SB2014031605 - Multiple vulnerabilities in Chrome

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Resource management error (CVE-ID: CVE-2014-1700)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Use-after-free vulnerability in modules/speech/SpeechSynthesis.cpp in Blink, as used in Google Chrome before 33.0.1750.149, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of a certain utterance data structure.

2) Cross-site scripting (CVE-ID: CVE-2014-1701)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via vectors involving events. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Resource management error (CVE-ID: CVE-2014-1702)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Use-after-free vulnerability in the DatabaseThread::cleanupDatabaseThread function in modules/webdatabase/DatabaseThread.cpp in the web database implementation in Blink, as used in Google Chrome before 33.0.1750.149, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of scheduled tasks during shutdown of a thread.

4) Resource management error (CVE-ID: CVE-2014-1703)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Use-after-free vulnerability in the WebSocketDispatcherHost::SendOrDrop function in content/browser/renderer_host/websocket_dispatcher_host.cc in the Web Sockets implementation in Google Chrome before 33.0.1750.149 might allow remote attackers to bypass the sandbox protection mechanism by leveraging an incorrect deletion in a certain failure case.

Remediation

Install update from vendor's website.

References

• http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_11.html
• http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00008.html
• http://security.gentoo.org/glsa/glsa-201408-16.xml
• http://www.debian.org/security/2014/dsa-2883
• http://www.securitytracker.com/id/1029914
• https://code.google.com/p/chromium/issues/detail?id=344881
• https://src.chromium.org/viewvc/blink?revision=168171&view=revision
• https://code.google.com/p/chromium/issues/detail?id=342618
• https://src.chromium.org/viewvc/blink?revision=166999&view=revision
• https://code.google.com/p/chromium/issues/detail?id=333058
• https://src.chromium.org/viewvc/blink?revision=168059&view=revision
• https://code.google.com/p/chromium/issues/detail?id=338354
• https://src.chromium.org/viewvc/chrome?revision=247627&view=revision