MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-054

DATE(S) ISSUED:
03/25/2016

SUBJECT:
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Google Chrome prior to version 49.0.2623.108
  • Oracle Java SE 8 Update 73 and 74

RISK:

Government:

  • Large and medium government entities:High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities:High
  • Small business entities:Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome. These vulnerabilities can be triggered by a user visiting a specially crafted web page. Details of these vulnerabilities are as follows:

  • An out-of-bounds read vulnerability in V8 (CVE-2016-1646)
  • A use-after-free vulnerability in Navigation (CVE-2016-1647
  • A use-after-free vulnerability in Extensions (CVE-2016-1648)
  • A buffer-overflow vulnerability in libANGLE (CVE-2016-1649)
  • Multiple unspecified vulnerabilities (CVE-2016-1650)
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions.

RECOMMENDATIONS:

We recommend the following actions be taken: