March 23, 2019

Google Fixes High Priority Security Vulnerabilities with new Release of Chrome

(LiveHacking.Com) – Google has released Chrome 18.0.1025.168 on Windows, Mac and Linux to fix several High priority security bugs. Under Google’s ranking scheme a vulnerability is of ‘High’ severity when it could let an attacker read or modify confidential data belonging to other web sites or execute arbitrary code within the confines of the sandbox. Google also rates vulnerabilities that interfere with browser security features (e.g. ones that can disrupt the location bar and lock icon) as High severity.

This release fixes five security vulnerabilities, of which three are rated as High. All the High rated vulnerabilities are use-after-free conditions, which are often used as the starting point of an exploit to execute arbitrary code on the victim’s computer. One of the vulnerabilities was found by security researcher miaubiz, who received $1000 under the Chromium Vulnerability Rewards Program.

The full list of fixes is as follows:

  • [106413] High CVE-2011-3078: Use after free in floats handling. Credit to Google Chrome Security Team (Marty Barbella) and independent later discovery by miaubiz.
  • [117110] High CVE-2012-1521: Use after free in xml parser. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
  • [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie.
  • [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to Willem Pinckaers of Matasano.
  • [$1000] [121899] High CVE-2011-3081: Use after free in floats handling. Credit to miaubiz.

Note that the referenced bugs may be kept private by Google until a majority of Chrome users are up to date with the fix.

Google Updates Chrome Again to Fix Seven High Risk Vulnerabilities

(LiveHacking.Com) – Google has updated Chrome to 18.0.1025.151 to fix some bugs, add a new version of Flash and fix twelve security vulnerabilities. The new release, which is available for Windows, Mac and Linux, is Google’s second release in just eight days. As part of its security reward program, Google paid out $6000 to security researchers for their efforts in making Google Chrome safer.

Seven of the twelve vulnerabilities are rated as “high,” the second-most-serious ranking in Google’s scoring system. Of the remaining, four were marked “medium” and one was labeled “low.” All of the high risk vulnerabilities are use-after-free bugs in various parts of the Chrome code, including line box handling, v8 bindings, HTMLMediaElement and focus handling.

The full list of fixes is:

  • [$500] [106577] Medium CVE-2011-3066: Out-of-bounds read in Skia clipping. Credit to miaubiz.
  • [117583] Medium CVE-2011-3067: Cross-origin iframe replacement. Credit to Sergey Glazunov.
  • [$1000] [117698] High CVE-2011-3068: Use-after-free in run-in handling. Credit to miaubiz.
  • [$1000] [117728] High CVE-2011-3069: Use-after-free in line box handling. Credit to miaubiz.
  • [118185] High CVE-2011-3070: Use-after-free in v8 bindings. Credit to Google Chrome Security Team (SkyLined).
  • [118273] High CVE-2011-3071: Use-after-free in HTMLMediaElement. Credit to pa_kt, reporting through HP TippingPoint ZDI (ZDI-CAN-1528).
  • [118467] Low CVE-2011-3072: Cross-origin violation parenting pop-up window. Credit to Sergey Glazunov.
  • [$1000] [118593] High CVE-2011-3073: Use-after-free in SVG resource handling. Credit to Arthur Gerkis.
  • [$500] [119281] Medium CVE-2011-3074: Use-after-free in media handling. Credit to Sławomir Błażek.
  • [$1000] [119525] High CVE-2011-3075: Use-after-free applying style command. Credit to miaubiz.
  • [$1000] [120037] High CVE-2011-3076: Use-after-free in focus handling. Credit to miaubiz.
  • [120189] Medium CVE-2011-3077: Read-after-free in script bindings. Credit to Google Chrome Security Team (Inferno).

Note: Google may keep the referenced bugs secret until a majority of Chrome users are up to date with the fix.

Other things

This release also fixes the following issues:

  • black screen on Hybrid Graphics system with GPU accelerated compositing enabled (Issue: 117371)
  • CSS not applied to <content> element (Issue: 114667)
  • Regression rendering a div with background gradient and borders (Issue: 113726)
  • Canvas 2D line drawing bug with GPU acceleration (Issue: 121285)
  • Multiple crashes (Issues: 72235, 116825 and 92998)
  • Pop-up dialog is at wrong position (Issue: 116045)
  • HTML Canvas patterns are broken if you change the transformation matrix (Issue: 112165)
  • SSL interstitial error “proceed anyway” / “back to safety” buttons don’t work (Issue: 119252)

Known Issues:

  • HTML5 audio doesn’t work on some Mac computers (Issue: 109441)

A new version of Flash Player is included in this release; more details are available in an addendum to the following Flash Player advisory.

Google Hands Out $4500 in Rewards for Chrome 17.0.963.83

(LiveHacking.Com) – Google has released Chrome 17.0.963.83 to fix several ‘High’ level security bugs. In doing so it handed out $4500 to security researchers who found and reported security related bugs in Google’s web browser. The new update also includes the start of hardening measures based on a study of the exploits submitted to the Pwnium competition.

Security fixes and rewards:

  • [$1000] [113902] High CVE-2011-3050: Use-after-free with first-letter handling. Credit to miaubiz.
  • [116162] High CVE-2011-3045: libpng integer issue from upstream. Credit to Glenn Randers-Pehrson of the libpng project.
  • [$1000] [116461] High CVE-2011-3051: Use-after-free in CSS cross-fade handling. Credit to Arthur Gerkis.
  • [116637] High CVE-2011-3052: Memory corruption in WebGL canvas handling. Credit to Ben Vanik of Google.
  • [$1000] [116746] High CVE-2011-3053: Use-after-free in block splitting. Credit to miaubiz.
  • [117418] Low CVE-2011-3054: Apply additional isolations to webui privileges. Credit to Sergey Glazunov.
  • [117736] Low CVE-2011-3055: Prompt in the browser native UI for unpacked extension installation. Credit to PinkiePie.
  • [$2000] [117550] High CVE-2011-3056: Cross-origin violation with “magic iframe”. Credit to Sergey Glazunov.
  • [$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.

Google also listed a low severity issue that was fixed in a previous patch but the company had forgotten to issue a proper credit:

  • [108648] Low CVE-2011-3049: Extension web request API can interfere with system requests. Credit to Michael Gundlach.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.

Google Chrome Browser First to Fall at Pwn2Own 2012

(LiveHacking.Com) – Google spends a lot of time, effort and money on making Chrome as secure as possible. However, software can never be 100% secure. This was proved during this year’s CanSecWest Pwn2Own hacker contest, where Chrome was the first browser to fall to the hackers.

A team of French hackers from VUPEN, which sells vulnerabilities and exploits to government customers, took down Chrome with an impressive set of exploits. VUPEN co-founder and head of research Chaouki Bekrar and his team attacked Chrome via a pair of zero-day vulnerabilities to take complete control of a 64-bit Windows 7 PC with all the latest Microsoft patches applied. The team worked for six weeks prior to the competition to find the vulnerabilities and write the exploits.

In an interview, Bekrar said “We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

According to Bekrar, who declined to say if any of the exploits targeted third-party code (like Adobe Flash), the exploit used a use-after-free vulnerability in the default installation of Chrome. To launch the hack the team created a web page booby-trapped with the exploit code. Once the target page was opened in Chrome, the exploit ran and opened the Calculator (calc.exe) and so demonstrated that the exploit bypassed Chrome’s sandbox and had direct access to Windows.

The most controversial aspect of all this is that VUPEN will sell the rights to one of the zero-day vulnerabilities, but the company says it won’t give up the sandbox escape and intends to keep it private for its customers. This goes against the whole ethos of security research and full disclosure.

VUPEN isn’t only hacking Chrome; the company says it also has exploits for Microsoft Internet Explorer, Apple Safari and Mozilla Firefox.

Google Pay Out $47,500 in Rewards For Security Bugs Found and Fixed in Chrome 17.0.963.65

(LiveHacking.Com) – Google has released Chrome 17.0.963.65 for Windows, Linux and Mac, which fixes a number of security related and non-security related bugs. Along the way, Google gave out an extra $30,000 as special rewards for some special bugs. Including a further 14 rewards for other security related bugs, Google paid out $47,000 to security researchers for helping make Chrome more secure.

The three special bug finds are:

  1. [$10,000] [116661] Rockstar CVE-1337-d00d1: Excessive WebKit fuzzing. Credit to miaubiz.
  2. [$10,000] [116662] Legend CVE-1337-d00d2: Awesome variety of fuzz targets. Credit to Aki Helin of OUSPG.
  3. [$10,000] [116663] Superhero CVE-1337-d00d3: Significant pain inflicted upon SVG. Credit to Arthur Gerkis.

To determine the above rewards, Google looked at bug finding performance over the past few months. The three named individuals stood out significantly.

“We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. In this instance, we’re dropping a surprise bonus. We reserve the right to do so again and reserve the right to do so on a more regular basis! Chrome has a leading reputation for security and it wouldn’t be possible without the aggressive bug hunting of the wider community” wrote Jason Kersey from Google.

The other security related bugs that were fixed include:

  • [$1000] [105867] High CVE-2011-3031: Use-after-free in v8 element wrapper. Credit to Chamal de Silva.
  • [$1000] [108037] High CVE-2011-3032: Use-after-free in SVG value handling. Credit to Arthur Gerkis.
  • [$2000] [108406] [115471] High CVE-2011-3033: Buffer overflow in the Skia drawing library. Credit to Aki Helin of OUSPG.
  • [$1000] [111748] High CVE-2011-3034: Use-after-free in SVG document handling. Credit to Arthur Gerkis.
  • [$2000] [112212] High CVE-2011-3035: Use-after-free in SVG use handling. Credit to Arthur Gerkis.
  • [$1000] [113258] High CVE-2011-3036: Bad cast in line box handling. Credit to miaubiz.
  • [$3000] [113439] [114924] [115028] High CVE-2011-3037: Bad casts in anonymous block splitting. Credit to miaubiz.
  • [$1000] [113497] High CVE-2011-3038: Use-after-free in multi-column handling. Credit to miaubiz.
  • [$1000] [113707] High CVE-2011-3039: Use-after-free in quote handling. Credit to miaubiz.
  • [$500] [114054] High CVE-2011-3040: Out-of-bounds read in text handling. Credit to miaubiz.
  • [$1000] [114068] High CVE-2011-3041: Use-after-free in class attribute handling. Credit to miaubiz.
  • [$1000] [114219] High CVE-2011-3042: Use-after-free in table section handling. Credit to miaubiz.
  • [$1000] [115681] High CVE-2011-3043: Use-after-free in flexbox with floats. Credit to miaubiz.
  • [$1000] [116093] High CVE-2011-3044: Use-after-free with SVG animation elements. Credit to Arthur Gerkis.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.

This release also fixes a number of non-security related issues including:

  • Cursors and backgrounds sometimes do not load (bug 111218)
  • Plugins not loading on some pages (bug 108228)
  • Text paste includes trailing spaces (bug 106551)
  • Websites using touch controls break (bug 110332)

Along with these fixes, the release contains an updated version of the Adobe Flash player (11.1.102.63). At the time of writing, however, Adobe hasn’t published any information about what has been fixed in this new version.

Google Releases Chrome 17 with Security Fixes and New Malicious Downloads Protection

(LiveHacking.Com) – Google has released a new version of its Chrome web browser with twenty security fixes and new functionality to try and protect users from malicious downloads. Chrome 17.0.963.46 fixes one Critical security bug (a race condition after a crash of the utility process) and eight “High” rated vulnerabilities, with the remaining ones marked as “Medium” or “Low”. Google paid out a total of $11,500 to researchers for their efforts in finding vulnerabilities.

The fixes included in this release are:

  • [73478] Low CVE-2011-3953: Avoid clipboard monitoring after paste event. Credit to Daniel Cheng of the Chromium development community.
  • [92550] Low CVE-2011-3954: Crash with excessive database usage. Credit to Collin Payne.
  • [93106] High CVE-2011-3955: Crash aborting an IndexDB transaction. Credit to David Grogan of the Chromium development community.
  • [103630] Low CVE-2011-3956: Incorrect handling of sandboxed origins inside extensions. Credit to Devdatta Akhawe, UC Berkeley.
  • [$1000] [104056] High CVE-2011-3957: Use-after-free in PDF garbage collection. Credit to Aki Helin of OUSPG.
  • [$2000] [105459] High CVE-2011-3958: Bad casts with column spans. Credit to miaubiz.
  • [$1000] [106441] High CVE-2011-3959: Buffer overflow in locale handling. Credit to Aki Helin of OUSPG.
  • [$500] [108416] Medium CVE-2011-3960: Out-of-bounds read in audio decoding. Credit to Aki Helin of OUSPG.
  • [$1000] [108871] Critical CVE-2011-3961: Race condition after crash of utility process. Credit to Shawn Goertzen.
  • [$500] [108901] Medium CVE-2011-3962: Out-of-bounds read in path clipping. Credit to Aki Helin of OUSPG.
  • [109094] Medium CVE-2011-3963: Out-of-bounds read in PDF fax image handling. Credit to Atte Kettunen of OUSPG.
  • [109245] Low CVE-2011-3964: URL bar confusion after drag + drop. Credit to Code Audit Labs of VulnHunt.com.
  • [109664] Low CVE-2011-3965: Crash in signature check. Credit to Sławomir Błażek.
  • [$1000] [109716] High CVE-2011-3966: Use-after-free in stylesheet error handling. Credit to Aki Helin of OUSPG.
  • [109717] Low CVE-2011-3967: Crash with unusual certificate. Credit to Ben Carrillo.
  • [$1000] [109743] High CVE-2011-3968: Use-after-free in CSS handling. Credit to Arthur Gerkis.
  • [$1000] [110112] High CVE-2011-3969: Use-after-free in SVG layout. Credit to Arthur Gerkis.
  • [$500] [110277] Medium CVE-2011-3970: Out-of-bounds read in libxslt. Credit to Aki Helin of OUSPG.
  • [$1000] [110374] High CVE-2011-3971: Use-after-free with mousemove events. Credit to Arthur Gerkis.
  • [110559] Medium CVE-2011-3972: Out-of-bounds read in shader translator. Credit to Google Chrome Security Team (Inferno).

Chrome 17 also enhances its use of Google’s Safe Browsing, a continuously updated list of known phishing and malware websites, to include checking of executable downloads. Chrome checks executable downloads against a list of known good files and publishers. If a file isn’t from a known source, Chrome sends the URL and IP of the host and other metadata, such as the file’s hash and binary size, to Google. The file is automatically classified using machine learning analysis and the reputation and trustworthiness of files previously seen from the same publisher and website. Google then sends the results back to Chrome, which warns you if you’re at risk.
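The download check described above, modelled as an added illustration rather than Chrome’s own code or Google’s protocol: a local allowlist check first, a metadata ping (no file contents) built only for unrecognised executables, and a verdict from the reputation of the same publisher and site. The allowlists, reputation records, hosts, publishers and the 50% threshold are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample standing in for a known-good installer; its hash is allowlisted.
TRUSTED_INSTALLER = b"MZ constructed trusted installer bytes"


def file_digest(data: bytes) -> str:
    """SHA-256 of the downloaded bytes; the hash, not the file, is what gets reported."""
    return hashlib.sha256(data).hexdigest()


# Constructed, hypothetical allowlists standing in for Google's server-side data.
KNOWN_GOOD_SHA256 = {file_digest(TRUSTED_INSTALLER)}
KNOWN_GOOD_PUBLISHERS = {"Example Software Ltd"}

# Constructed prior observations per (publisher, site): (downloads seen, later found malicious).
REPUTATION = {
    ("Example Software Ltd", "downloads.example.com"): (500, 0),
    ("Unknown Pub", "free-stuff.example.net"): (12, 9),
}


@dataclass
class DownloadPing:
    """Metadata the client sends for an unrecognised executable (never the file itself)."""
    url: str
    host: str
    host_ip: str
    sha256: str
    size: int
    publisher: Optional[str]


def classify(ping: DownloadPing) -> str:
    """Server-side stand-in: verdict from the reputation of the same publisher and site."""
    seen, bad = REPUTATION.get((ping.publisher, ping.host), (0, 0))
    if seen == 0:
        return "uncommon"      # nothing known about this publisher on this site
    if bad / seen >= 0.5:      # constructed threshold, not Google's
        return "dangerous"
    return "safe"


def check_download(url: str, host_ip: str, data: bytes,
                   publisher: Optional[str]) -> Tuple[str, Optional[DownloadPing]]:
    """Client-side flow: allowlists first; only unknown files trigger a reputation lookup."""
    digest = file_digest(data)
    if digest in KNOWN_GOOD_SHA256 or publisher in KNOWN_GOOD_PUBLISHERS:
        return "safe", None    # known source: nothing is sent to the server
    ping = DownloadPing(url=url, host=urlparse(url).hostname or "", host_ip=host_ip,
                        sha256=digest, size=len(data), publisher=publisher)
    return classify(ping), ping


if __name__ == "__main__":
    verdict, ping = check_download("http://free-stuff.example.net/crack.exe", "198.51.100.7",
                                   b"MZ constructed unknown bytes", "Unknown Pub")
    print(verdict, ping)
```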

Chrome 17 also contains a number of new features including:

  • New Extensions APIs
  • Updated Omnibox Prerendering

Chrome 17.0.963.46 is available for Windows, Mac and Linux. More details on the update are available on the Chrome Blog. Full details about what changes are in this release are available in the SVN revision log.

Google Releases Chrome 16.0.912.77 to Fix a Critical Security Vulnerability

(LiveHacking.Com) – Google has released Chrome 16.0.912.77 for Windows, Mac and Linux to fix a Critical use-after-free memory problem in Safe Browsing navigation. The bug was found by Chamal de Silva, who got over $3000 from Google for finding the problem.

The full list of security related bugs fixed is:

  • [$1000] [106484] High CVE-2011-3924: Use-after-free in DOM selections. Credit to Arthur Gerkis.
  • [$3133.7] [107182] Critical CVE-2011-3925: Use-after-free in Safe Browsing navigation. Credit to Chamal de Silva. *
  • [108461] High CVE-2011-3928: Use-after-free in DOM handling. Credit to wushi of team509 reported through ZDI (ZDI-CAN-1415).
  • [$1000] [108605] High CVE-2011-3927: Uninitialized value in Skia. Credit to miaubiz.
  • [$1000] [109556] High CVE-2011-3926: Heap-buffer-overflow in tree builder. Credit to Arthur Gerkis.

Note that the critical bug 107182 was fixed in 16.0.912.75 but accidentally excluded from the release notes! Also note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix. Full details about what changes have been made in this release are available in the SVN revisions log.

Chrome 16.0.912.75 Fixes Buffer Overflow Vulnerabilities

(LiveHacking.Com) – Google has released Chrome 16.0.912.75 for Windows, Mac and Linux to fix a number of security vulnerabilities. Under the Vulnerability Rewards Program, Google paid out $2000 to security researchers for their time and effort in making Chrome more secure.

Fixes included:

  • [$1000] [106672] High CVE-2011-3921: Use-after-free in animation frames. Credit to Boris Zbarsky of Mozilla.
  • [$1000] [107128] High CVE-2011-3919: Heap-buffer-overflow in libxml. Credit to Jüri Aedla.
  • [108006] High CVE-2011-3922: Stack-buffer-overflow in glyph handling. Credit to Google Chrome Security Team (Cris Neckar).

Note that Google keeps the referenced bugs private until a majority of users have updated to the latest version.

Full details about what changes have been made in this release are available in the SVN revisions log.

Google Pays out $6000 to Security Researchers for Chrome 16

(LiveHacking.Com) – Google has released Chrome 16 (16.0.912.63) for Windows, Mac, and Linux. As well as improvements to Sync and the ability to create multiple profiles on a single instance of Chrome, Chrome 16 also contains some important security fixes.

The security fixes (and related awards) are:

  • [81753] Medium CVE-2011-3903: Out-of-bounds read in regex matching. Credit to David Holloway of the Chromium development community.
  • [95465] Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to Google Chrome Security Team (Inferno).
  • [$500] [98809] Medium CVE-2011-3906: Out-of-bounds read in PDF parser. Credit to Aki Helin of OUSPG.
  • [$1000] [99016] High CVE-2011-3907: URL bar spoofing with view-source. Credit to Luka Treiber of ACROS Security.
  • [100863] Low CVE-2011-3908: Out-of-bounds read in SVG parsing. Credit to Aki Helin of OUSPG.
  • [101010] Medium CVE-2011-3909: [64-bit only] Memory corruption in CSS property array. Credit to Google Chrome Security Team (scarybeasts) and Chu.
  • [101494] Medium CVE-2011-3910: Out-of-bounds read in YUV video frame handling. Credit to Google Chrome Security Team (Cris Neckar).
  • [101779] Medium CVE-2011-3911: Out-of-bounds read in PDF. Credit to Google Chrome Security Team (scarybeasts) and Robert Swiecki of the Google Security Team.
  • [$1000] [102359] High CVE-2011-3912: Use-after-free in SVG filters. Credit to Arthur Gerkis.
  • [$1000] [103921] High CVE-2011-3913: Use-after-free in Range handling. Credit to Arthur Gerkis.
  • [$1000] [104011] High CVE-2011-3914: Out-of-bounds write in v8 i18n handling. Credit to Sławomir Błażek.
  • [$1000] [104529] High CVE-2011-3915: Buffer overflow in PDF font handling. Credit to Atte Kettunen of OUSPG.
  • [$500] [104959] Medium CVE-2011-3916: Out-of-bounds reads in PDF cross references. Credit to Atte Kettunen of OUSPG.
  • [105162] Medium CVE-2011-3917: Stack-buffer-overflow in FileWatcher. Credit to Google Chrome Security Team (Marty Barbella).
  • [107258] High CVE-2011-3904: Use-after-free in bidi handling. Credit to Google Chrome Security Team (Inferno) and miaubiz.

Note that the referenced bugs are kept private by Google until a majority of Chrome users have updated.

Google Releases Chrome 15.0.874.121

(LiveHacking.Com) – Google is continuing with its fast paced development of the Chrome web browser, not only with the major point releases but also with bug and security fixes to the current stable version. To this end it has just released Chrome 15.0.874.121 for Windows, Mac and Linux. The new version updates the V8 JavaScript engine (to 3.5.10.24) and fixes an SVG regression bug that appeared in the last release.

However, most importantly, this release also fixes a “High” risk security bug in the V8 JavaScript engine which resulted in an out-of-bounds write. Such memory errors are a potential foothold for hackers to run arbitrary code in the browser and so install malware on a PC.

Christian Holler was rewarded $1000 for finding this V8 error under Google’s Chromium Security reward scheme.