Multiple vulnerabilities in Techland Chrome
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2011-2345 CVE-2011-2346 CVE-2011-2347 CVE-2011-2348 CVE-2011-2349 CVE-2011-2350 CVE-2011-2351 |
| CWE-ID | CWE-125 CWE-416 CWE-119 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU44905
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-2345
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The NPAPI implementation in Google Chrome before 12.0.742.112 does not properly handle strings, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=77493
https://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
https://secunia.com/advisories/45097
https://www.securitytracker.com/id?1025730
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14411
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU44906
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-2346
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors involving SVG fonts. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 12.0.742.112.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=84355
https://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
https://secunia.com/advisories/45097
https://www.securitytracker.com/id?1025730
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14103
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU44907
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-2347
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 12.0.742.112 does not properly handle Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=85003
https://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
https://secunia.com/advisories/45097
https://www.securitytracker.com/id?1025730
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14649
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU44908
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-2348
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google V8, as used in Google Chrome before 12.0.742.112, performs an incorrect bounds check, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=85177
https://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
https://secunia.com/advisories/45097
https://www.securitytracker.com/id?1025730
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14324
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU44909
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-2349
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to text selection. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 12.0.742.112.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=85418
https://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
https://secunia.com/advisories/45097
https://www.securitytracker.com/id?1025730
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU44910
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-2350
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The HTML parser in Google Chrome before 12.0.742.112 does not properly address "lifetime and re-entrancy issues," which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=85102
https://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
https://secunia.com/advisories/45097
https://www.securitytracker.com/id?1025730
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14479
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU44911
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-2351
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors involving SVG use elements. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 12.0.742.112.
Vulnerable software versionsGoogle Chrome: 12.0.742.0 - 12.0.742.111
CPE2.3- cpe:2.3:a:google:google_chrome:12.0.742.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:12.0.742.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=85211
https://googlechromereleases.blogspot.com/2011/06/stable-channel-update_28.html
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00000.html
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00004.html
https://secunia.com/advisories/45097
https://support.apple.com/kb/HT4981
https://support.apple.com/kb/HT4999
https://support.apple.com/kb/HT5000
https://www.securitytracker.com/id?1025730
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14053
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
