Multiple vulnerabilities in Techland Chrome
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 15 |
| CVE-ID | CVE-2011-3875 CVE-2011-3876 CVE-2011-3878 CVE-2011-3879 CVE-2011-3880 CVE-2011-3882 CVE-2011-3883 CVE-2011-3884 CVE-2011-3885 CVE-2011-3887 CVE-2011-3888 CVE-2011-3889 CVE-2011-3890 CVE-2011-3891 CVE-2011-2845 |
| CWE-ID | CWE-20 CWE-362 CWE-416 CWE-565 CWE-122 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU44559
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3875
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
Google Chrome before 15.0.874.102 does not properly handle drag and drop operations on URL strings, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=88949
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70953
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12275
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU44560
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3876
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 15.0.874.102 does not properly handle downloading files that have whitespace characters at the end of a filename, which has unspecified impact and user-assisted remote attack vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=90217
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70954
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13042
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Race condition
EUVDB-ID: #VU44561
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3878
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Race condition in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to worker process initialization.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=94487
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70956
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12811
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU44562
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3879
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 15.0.874.102 does not prevent redirects to chrome: URLs, which has unspecified impact and remote attack vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=95374
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70957
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13246
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU44563
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3880
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 15.0.874.102 does not prevent use of an unspecified special character as a delimiter in HTTP headers, which has unknown impact and remote attack vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=95992
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70958
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12672
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU44564
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3882
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to media buffers. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 15.0.874.102.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=96292
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70960
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13266
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU44565
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3883
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to counters. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 15.0.874.102.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=96902
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70961
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13091
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU44566
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3884
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 15.0.874.102 does not properly address timing issues during DOM traversal, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=97148
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70962
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13196
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free
EUVDB-ID: #VU44567
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3885
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to stale Cascading Style Sheets (CSS) token-sequence data. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 15.0.874.102.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=100059
http://code.google.com/p/chromium/issues/detail?id=97599
http://code.google.com/p/chromium/issues/detail?id=98064
http://code.google.com/p/chromium/issues/detail?id=98556
http://code.google.com/p/chromium/issues/detail?id=99294
http://code.google.com/p/chromium/issues/detail?id=99880
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00000.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html
http://secunia.com/advisories/48274
http://secunia.com/advisories/48288
http://secunia.com/advisories/48377
http://www.securitytracker.com/id?1026774
http://exchange.xforce.ibmcloud.com/vulnerabilities/70963
http://exchange.xforce.ibmcloud.com/vulnerabilities/73804
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13216
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Reliance on Cookies without Validation and Integrity Checking
EUVDB-ID: #VU44568
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3887
CWE-ID:
CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=98407
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html
http://secunia.com/advisories/48288
http://secunia.com/advisories/48377
http://www.securitytracker.com/id?1026774
http://exchange.xforce.ibmcloud.com/vulnerabilities/70965
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13179
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Use-after-free
EUVDB-ID: #VU44569
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3888
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to editing operations in conjunction with an unknown plug-in. A user-assisted remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 15.0.874.102.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=99138
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00000.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html
http://secunia.com/advisories/48274
http://secunia.com/advisories/48288
http://secunia.com/advisories/48377
http://www.securitytracker.com/id?1026774
http://exchange.xforce.ibmcloud.com/vulnerabilities/70966
http://exchange.xforce.ibmcloud.com/vulnerabilities/73805
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13107
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Heap-based buffer overflow
EUVDB-ID: #VU44570
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3889
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Heap-based buffer overflow in the Web Audio implementation in Google Chrome before 15.0.874.102. A remote attacker can use unknown vectors. to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate to version 15.0.874.102.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=99211
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70967
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12860
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Use-after-free
EUVDB-ID: #VU44571
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3890
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to video source handling. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 15.0.874.102.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=99553
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70968
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12286
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Input validation error
EUVDB-ID: #VU44572
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3891
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 15.0.874.102 does not properly restrict access to internal Google V8 functions, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=100322
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://exchange.xforce.ibmcloud.com/vulnerabilities/70969
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13172
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Input validation error
EUVDB-ID: #VU44573
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-2845
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
Google Chrome before 15.0.874.102 does not properly handle history data, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 15.0.874.0 - 15.0.874.101
External linkshttp://code.google.com/p/chromium/issues/detail?id=86758
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
http://support.apple.com/kb/HT5400
http://support.apple.com/kb/HT5503
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13044
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
