SecurityTracker.com
Category:   Application (Web Browser)  >   Google Chrome
Vendors:   Google
(Apple Issues Fix for iTunes) Google Chrome Multiple Flaws Let Remote Users Execute Arbitrary Code, Bypass the Pop-up Blocker, Spoof the URL Bar, and Bypass Same Origin Policy
SecurityTracker Alert ID:  1026172
SecurityTracker URL:  http://securitytracker.com/id/1026172
CVE Reference:   CVE-2011-1440, CVE-2011-1449, CVE-2011-1451
Date:  Oct 12 2011
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in Google Chrome. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass the pop-up blocker. A remote user can spoof the URL bar. A remote user can bypass same origin policy. Apple iTunes is affected by some of these vulnerabilities.

A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code on the target system [CVE-2011-1303, CVE-2011-1305, CVE-2011-1434, CVE-2011-1435, CVE-2011-1436, CVE-2011-1437, CVE-2011-1439, CVE-2011-1440, CVE-2011-1441, CVE-2011-1442, CVE-2011-1443, CVE-2011-1444, CVE-2011-1445, CVE-2011-1447, CVE-2011-1448, CVE-2011-1449, CVE-2011-1450, CVE-2011-1451, CVE-2011-1454, CVE-2011-1455, CVE-2011-1456]. The code will run with the privileges of the target user.

A remote user can bypass the pop-up blocker [CVE-2011-1304].

A remote user can spoof the URL bar [CVE-2011-1446, CVE-2011-1452].

A remote user can bypass same origin policy [CVE-2011-1438].

Scott Hess of the Chromium development community, Martin Barbella, Chamal De Silva, Kostya Serebryany of the Chromium development community, Aki Helin, Cole Snodgrass, miaubiz, kuzzcc, Julien Tinnes of the Google Security Team, Jose A. Vazquez, Michael Griffiths, Sergey Glazunov, wushi of team 509, Dan Rosenberg, Marek Majkowski, Jordi Chancel, and Eric Roman of the Chromium development community reported these vulnerabilities.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass the pop-up blocker.

A remote user can spoof the URL bar.

A remote user can bypass same origin policy.

Solution:   Apple has issued a fix (10.5) for CVE-2011-1440, CVE-2011-1449, and CVE-2011-1451 for iTunes, available from:

http://www.apple.com/itunes/download/

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1205cda4ce9a32db2fe02cf9f2cf2c0bf7d47bdb

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: ab400ad27a537613b3b5306ea026763a93d57fdf

The vendor's advisory is available at:

http://support.apple.com/kb/HT4981
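
One way to check a downloaded installer against the SHA-1 digests listed above, as an added example that is not part of the original advisory. The function names and the command-line usage are assumptions of this example; the file names and digests are the ones given above.

```python
import hashlib
import hmac
import sys
from pathlib import Path

# File names and SHA-1 digests exactly as listed in the advisory above.
ADVISORY_SHA1 = {
    "iTunesSetup.exe": "1205cda4ce9a32db2fe02cf9f2cf2c0bf7d47bdb",
    "iTunes64Setup.exe": "ab400ad27a537613b3b5306ea026763a93d57fdf",
}


def sha1_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so a large installer is never held in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path, expected=ADVISORY_SHA1):
    """Return (ok, actual_digest); a file name not in `expected` fails closed."""
    actual = sha1_of(path)
    want = expected.get(Path(path).name)
    if want is None:
        return False, actual
    # Normalise the published value, then compare without early exit.
    return hmac.compare_digest(actual, want.strip().lower()), actual


if __name__ == "__main__":
    # Hypothetical usage: python verify_itunes.py <path-to-installer> [...]
    if len(sys.argv) < 2:
        sys.exit("usage: verify_itunes.py <installer> [<installer> ...]")
    failures = 0
    for arg in sys.argv[1:]:
        ok, actual = verify_installer(arg)
        print(f"{'OK      ' if ok else 'MISMATCH'}  {actual}  {arg}")
        failures += not ok
    sys.exit(1 if failures else 0)
```

A download that the browser has renamed is reported as a mismatch, because the lookup uses the exact file names from the advisory.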

Vendor URL:  googlechromereleases.blogspot.com/2011/04/chrome-stable-update.html
Cause:   Access control error, Boundary error, State error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 28 2011 Google Chrome Multiple Flaws Let Remote Users Execute Arbitrary Code, Bypass the Pop-up Blocker, Spoof the URL Bar, and Bypass Same Origin Policy


