Use-after-free vulnerability in the ProcessingInstruction::setXSLStyleSheet function in core/dom/ProcessingInstruction.cpp in the DOM implementation in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - WebKit: Improper handling of data types from event objects (CVE-2010-4205)

  - webkitgtk: heap-based buffer overflow (WSA-2015-0001) (CVE-2014-1303)

  - Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and     Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a     denial of service (application crash) via vectors involving HTML document subtrees. (CVE-2010-1761)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - webkitgtk: heap-based buffer overflow (WSA-2015-0001) (CVE-2014-1303)

  - webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-40414)

  - Use-after-free vulnerability in Google Chrome before 28.0.1500.71 allows remote attackers to cause a     denial of service or possibly have unspecified other impact via vectors related to the handling of input.
    (CVE-2013-2871)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The version of Apple iTunes running on the remote host is prior to 12.2. It is, therefore, affected by multiple vulnerabilities due to memory corruption issues in the WebKit component. An attacker can exploit these to cause a denial of service or execute arbitrary code.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apple iTunes installed on the remote Windows host is prior to 12.2. It is, therefore, affected by multiple vulnerabilities in the bundled version of WebKit, including denial of service and arbitrary code execution vulnerabilities.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the remote Apple TV device is a version prior to 7.0.3. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption issues exist, related to the     included version of WebKit, that allow application     crashes or arbitrary code execution. (CVE-2014-3192,     CVE-2014-4459, CVE-2014-4466, CVE-2014-4468,     CVE-2014-4469, CVE-2014-4470, CVE-2014-4471,     CVE-2014-4472, CVE-2014-4473, CVE-2014-4474,     CVE-2014-4475, CVE-2014-4476, CVE-2014-4477,     CVE-2014-4479)

  - A state management issue exists due to improperly     handling overlapping segments in Mach-O executable     files. A local user can exploit this issue to execute     unsigned code. (CVE-2014-4455)

  - A security bypass issue exists due to improper     validation of SVG files loaded in an IMG element. An     attacker can load a CSS of cross-origin resulting in     information disclosure. (CVE-2014-4465)

  - An issue exists due to the symbolic linking performed     by the 'afc' command which allows an attacker to     access arbitrary files on the system. (CVE-2014-4480)

  - An integer overflow issue exists due to improper bounds     checking when processing PDF files. (CVE-2014-4481)

  - A buffer overflow issue exists due to improper bounds     checking when processing fonts in PDF files.
    (CVE-2014-4483)

  - A memory corruption issue exists due to improper bounds     checking when processing '.dfont' files.
    (CVE-2014-4484)

  - A buffer overflow issue exists due to improper bounds     checking when processing XML files. (CVE-2014-4485)

  - A null pointer dereference issue exists due to the     handling of resource lists in the IOAcceleratorFamily     kernel extension. (CVE-2014-4486)

  - A buffer overflow issue exists due to improper size     validation in the IOHIDFamily. (CVE-2014-4487)

  - A validation issue exists due to the handling of     resource queue metadata in the IOHIDFamily kernel     extension. (CVE-2014-4488)

  - A null pointer dereference issue exists due to the     handling of event queues in the IOHIDFamily kernel     extension. (CVE-2014-4489)

  - An information disclosure issue exists due to the     handling of APIs related to kernel extensions in which     kernel addresses may be revealed. An attacker can     leverage this to bypass ASLR protections.
    (CVE-2014-4491)

  - Multiple type confusion issues exists due to improper     type checking during interprocess communication in the     network daemon (networkd). (CVE-2014-4492)

  - An issue exists due to improper checking of shared     memory permissions in the kernel shared memory     subsystem. (CVE-2014-4495)

  - An information disclosure issue exists due to     mach_port_kobject kernel interface leaking kernel     addresses and heap permutation values. An attacker can     leverage this to bypass ASLR protections.
    (CVE-2014-4496)

Note that arbitrary code execution is possible with the above issues assigned CVE-2014-4481 through CVE-2014-4489, CVE-2014-4492, and CVE-2014-4495.

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.2. This update contains several security-related fixes for the following components :

  - bash
  - Bluetooth
  - CFNetwork Cache
  - CommerceKit Framework
  - CoreGraphics
  - CoreSymbolication
  - CPU Software
  - FontParser
  - Foundation
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - IOUSBFamily
  - Kernel
  - LaunchServices
  - libnetcore
  - LoginWindow
  - lukemftp
  - OpenSSL
  - Safari
  - SceneKit
  - Security
  - security_taskgate
  - Spotlight
  - SpotlightIndex
  - sysmond
  - UserAccountUpdater

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The version of Apple Safari installed on the remote Mac OS X host is prior to 6.2.3 / 7.1.3 / 8.0.3. It is, therefore, affected by multiple memory corruption issues in WebKit. A remote attacker, using a specially crafted website, can exploit these to execute arbitrary code.

