Vulnerabilities in Google Chrome Could Allow Remote Code Execution

ITS Advisory Number: 2013-112
Date(s) Issued: Friday, November 15, 2013
Subject: Vulnerabilities in Google Chrome Could Allow Remote Code Execution
Overview: 

Vulnerabilities have been discovered in Google Chrome that could allow remote code execution or cause denial-of-service conditions. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Google Chrome Prior to 31.0.1650.57
  • Google Chrome on Android Devices Prior to 31.0.1650.59
Risk:
Government:
  • Large and medium government entities: High
  • Small government entities: High
Business:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High
Description: 

Vulnerabilities have been discovered in Google Chrome. Details of the vulnerabilities are as follows:

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.

Actions: 
  • Update vulnerable Google Chrome products immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
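
An inventory check for the first action above, as an added example that is not part of the original advisory: it compares reported Chrome versions numerically against the fixed builds listed under Systems Affected, since comparing version strings as text mis-orders builds. The host names, platform labels and the `host,platform,version` layout are assumptions made for illustration.

```python
import re

# Fixed builds taken from the "Systems Affected" section of this advisory.
FIXED = {
    "desktop": (31, 0, 1650, 57),
    "android": (31, 0, 1650, 59),
}

VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(text):
    """Return a 4-part Chrome version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(platform, version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one install."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # flag for manual review instead of passing silently
    return "vulnerable" if version < fixed else "patched"


def audit(inventory_csv):
    """Map each host to its status from 'host,platform,version' lines."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 3:
            continue  # skip lines that do not match the assumed layout
        host, platform, version = fields
        results[host] = classify(platform, version)
    return results


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE = """
ws-001,desktop,31.0.1650.48
ws-002,desktop,31.0.1650.57
ph-001,android,31.0.1650.57
ws-003,desktop,30.0.1599.101
ws-004,desktop,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Note that `ph-001` is reported as vulnerable: build 31.0.1650.57 is the fixed desktop build but is still below the Android fix, 31.0.1650.59.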
References: 
Google: http://googlechromereleases.blogspot.com/2013/11/stable-channel-update_14.html
HP: http://www.hppwn2own.com/chrome-nexus-4-samsung-galaxy-s4-falls/
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6632
Security Focus: http://www.securityfocus.com/bid/63729