Multiple vulnerabilities in Google Chrome



Published: 2018-03-06 | Updated: 2021-07-01
Risk: High
Patch available: YES
Number of vulnerabilities: 27
CVE-ID: CVE-2018-6064, CVE-2018-6060, CVE-2018-6061, CVE-2018-6062, CVE-2018-6065, CVE-2018-6066, CVE-2018-6057, CVE-2018-6063, CVE-2018-6067, CVE-2018-6068, CVE-2018-6069, CVE-2018-6070, CVE-2018-6071, CVE-2018-6072, CVE-2018-6073, CVE-2018-6074, CVE-2018-6075, CVE-2018-6076, CVE-2018-6077, CVE-2018-6078, CVE-2018-6079, CVE-2018-6080, CVE-2018-6081, CVE-2018-6082, CVE-2018-6083, CVE-2017-11215, CVE-2017-11225
CWE-ID: CWE-843, CWE-416, CWE-362, CWE-122, CWE-190, CWE-20, CWE-119, CWE-120, CWE-404, CWE-121, CWE-284, CWE-264, CWE-19, CWE-385, CWE-451, CWE-200, CWE-79
Exploitation vector: Network
Public exploit: Vulnerability #5 is being exploited in the wild.
Vulnerable software: Google Chrome (Client/Desktop applications / Web browsers)
Vendor: Google

Security Bulletin

This security bulletin contains information about 27 vulnerabilities.

1) Type confusion

EUVDB-ID: #VU11543

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6064

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in V8. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free error

EUVDB-ID: #VU11558

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6060

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error in Blink. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Race condition

EUVDB-ID: #VU11560

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6061

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a race condition in V8. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Heap-based buffer overflow

EUVDB-ID: #VU11561

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6062

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a heap-based buffer overflow in Skia. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Integer overflow

EUVDB-ID: #VU11562

Risk: High

CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-6065

CWE-ID: CWE-190 - Integer overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an integer overflow. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

6) Security restrictions bypass

EUVDB-ID: #VU11563

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6066

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a same-origin bypass via canvas. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory corruption

EUVDB-ID: #VU11564

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6057

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to incorrect permissions on shared memory. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Memory corruption

EUVDB-ID: #VU11565

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6063

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to incorrect permissions on shared memory. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer overflow

EUVDB-ID: #VU11566

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6067

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in Skia due to a buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper resource shutdown

EUVDB-ID: #VU11567

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6068

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to object lifetime issues. A remote attacker can cause the service to crash.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Stack-based buffer overflow

EUVDB-ID: #VU11568

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6069

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in Skia due to a stack-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper access control

EUVDB-ID: #VU11569

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6070

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a CSP bypass through extensions. A remote attacker can bypass security restrictions.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Heap-based buffer overflow

EUVDB-ID: #VU11570

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6071

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in Skia due to a heap-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Integer overflow

EUVDB-ID: #VU11571

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6072

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in PDFium due to an integer overflow. A remote attacker can trigger a buffer overflow and cause the service to crash.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Heap-based buffer overflow

EUVDB-ID: #VU11573

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6073

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in WebGL due to a heap-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Improper access control

EUVDB-ID: #VU11574

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6074

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a Mark-of-the-Web bypass. A remote attacker can bypass security restrictions.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Security restrictions bypass

EUVDB-ID: #VU11576

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6075

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to overly permissive cross-origin downloads. A remote attacker can bypass security restrictions.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Data handling

EUVDB-ID: #VU11578

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6076

CWE-ID: CWE-19 - Data Handling

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in Blink due to incorrect handling of URL fragment identifiers. A remote attacker can cause the service to crash.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Timing attack

EUVDB-ID: #VU11581

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6077

CWE-ID: CWE-385 - Covert Timing Channel

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in SVG filters due to a covert timing channel. A remote attacker can gain access to potentially sensitive information.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Spoofing attack

EUVDB-ID: #VU11582

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6078

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct a spoofing attack on the target system.

The weakness exists in OmniBox due to a URL spoof. A remote attacker can perform a spoofing attack and obtain arbitrary data.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Information disclosure

EUVDB-ID: #VU11583

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6079

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in WebGL due to improper information control via texture data. A remote attacker can gain access to potentially sensitive information.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Information disclosure

EUVDB-ID: #VU11584

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6080

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in an IPC call due to improper information control. A remote attacker can gain access to potentially sensitive information.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Cross-site scripting

EUVDB-ID: #VU11585

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6081

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The weakness exists in interstitials due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Security restrictions bypass

EUVDB-ID: #VU11586

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6082

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to circumvention of port blocking. A remote attacker can bypass security restrictions.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Improper access control

EUVDB-ID: #VU11587

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6083

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to incorrect processing of AppManifests. A remote attacker can bypass security restrictions.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: 62.0.3202.89 - 64.0.3282.186

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Use-after-free error

EUVDB-ID: #VU9197

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-11215

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: before 65.0.3325.146

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Use-after-free error

EUVDB-ID: #VU9198

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-11225

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error. A remote attacker can trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 65.0.3325.146.

Vulnerable software versions

Google Chrome: before 65.0.3325.146

External links

http://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


