SB2014052104 - Multiple vulnerabilities in Chrome

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2014-3803)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The SpeechInput feature in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to enable microphone access and obtain speech-recognition text without indication via an INPUT element with a -x-webkit-speech attribute.

2) Use-after-free (CVE-ID: CVE-2014-1743)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing crafted JavaScript code that triggers tree mutation. A remote attackers can cause a denial of service (application crash) or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

3) Input validation error (CVE-ID: CVE-2014-1744)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation.

4) Use-after-free (CVE-ID: CVE-2014-1745)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing vectors that trigger removal of an SVGFontFaceElement object, related to core/svg/SVGFontFaceElement.cpp. A remote attackers can cause a denial of service or possibly have unspecified other impact.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

5) Buffer overflow (CVE-ID: CVE-2014-1746)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The InMemoryUrlProtocol::Read function in media/filters/in_memory_url_protocol.cc in Google Chrome before 35.0.1916.114 relies on an insufficiently large integer data type, which allows remote attackers to cause a denial of service (out-of-bounds read) via vectors that trigger use of a large buffer.

6) Cross-site scripting (CVE-ID: CVE-2014-1747)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in the DocumentLoader::maybeCreateArchive function in core/loader/DocumentLoader.cpp in Blink, as used in Google Chrome before 35.0.1916.114,. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

7) Input validation error (CVE-ID: CVE-2014-1748)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame.

8) Input validation error (CVE-ID: CVE-2014-1749)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple unspecified vulnerabilities in Google Chrome before 35.0.1916.114 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

Remediation

Install update from vendor's website.

References

• http://blog.guya.net/2014/04/07/to-listen-without-consent-abusing-the-html5-speech/
• http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
• http://secunia.com/advisories/60372
• http://www.securityfocus.com/bid/67582
• https://code.google.com/p/chromium/issues/detail?id=360448
• https://src.chromium.org/viewvc/blink?revision=171373&view=revision
• http://lists.opensuse.org/opensuse-updates/2014-06/msg00023.html
• http://secunia.com/advisories/58920
• http://secunia.com/advisories/59155
• http://security.gentoo.org/glsa/glsa-201408-16.xml
• http://www.debian.org/security/2014/dsa-2939
• http://www.securitytracker.com/id/1030270
• https://code.google.com/p/chromium/issues/detail?id=356653
• https://src.chromium.org/viewvc/blink?revision=170702&view=revision
• https://code.google.com/p/chromium/issues/detail?id=359454
• https://src.chromium.org/viewvc/chrome?revision=261549&view=revision
• https://code.google.com/p/chromium/issues/detail?id=346192
• https://src.chromium.org/viewvc/blink?revision=167993&view=revision
• https://code.google.com/p/chromium/issues/detail?id=364065
• https://src.chromium.org/viewvc/chrome?revision=267280&view=revision
• https://code.google.com/p/chromium/issues/detail?id=330663
• https://src.chromium.org/viewvc/blink?revision=169499&view=revision
• http://lists.apple.com/archives/security-announce/2014/Dec/msg00000.html
• http://lists.opensuse.org/opensuse-updates/2016-03/msg00132.html
• http://support.apple.com/kb/HT6596
• http://www.ubuntu.com/usn/USN-2937-1
• https://code.google.com/p/chromium/issues/detail?id=331168
• https://src.chromium.org/viewvc/blink?revision=170625&view=revision
• https://code.google.com/p/chromium/issues/detail?id=374649