Vulnerabilities in Google Chrome Could Allow Remote Code Execution

ITS Advisory Number: 2015-117
Date(s) Issued: Thursday, October 1, 2015
Subject: Vulnerabilities in Google Chrome Could Allow Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Google Chrome, which could result in remote code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of one of these vulnerabilities may allow a remote attacker to obtain sensitive information from an affected system.

Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Google Chrome prior to 45.0.2454.101
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High
Description: 

Twelve vulnerabilities have been discovered in Google Chrome. These vulnerabilities can be triggered by a user visiting a specially crafted web page. Details of these vulnerabilities are as follows:

  • Cross-origin bypass in DOM (CVE-2015-1303)
  • Cross-origin bypass in V8 (CVE-2015-1303)

Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information from an affected system. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • Apply appropriate patches provided by Google to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.