SB2013052201 - Multiple vulnerabilities in Techland Chrome

Security Bulletin ID SB2013052201

Severity

High

Patch available

YES

Number of vulnerabilities 12

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 12 secuirty vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2013-2840)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing unknown vectors, a different vulnerability than CVE-2013-2846. A remote attackers can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

2) Use-after-free (CVE-ID: CVE-2013-2841)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing vectors related to the handling of Pepper resources. A remote attackers can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

3) Use-after-free (CVE-ID: CVE-2013-2843)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing vectors related to the handling of speech data. A remote attackers can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

4) Use-after-free (CVE-ID: CVE-2013-2844)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing vectors related to style resolution. A remote attackers can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

5) Buffer overflow (CVE-ID: CVE-2013-2845)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The Web Audio implementation in Google Chrome before 27.0.1453.93 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

6) Use-after-free (CVE-ID: CVE-2013-2846)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing unknown vectors, a different vulnerability than CVE-2013-2840. A remote attackers can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

7) Use-after-free (CVE-ID: CVE-2013-2847)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing unknown vectors. A remote attackers can cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

8) Cross-site scripting (CVE-ID: CVE-2013-2848)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via unspecified vectors. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

9) Cross-site scripting (CVE-ID: CVE-2013-2849)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via vectors involving a (1) drag-and-drop or (2) copy-and-paste operation. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

10) Input validation error (CVE-ID: CVE-2013-2836)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple unspecified vulnerabilities in Google Chrome before 27.0.1453.93 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

11) Use-after-free (CVE-ID: CVE-2013-2837)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing unknown vectors. A remote attackers can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

12) Resource management error (CVE-ID: CVE-2013-2839)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Google Chrome before 27.0.1453.93 does not properly perform a cast of an unspecified variable during handling of clipboard data, which allows remote attackers to cause a denial of service or possibly have other impact via unknown vectors.

Remediation

Install update from vendor's website.

SB2013052201 - Multiple vulnerabilities in Techland Chrome

Breakdown by Severity

Description

Remediation

References