SB2020120501 - Multiple vulnerabilities in Google Chrome

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2020-16037)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the clipboard component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

2) Use-after-free (CVE-ID: CVE-2020-16038)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the media component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

3) Use-after-free (CVE-ID: CVE-2020-16039)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the extensions component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

4) Input validation error (CVE-ID: CVE-2020-16040)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in V8 in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the system.

5) Out-of-bounds read (CVE-ID: CVE-2020-16041)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the networking component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and gain access to sensitive information.

6) Use of uninitialized resource (CVE-ID: CVE-2020-16042)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in V8 in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger uninitialized usage of resources and bypass implemented security mechanisms.

Remediation

Install update from vendor's website.

References

• https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html
• https://crbug.com/1142331
• https://crbug.com/1138683
• https://crbug.com/1149177
• https://crbug.com/1150649
• https://crbug.com/1151865
• https://crbug.com/1151890