion error exists in the 'Extensions Bindings' component that is triggered when passing event filters. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-5094) - An overflow condition exists in PDFium due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5095) - An unspecified flaw exists related to 'Android intents' that allows an unauthenticated, remote attacker to disclose sensitive user information. (CVE-2017-5096) - An out-of-bounds read error exists in Skia due to improper handling of verb arrays. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5097) - A use-after-free error exists in Google V8 that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5098) - An out-of-bounds write error exists in the PPAPI component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5099) - A use-after-free error exists in the 'Chrome Apps' component that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2017-5100) - Multiple unspecified flaws exist in the OmniBox component that allow an unauthenticated, remote attacker to spoof URLs in the address bar. (CVE-2017-5101, CVE-2017-5105) - Multiple uninitialized memory use flaws exist in Skia that allow an unauthenticated, remote attacker to have an unspecified impact. (CVE-2017-5102, CVE-2017-5103) - Multiple unspecified flaws exist that allow an unauthenticated, remote attacker to spoof components in the user interface. (CVE-2017-5104, CVE-2017-5109) - A flaw exists in OmniBox that is triggered as domain names containing arbitrary Cyrillic letters are rendered in the address bar. An unauthenticated, remote attacker can exploit this, via a specially crafted domain name, to spoof the URL in the address bar. (CVE-2017-5106) - A flaw exists in the SVG filters component due to improper handling of floating point multiplication. An unauthenticated, remote attacker can exploit this, via a timing attack, to extract sensitive user information. (CVE-2017-5107) - A type confusion error exists in Google V8 that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2017-5108) - An unspecified flaw exists in the Payments dialog that allows an unauthenticated, remote attacker to spoof components in the user interface. (CVE-2017-5110) - A type confusion error exists in SQLite due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-7000)

Solution

Update the Chrome browser to 60.0.3112.78 or later.