[Winvulns-announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Vulnerabilities to Windows Systems'
Notification of New Vulnerabilties to Windows Systems Fixlet Messages
winvulns-announcements at bigmail.bigfix.com
Sun Oct 22 05:21:28 PDT 2017
Fixlet Site - 'Vulnerabilities to Windows Systems'
Current Version: 567 Published: Sun, 22 Oct 2017 00:43:31 GMT
New Fixlets:
============
***************************************************************
Title: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled the sequence of events when closing a page - CVE-2017-5007
Severity: Medium
Fixlet ID: 183602
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1836
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5007
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled the sequence of events when closing a page, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
***************************************************************
Title: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled object owner relationships - CVE-2017-5006
Severity: Medium
Fixlet ID: 183702
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1837
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5006
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled object owner relationships, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
***************************************************************
Title: WebRTC in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to perform proper bounds checking - CVE-2017-5009
Severity: Medium
Fixlet ID: 185202
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1852
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5009
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: WebRTC in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
***************************************************************
Title: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, resolved promises in an inappropriate context - CVE-2017-5010
Severity: Medium
Fixlet ID: 185301
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1853
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5010
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, resolved promises in an inappropriate context, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
***************************************************************
Title: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed attacker controlled JavaScript to be run during the invocation of a private script method - CVE-2017-5008
Severity: Medium
Fixlet ID: 185402
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1854
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5008
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed attacker controlled JavaScript to be run during the invocation of a private script method, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
***************************************************************
Title: Universal XSS in chrome://downloads - CVE-2017-5020
Severity: Medium
Fixlet ID: 185502
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1855
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5020
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to require a user gesture for powerful download operations, which allowed a remote attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted HTML page.
***************************************************************
Title: Use after free in Renderer - CVE-2017-5019
Severity: Medium
Fixlet ID: 185602
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1856
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5019
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
***************************************************************
Title: Bypass of Content Security Policy in Blink - CVE-2017-5022
Severity: Medium
Fixlet ID: 185702
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1857
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5022
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to properly enforce unsafe-inline content security policy, which allowed a remote attacker to bypass content security policy via a crafted HTML page.
***************************************************************
Title: Heap overflow in FFmpeg - CVE-2017-5024
Severity: Medium
Fixlet ID: 185801
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1858
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5024
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
***************************************************************
Title: Type confusion in metrics - CVE-2017-5023
Severity: Medium
Fixlet ID: 185901
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1859
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5023
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Type confusion in Histogram in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit a near null dereference via a crafted HTML page.
***************************************************************
Title: Use after free in Extensions - CVE-2017-5021
Severity: Medium
Fixlet ID: 186002
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1860
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5021
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
***************************************************************
Title: Universal XSS in chrome://apps - CVE-2017-5018
Severity: Medium
Fixlet ID: 186202
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1862
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5018
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.
***************************************************************
Title: Google Chrome prior to 56.0.2924.76 for Linux incorrectly handled new tab page navigations in non-selected tabs - CVE-2017-5013
Severity: Medium
Fixlet ID: 186301
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1863
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5013
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Google Chrome prior to 56.0.2924.76 for Linux incorrectly handled new tab page navigations in non-selected tabs, which allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
***************************************************************
Title: A heap buffer overflow in V8 in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android - CVE-2017-5012
Severity: Medium
Fixlet ID: 186401
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1864
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5012
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: A heap buffer overflow in V8 in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
***************************************************************
Title: Heap buffer overflow during image processing in Skia in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android - CVE-2017-5014
Severity: Medium
Fixlet ID: 186501
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1865
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5014
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Heap buffer overflow during image processing in Skia in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
***************************************************************
Title: Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android - CVE-2017-5015
Severity: Medium
Fixlet ID: 186602
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1866
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5015
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled Unicode glyphs, which allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.
***************************************************************
Title: Google Chrome prior to 56.0.2924.76 for Windows insufficiently sanitized DevTools URLs - CVE-2017-5011
Severity: Medium
Fixlet ID: 186701
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1867
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5011
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Google Chrome prior to 56.0.2924.76 for Windows insufficiently sanitized DevTools URLs, which allowed a remote attacker who convinced a user to install a malicious extension to read filesystem contents via a crafted HTML page.
***************************************************************
Title: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android - CVE-2017-5016
Severity: Medium
Fixlet ID: 186801
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1868
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5016
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to prevent certain UI elements from being displayed by non-visible pages, which allowed a remote attacker to show certain UI elements on a page they don't control via a crafted HTML page.
***************************************************************
Title: UI spoofing - CVE-2017-5026
Severity: Medium
Fixlet ID: 188402
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1884
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5026
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to prevent alerts from being displayed by swapped out frames, which allowed a remote attacker to show alerts on a page they don't control via a crafted HTML page.
***************************************************************
Title: Heap overflow in FFmpeg - CVE-2017-5025
Severity: Medium
Fixlet ID: 188502
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1885
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5025
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
***************************************************************
Title: URL spoofing in Omnibox - CVE-2017-5067
Severity: <Unspecified>
Fixlet ID: 253501
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A2535
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5067
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: URL spoofing in Omnibox.
***************************************************************
Title: URL spoofing in Omnibox - CVE-2017-5060
Severity: <Unspecified>
Fixlet ID: 253601
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A2536
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5060
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: URL spoofing in Omnibox.
***************************************************************
Title: Type confusion in Blink - CVE-2017-5059
Severity: <Unspecified>
Fixlet ID: 253702
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A2537
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5059
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Type confusion in Blink.
***************************************************************
Title: Heap use after free in Print Preview - CVE-2017-5058
Severity: <Unspecified>
Fixlet ID: 253901
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A2539
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5058
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Heap use after free in Print Preview.
***************************************************************
Title: Type confusion in PDFium - CVE-2017-5057
Severity: <Unspecified>
Fixlet ID: 254001
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A2540
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5057
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Type confusion in PDFium
***************************************************************
Title: Use after free in Chrome Apps - CVE-2017-5062
Severity: <Unspecified>
Fixlet ID: 254102
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A2541
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5062
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Use after free in Chrome Apps.
***************************************************************
Title: URL spoofing in Omnibox - CVE-2017-5061
Severity: <Unspecified>
Fixlet ID: 254401
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A2544
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5061
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: URL spoofing in Omnibox.
More information about the WinVulns-Announcements
mailing list