Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2018-122
Date(s) Issued: Wednesday, December 5, 2018
Subject: Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Google Chrome, which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • Google Chrome versions prior to 71.0.3578.80
RISK
Government:
  Large and medium government entities: High
  Small government entities: Medium
Business:
  Large and medium business entities: High
  Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of these vulnerabilities are as follows:

  • Heap buffer overflow in Blink. (CVE-2018-18341)
  • Heap buffer overflow in Canvas. (CVE-2018-18338)
  • Heap buffer overflow in Skia. (CVE-2018-18335)
  • Inappropriate implementation in Extensions. (CVE-2018-18344)
  • Inappropriate implementation in Media. (CVE-2018-18352)
  • Inappropriate implementation in Navigation. (CVE-2018-18347)
  • Inappropriate implementation in Network Authentication. (CVE-2018-18353)
  • Inappropriate implementation in Omnibox. (CVE-2018-18348)
  • Inappropriate implementation in Site Isolation. (CVE-2018-18345)
  • Incorrect security UI in Blink. (CVE-2018-18346)
  • Insufficient data validation in Shell Integration. (CVE-2018-18354)
  • Insufficient policy enforcement in Blink. (CVE-2018-18350, CVE-2018-18349)
  • Insufficient policy enforcement in Navigation. (CVE-2018-18351)
  • Insufficient policy enforcement in Proxy. (CVE-2018-18358)
  • Insufficient policy enforcement in URL Formatter. (CVE-2018-18355, CVE-2018-18357)
  • Out of bounds read in V8. (CVE-2018-18359)
  • Out of bounds write in V8. (CVE-2018-18342, CVE-2018-17480)
  • Use after free in Blink. (CVE-2018-18337)
  • Use after free in MediaRecorder. (CVE-2018-18340)
  • Use after free in PDFium. (CVE-2018-18336)
  • Use after free in Skia. (CVE-2018-18343, CVE-2018-18356)
  • Use after free in WebAudio. (CVE-2018-18339)
  • Use after frees in PDFium. (CVE-2018-17481)

Successful exploitation of the most severe of these vulnerabilities could allow for an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Actions: 
  • After appropriate testing, apply the stable channel update provided by Google (71.0.3578.80 or later) to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
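The first action above only closes the gap once every endpoint actually reports a version at or above 71.0.3578.80, the fixed build named under Systems Affected. The following script is an added example, not part of this advisory and not Google's code: it parses Chrome version strings from whatever an asset tool or `google-chrome --version` returns and compares them numerically against the fixed version. The host names and version strings in SAMPLE_INVENTORY are constructed for illustration. The numeric tuple comparison matters: a plain string comparison would rank 9.0.x above 71.0.x and 71.0.3578.9 above 71.0.3578.80, both of which would hide an unpatched host.

```python
"""Triage Chrome versions against the fixed build from this advisory.

Added example, not part of the ITS advisory. Assumes inventory lines of
the form "<hostname> <raw version output>", where the raw output is what
the host reported (e.g. "Google Chrome 70.0.3538.110"). All host names
and versions below are constructed, not real data.
"""
import re
from typing import List, Optional, Tuple

# First fixed stable build named under Systems Affected.
FIXED_VERSION = "71.0.3578.80"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version as a tuple of ints, or None.

    Returning ints (not strings) is what makes the comparison correct:
    "9.0.597.107" must sort below "71.0.3578.80", and "71.0.3578.9"
    must sort below "71.0.3578.80".
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if below FIXED_VERSION, False if at or above it.

    Returns None when no version can be parsed; callers should treat
    that as unknown and follow up, not as patched.
    """
    found = parse_version(version_text)
    if found is None:
        return None
    return found < parse_version(FIXED_VERSION)


# Constructed inventory dump (hostname, then the raw string the host
# reported). Deliberately includes the two string-comparison traps
# (a 9.x build and a 71.0.3578.9 build) and a host with no version.
SAMPLE_INVENTORY = """\
ws-0101 Google Chrome 70.0.3538.110
ws-0102 Google Chrome 71.0.3578.80
ws-0103 Google Chrome 9.0.597.107
ws-0104 Google Chrome 71.0.3578.98
ws-0105 Chromium 71.0.3578.9
ws-0106 not installed
"""


def triage(inventory: str) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory dump into (needs_update, patched, unknown) hosts."""
    needs_update: List[str] = []
    patched: List[str] = []
    unknown: List[str] = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, raw = line.partition(" ")
        state = is_vulnerable(raw)
        if state is None:
            unknown.append(host)
        elif state:
            needs_update.append(host)
        else:
            patched.append(host)
    return needs_update, patched, unknown


if __name__ == "__main__":
    todo, ok, unk = triage(SAMPLE_INVENTORY)
    print("needs update:", ", ".join(todo))
    print("patched     :", ", ".join(ok))
    print("unknown     :", ", ".join(unk))
```

Feed it the real inventory export in place of SAMPLE_INVENTORY; hosts in the "unknown" bucket (no parseable version) need a manual look rather than being counted as compliant.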
References:

Google:
https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18344
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18347
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18350
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18357
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18359