Google patched its Chrome browser this week, fixing 12 vulnerabilities, including a serious information disclosure bug and a use-after-free vulnerability that could let attackers obtain potentially sensitive information and execute arbitrary code.
French security researcher Antoine Delignat-Lavaud discovered the information disclosure problem (CVE-2014-3166) in SPDY, an open networking protocol that transports web content. According to the National Vulnerability Database, the Public Key Pinning (PKP) implementation in the browser on Windows, OS X, Linux and Android fails to consider the SPDY handler. This could allow attackers to obtain sensitive information by leveraging the use of multiple domain names.
While technical details and a public exploit for the vulnerability have not been disclosed yet, an attacker looking to leverage the bug to impersonate servers could exploit it remotely and without any form of authentication.
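To make the pinning gap concrete, here is an added illustrative model (not Chrome's code, and not from the researcher) of a SPDY-style connection pool that reuses one connection for every hostname its certificate names. The host and key names are constructed; the point is that pins must be re-validated for each host coalesced onto an existing connection, not only for the host that opened it.

```python
import base64
import hashlib

def spki_hash(spki: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

# Constructed pin set: only one CA key is acceptable for the pinned host.
PINS = {"pinned.example": {spki_hash(b"constructed-pinned-ca-key")}}

class Cert:
    def __init__(self, names, issuer_spki: bytes):
        self.names = set(names)            # hostnames the certificate covers
        self.pin = spki_hash(issuer_spki)  # pin of the issuing key

def pins_ok(cert: Cert, host: str) -> bool:
    """Pass if the host has no pins, or the chain contains a pinned key."""
    allowed = PINS.get(host)
    return allowed is None or cert.pin in allowed

# Constructed: a certificate from an unpinned CA that names both hosts.
SHARED = Cert({"other.example", "pinned.example"}, b"constructed-other-ca-key")
SERVERS = {"other.example": SHARED, "pinned.example": SHARED}

class Pool:
    """Simplified SPDY-style pool: a connection is reused for every host its certificate names."""
    def __init__(self, recheck_pins_on_reuse: bool):
        self.recheck = recheck_pins_on_reuse
        self.conns = []  # one Cert per open connection

    def request(self, host: str) -> str:
        for cert in self.conns:
            if host in cert.names:
                # The bug modelled here: reuse without re-running the pin check for this host.
                if self.recheck and not pins_ok(cert, host):
                    return "pin failure"
                return "reused"
        cert = SERVERS[host]  # new connection: pins checked for the opening host only
        if not pins_ok(cert, host):
            return "pin failure"
        self.conns.append(cert)
        return "new"

def scenario(recheck_pins_on_reuse: bool):
    """First request an unpinned host, then the pinned host over the pooled connection."""
    pool = Pool(recheck_pins_on_reuse)
    return pool.request("other.example"), pool.request("pinned.example")

# scenario(False) -> ("new", "reused")       pins silently bypassed on reuse
# scenario(True)  -> ("new", "pin failure")  pins enforced per host
```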
In a mailing list for the Transport Layer Security working group of the IETF, Delignat-Lavaud claims the feature “has been buggy in Chrome for the past two years.”
“I didn’t talk about it at Black Hat because the fix is not yet deployed,” Delignat-Lavaud said, adding “I’m fairly sure that if there had been more discussion, such an ugly bug could have been averted.”
Delignat-Lavaud has discovered multiple vulnerabilities in Chrome before, including a man-in-the-middle attack against HTTP over SSL, and an issue with certificates not being checked during TLS renegotiation.
Earlier this year Delignat-Lavaud, along with two other researchers, demonstrated how they could force a client running TLS to connect to an attacker-controlled server with an authenticated credential. The attacks, known as Triple Handshake attacks, made short work of four different TLS weaknesses, including one in RSA’s infrastructure and the Diffie-Hellman Exchange.
A separate, also high-severity issue in Chrome for Windows, Mac and Linux stemmed from a use-after-free memory vulnerability in WebSockets and was also fixed this week, in addition to the usual batch of fixes from internal audits and fuzzing.
Versions of Chrome before 36.0.1985.122 remain vulnerable until patched. Users can download the latest stable version, 36.0.1985.143, which comes with a Flash Player update.