Multiple vulnerabilities in Techland Chrome
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2011-0777 CVE-2011-0779 CVE-2011-0780 CVE-2011-0781 CVE-2011-0783 CVE-2011-0784 |
| CWE-ID | CWE-416 CWE-20 CWE-362 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU45365
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-0777
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to image loading. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 9.0.597.84.
Vulnerable software versionsGoogle Chrome: 9.0.597.0 - 9.0.597.83
CPE2.3- cpe:2.3:a:google:google_chrome:9.0.597.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=55831
https://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html
https://secunia.com/advisories/43368
https://www.debian.org/security/2011/dsa-2166
https://www.vupen.com/english/advisories/2011/0408
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14514
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU45366
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-0779
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Google Chrome before 9.0.597.84 does not properly handle a missing key in an extension, which allows remote attackers to cause a denial of service (application crash) via a crafted extension.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 9.0.597.0 - 9.0.597.83
CPE2.3- cpe:2.3:a:google:google_chrome:9.0.597.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=62791
https://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html
https://secunia.com/advisories/43782
https://www.debian.org/security/2011/dsa-2192
https://www.vupen.com/english/advisories/2011/0671
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14540
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU45367
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-0780
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The PDF event handler in Google Chrome before 9.0.597.84 does not properly interact with print operations, which allows user-assisted remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 9.0.597.0 - 9.0.597.83
CPE2.3- cpe:2.3:a:google:google_chrome:9.0.597.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=64051
https://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14530
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU45368
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-0781
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 9.0.597.84 does not properly handle autofill profile merging, which has unspecified impact and remote attack vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 9.0.597.0 - 9.0.597.83
CPE2.3- cpe:2.3:a:google:google_chrome:9.0.597.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14413
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU45369
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-0783
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Unspecified vulnerability in Google Chrome before 9.0.597.84 allows user-assisted remote attackers to cause a denial of service (application crash) via vectors involving a "bad volume setting."
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 9.0.597.0 - 9.0.597.83
CPE2.3- cpe:2.3:a:google:google_chrome:9.0.597.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=68244
https://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html
https://secunia.com/advisories/43368
https://www.debian.org/security/2011/dsa-2166
https://www.vupen.com/english/advisories/2011/0408
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14730
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Race condition
EUVDB-ID: #VU45370
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-0784
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Race condition in Google Chrome before 9.0.597.84 allows remote attackers to execute arbitrary code via vectors related to audio.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 9.0.597.0 - 9.0.597.83
CPE2.3- cpe:2.3:a:google:google_chrome:9.0.597.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:9.0.597.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=69195
https://googlechromereleases.blogspot.com/2011/02/stable-channel-update.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14108
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
