=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN379
_____________________________________________________________________

DATE                      : 16/09/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Google Chrome.

======================================================================
http://googlechromereleases.blogspot.com/2009/09/stable-channel-update.html
______________________________________________________________________

Stable Channel Update

Tuesday, September 15, 2009 | 09:59

Labels: Stable updates




3.0.195.21 has graduated from Beta to the Stable channel today.

This release includes themes support, a brand new New Tab page, an updated
omnibox, support for audio and video tags, and a higher performing V8 engine.

You can read more about it here.

Anthony Laforge
Google Chrome Program Manager

Security Fixes:

We would like to extend special thanks to Will Dormann of CERT for
working with us to improve the security of the new audio and video
codecs in this release.

CVE-2009-XXXX  Content-Type: application/rss+xml being rendered as
active content

Previously, we rendered RSS and Atom feeds as XML.  Because most other
browsers render these documents with dedicated feed previewers, some
web sites do not sanitize their feeds for active content, such as
JavaScript.  In these cases, an attacker might be able to inject
JavaScript into a target web site.

More info: http://code.google.com/p/chromium/issues/detail?id=21238
(This issue will be made public once a majority of users are up to
date with the fix.)

Severity: Medium.  Most web sites are not affected because they do
not include untrusted content in RSS or Atom feeds.

Credit: Inferno of SecureThoughts.com


Mitigations:

    * A victim would need to visit a page under an attacker's control.
    * The target web site would need to let the attacker inject
JavaScript into an RSS or an Atom feed.


CVE-2009-XXXX  Same Origin Policy Bypass via getSVGDocument() method

The getSVGDocument method was lacking an access check, resulting in a
cross-origin JavaScript capability leak.  A malicious web site operator
could use the leaked capability to inject JavaScript into a target
web site hosting an SVG document, bypassing the same-origin policy.

More info: http://code.google.com/p/chromium/issues/detail?id=21338
(This issue will be made public once a majority of users are up to
date with the fix.)

Severity: High

Credit: Isaac Dawson


Mitigations:

    * A victim would need to visit a page under an attacker's control.
    * The target web site would need to host an SVG document.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================