The mobile device is running a version of iOS prior to version 8.1.3.
It is, therefore, affected by vulnerabilities in the following components :

  - AppleFileConduit
  - CoreGraphics
  - dyld
  - FontParser
  - Foundation
  - IOAcceleratorFamily
  - IOHIDFamily
  - iTunes Store
  - Kernel
  - libnetcore
  - MobileInstallation
  - Springboard
  - WebKit

The remote host is affected by the vulnerability described in GLSA-201412-13 (Chromium: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Chromium. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to execute arbitrary code with the       privileges of the process or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

- Update to Chromium 38.0.2125.101 This update includes     159 security fixes, including 113 relatively minor     fixes. Highlighted securtiy fixes are: CVE-2014-3188: A     combination of V8 and IPC bugs that can lead to remote     code execution outside of the sandbox CVE-2014-3189:
    Out-of-bounds read in PDFium CVE-2014-3190:
    Use-after-free in Events CVE-2014-3191: Use-after-free     in Rendering CVE-2014-3192: Use-after-free in DOM     CVE-2014-3193: Type confusion in Session Management     CVE-2014-3194: Use-after-free in Web Workers     CVE-2014-3195: Information Leak in V8 CVE-2014-3196:
    Permissions bypass in Windows Sandbox CVE-2014-3197:
    Information Leak in XSS Auditor CVE-2014-3198:
    Out-of-bounds read in PDFium CVE-2014-3199: Release     Assert in V8 bindings CVE-2014-3200: Various fixes from     internal audits, fuzzing and other initiatives

  - Drop the build of the Native Client. This is actually     not a build as that prebuild binaries are being shipped.
    Also Google no longer provides prebuild binaries for the     NativeClient for 32bit. Chromium as webbrowser is not     affected by this and it bring Chromium inline with the     regulations that prebuild binaries should not be     shipped.

  - toolchaing_linux tarball dropped

  - Spec-file cleaned for NaCl stuff

  - Added patch no-clang-on-packman.diff to prevent the     usage of clang on packman, which is not supported there

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2345-1 advisory.

    Multiple use-after-free issues were discovered in Blink. If a user were tricked in to opening a specially     crafted website, an attacker could potentially exploit these to cause a denial of service via renderer     crash, or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-3178,     CVE-2014-3190, CVE-2014-3191, CVE-2014-3192)

    Multiple security issues were discovered in Chromium. If a user were tricked in to opening a specially     crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial     of service via application crash or execute arbitrary code with the privileges of the user invoking the     program. (CVE-2014-3179, CVE-2014-3200)

    It was discovered that Chromium did not properly handle the interaction of IPC and V8. If a user were     tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute     arbitrary code with the privileges of the user invoking the program. (CVE-2014-3188)

    A use-after-free was discovered in the web workers implementation in Chromium. If a user were tricked in     to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of     service via applicatin crash or execute arbitrary code with the privileges of the user invoking the     program. (CVE-2014-3194)

    It was discovered that V8 did not correctly handle Javascript heap allocations in some circumstances. If a     user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to     steal sensitive information. (CVE-2014-3195)

    It was discovered that Blink did not properly provide substitute data for pages blocked by the XSS     auditor. If a user were tricked in to opening a specially crafter website, an attacker could potentially     exploit this to steal sensitive information. (CVE-2014-3197)

    It was discovered that the wrap function for Event's in the V8 bindings in Blink produced an erroneous     result in some circumstances. If a user were tricked in to opening a specially crafted website, an     attacker could potentially exploit this to cause a denial of service by stopping a worker process that was     handling an Event object. (CVE-2014-3199)

    Multiple security issues were discovered in V8. If a user were tricked in to opening a specially crafted     website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of     service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process.
    (CVE-2014-7967)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Chromium is an open source web browser, powered by WebKit (Blink).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash or, potentially, execute arbitrary code with the privileges of the user running Chromium. (CVE-2014-3188, CVE-2014-3189, CVE-2014-3190, CVE-2014-3191, CVE-2014-3192, CVE-2014-3193, CVE-2014-3194, CVE-2014-3199, CVE-2014-3200)

Several information leak flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to disclose potentially sensitive information.
(CVE-2014-3195, CVE-2014-3197, CVE-2014-3198)

All Chromium users should upgrade to these updated packages, which contain Chromium version 38.0.2125.101, which corrects these issues.
After installing the update, Chromium must be restarted for the changes to take effect.

Google Chrome Releases reports :

159 security fixes in this release, including 113 found using MemorySanitizer :

- [416449] Critical CVE-2014-3188: A special thanks to Juri Aedla for a combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox.

- [398384] High CVE-2014-3189: Out-of-bounds read in PDFium. Credit to cloudfuzzer.

- [400476] High CVE-2014-3190: Use-after-free in Events. Credit to cloudfuzzer.

- [402407] High CVE-2014-3191: Use-after-free in Rendering. Credit to cloudfuzzer.

