Multiple vulnerabilities in Techland Chrome
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 12 |
| CVE-ID | CVE-2011-3025 CVE-2011-3026 CVE-2011-3027 CVE-2011-3015 CVE-2011-3016 CVE-2011-3017 CVE-2011-3018 CVE-2011-3019 CVE-2011-3020 CVE-2011-3021 CVE-2011-3023 CVE-2011-3024 |
| CWE-ID | CWE-125 CWE-190 CWE-704 CWE-416 CWE-122 CWE-20 CWE-295 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 12 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU44268
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3025
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Google Chrome before 17.0.963.56 does not properly parse H.264 data, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=112670
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://secunia.com/advisories/48016
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14869
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Integer overflow
EUVDB-ID: #VU44269
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3026
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=112822
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00023.html
http://secunia.com/advisories/48016
http://secunia.com/advisories/48110
http://secunia.com/advisories/49660
http://security.gentoo.org/glsa/glsa-201206-15.xml
http://support.apple.com/kb/HT5501
http://support.apple.com/kb/HT5503
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15032
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Type conversion
EUVDB-ID: #VU44270
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3027
CWE-ID:
CWE-704 - Type conversion
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Google Chrome before 17.0.963.56 does not properly perform a cast of an unspecified variable during handling of columns, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=112847
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
http://secunia.com/advisories/48016
http://support.apple.com/kb/HT5400
http://support.apple.com/kb/HT5485
http://support.apple.com/kb/HT5503
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14955
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Integer overflow
EUVDB-ID: #VU44271
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3015
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple integer overflows in the PDF codecs in Google Chrome before 17.0.963.56 allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=105803
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://secunia.com/advisories/48016
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14690
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU44272
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3016
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors involving counter nodes, related to a "read-after-free" issue. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 17.0.963.56.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=106336
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
http://secunia.com/advisories/48016
http://support.apple.com/kb/HT5400
http://support.apple.com/kb/HT5485
http://support.apple.com/kb/HT5503
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14919
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU44273
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3017
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to database handling. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 17.0.963.56.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=108695
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://secunia.com/advisories/48016
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14667
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Heap-based buffer overflow
EUVDB-ID: #VU44274
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3018
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Heap-based buffer overflow in Google Chrome before 17.0.963.56. A remote attacker can use vectors related to path rendering. to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate to version 17.0.963.56.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=110172
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://secunia.com/advisories/48016
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14522
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Heap-based buffer overflow
EUVDB-ID: #VU44275
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3019
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Heap-based buffer overflow in Google Chrome before 17.0.963.56. A remote attacker can use a crafted Matroska video to trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate to version 17.0.963.56.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=110849
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://secunia.com/advisories/48016
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14998
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU44276
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3020
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Unspecified vulnerability in the Native Client validator implementation in Google Chrome before 17.0.963.56 has unknown impact and remote attack vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=111575
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://secunia.com/advisories/48016
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14434
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use-after-free
EUVDB-ID: #VU44277
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3021
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to subframe loading. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 17.0.963.56.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=111779
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
http://secunia.com/advisories/48016
http://support.apple.com/kb/HT5400
http://support.apple.com/kb/HT5485
http://support.apple.com/kb/HT5503
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15020
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Use-after-free
EUVDB-ID: #VU44279
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3023
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to drag-and-drop operations. A user-assisted remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 17.0.963.56.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=112259
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://secunia.com/advisories/48016
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14643
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper Certificate Validation
EUVDB-ID: #VU44280
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3024
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Google Chrome before 17.0.963.56 allows remote attackers to cause a denial of service (application crash) via an empty X.509 certificate.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 17.0.963.0 - 17.0.963.55
CPE2.3- cpe:2.3:a:google:google_chrome:17.0.963.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:17.0.963.2:*:*:*:*:*:*:*
http://code.google.com/p/chromium/issues/detail?id=112451
http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
http://secunia.com/advisories/48016
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14891
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