- [403276] High CVE-2014-3192: Use-after-free in DOM. Credit to cloudfuzzer.

- [399655] High CVE-2014-3193: Type confusion in Session Management.
Credit to miaubiz.

- [401115] High CVE-2014-3194: Use-after-free in Web Workers. Credit to Collin Payne.

- [403409] Medium CVE-2014-3195: Information Leak in V8. Credit to Juri Aedla.

- [338538] Medium CVE-2014-3196: Permissions bypass in Windows Sandbox. Credit to James Forshaw.

- [396544] Medium CVE-2014-3197: Information Leak in XSS Auditor.
Credit to Takeshi Terada.

- [415307] Medium CVE-2014-3198: Out-of-bounds read in PDFium. Credit to Atte Kettunen of OUSPG.

- [395411] Low CVE-2014-3199: Release Assert in V8 bindings. Credit to Collin Payne.

- [420899] CVE-2014-3200: Various fixes from internal audits, fuzzing and other initiatives (Chrome 38).

- Multiple vulnerabilities in V8 fixed at the tip of the 3.28 branch (currently 3.28.71.15).

The version of Google Chrome installed on the remote Mac OS X host is a version prior to 37.0.2062.94. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in V8 and IPC that can lead to remote code     execution. (CVE-2014-3188)

  - Out-of-bounds read errors exist in PDFium.
    (CVE-2014-3189, CVE-2014-3198)

  - Use-after-free errors exist in Events, Rendering, DOM,     and Web Workers. (CVE-2014-3190, CVE-2014-3191,     CVE-2014-3192, CVE-2014-3194)

  - A type confusion error exists in Session Management.
    (CVE-2014-3193)

  - Information leak vulnerabilities exist in the V8     JavaScript engine and the XSS Auditor.
    (CVE-2014-3195, CVE-2014-3197)

  - A security bypass vulnerability exists in the Windows     Sandbox. (CVE-2014-3196)

  - An error exists related to assertion of bindings in     the V8 JavaScript engine. (CVE-2014-3199)

  - Multiple unspecified vulnerabilities exist.
    (CVE-2014-3200)

The version of Google Chrome installed on the remote host is a version prior to 37.0.2062.94. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in V8 and IPC that can lead to remote code     execution. (CVE-2014-3188)

  - Out-of-bounds read errors exist in PDFium.
    (CVE-2014-3189, CVE-2014-3198)

  - Use-after-free errors exist in Events, Rendering, DOM,     and Web Workers. (CVE-2014-3190, CVE-2014-3191,     CVE-2014-3192, CVE-2014-3194)

  - A type confusion error exists in Session Management.
    (CVE-2014-3193)

  - Information leak vulnerabilities exist in the V8     JavaScript engine and the XSS Auditor.
    (CVE-2014-3195, CVE-2014-3197)

  - A security bypass vulnerability exists in the Windows     Sandbox. (CVE-2014-3196)

  - An error exists related to assertion of bindings in     the V8 JavaScript engine. (CVE-2014-3199)

  - Multiple unspecified vulnerabilities exist.
    (CVE-2014-3200)

  - Multiple vulnerabilities in V8 exist.

ID	Name	Product	Family	Severity
199473	RHEL 6 : webkitgtk (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
199451	RHEL 7 : webkitgtk (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
86600	Apple iTunes < 12.2 Multiple Vulnerabilities (uncredentialed check)	Nessus	Peer-To-Peer File Sharing	high
84504	Apple iTunes < 12.2 Multiple Vulnerabilities (credentialed check)	Nessus	Windows	high
81145	Apple TV < 7.0.3 Multiple Vulnerabilities	Nessus	Misc.	critical
81087	Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE)	Nessus	MacOS X Local Security Checks	critical
81051	Mac OS X : Apple Safari < 6.2.3 / 7.1.3 / 8.0.3 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
81050	Apple iOS < 8.1.3 Multiple Vulnerabilities	Nessus	Mobile Devices	critical
79966	GLSA-201412-13 : Chromium: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
79267	openSUSE Security Update : chromium (openSUSE-SU-2014:1378-1)	Nessus	SuSE Local Security Checks	critical
78465	Ubuntu 14.04 LTS : Oxide vulnerabilities (USN-2345-1)	Nessus	Ubuntu Local Security Checks	high
78415	RHEL 6 : chromium-browser (RHSA-2014:1626)	Nessus	Red Hat Local Security Checks	critical
78104	FreeBSD : chromium -- multiple vulnerabilities (d2bbcc01-4ec3-11e4-ab3f-00262d5ed8ee)	Nessus	FreeBSD Local Security Checks	critical
78081	Google Chrome < 38.0.2125.101 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	critical
78080	Google Chrome < 38.0.2125.101 Multiple Vulnerabilities	Nessus	Windows	critical

Detections

Analytics

CVE-2014-3192

high

Tenable Plugins

critical

critical

high

high

critical

critical

high

critical

critical

critical

high

critical

critical

critical

critical