Vulnerabilities > CVE-2014-3803 - Information Exposure vulnerability in Google Chrome

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The SpeechInput feature in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to enable microphone access and obtain speech-recognition text without indication via an INPUT element with a -x-webkit-speech attribute.

Vulnerable Configurations

Part Description Count
Application
Google
3635

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyWindows
    NASL idOPERA_2200.NASL
    descriptionThe version of Opera installed on the remote host is prior to version 22. It is, therefore, reportedly affected by multiple vulnerabilities in the bundled version of Chromium : - Use-after-free errors exist related to
    last seen2020-06-01
    modified2020-06-02
    plugin id74362
    published2014-06-06
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74362
    titleOpera < 22 Multiple Chromium Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74362);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id(
        "CVE-2014-1743",
        "CVE-2014-1744",
        "CVE-2014-1745",
        "CVE-2014-1746",
        "CVE-2014-1747",
        "CVE-2014-1748",
        "CVE-2014-1749",
        "CVE-2014-3152",
        "CVE-2014-3803"
      );
      script_bugtraq_id(67237, 67517, 67582);
    
      script_name(english:"Opera < 22 Multiple Chromium Vulnerabilities");
      script_summary(english:"Checks version number of Opera.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a web browser that is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Opera installed on the remote host is prior to version
    22. It is, therefore, reportedly affected by multiple vulnerabilities
    in the bundled version of Chromium :
    
      - Use-after-free errors exist related to 'styles' and
        'SVG' handling. (CVE-2014-1743, CVE-2014-1745)
    
      - An integer overflow error exists related to audio
        handling. (CVE-2014-1744)
    
      - An out-of-bounds read error exists related to media
        filters. (CVE-2014-1746)
    
      - A user-input validation error exists related to
        handling local MHTML files that could allow
        for universal cross-site scripting (UXSS) attacks.
        (CVE-2014-1747)
    
      - An unspecified error exists related to the scrollbar
        that could allow UI spoofing. (CVE-2014-1748)
    
      - Various unspecified errors. (CVE-2014-1749)
    
      - An integer underflow error exists related to the V8
        JavaScript engine that could allow a denial of service
        condition. (CVE-2014-3152)
    
      - An error exists related to the 'Blick' 'SpeechInput'
        feature that could allow click-jacking and information
        disclosure. (CVE-2014-3803)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://blogs.opera.com/desktop/changelog22/");
      # http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2da726ba");
      script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20170922104144/http://www.opera.com:80/docs/changelogs/unified/2200/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Opera 22 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3152");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/06");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:opera:opera_browser");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("opera_installed.nasl");
      script_require_keys("SMB/Opera/Version", "SMB/Opera/Path");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("SMB/Opera/Version");
    path    = get_kb_item_or_exit("SMB/Opera/Path");
    
    version_ui = get_kb_item("SMB/Opera/Version_UI");
    if (isnull(version_ui)) version_report = version;
    else version_report = version_ui;
    
    if (get_kb_item("SMB/Opera/supported_classic_branch")) audit(AUDIT_INST_PATH_NOT_VULN, "Opera", version_report, path);
    
    fixed_version = "22.0.1471.50";
    
    # Check if we need to display full version info in case of Alpha/Beta/RC
    major_minor = eregmatch(string:version, pattern:"^([0-9]+\.[0-9]+)");
    if (major_minor[1] == "22.0")
    {
      fixed_version_report = fixed_version;
      version_report = version;
    }
    else fixed_version_report = "22.0";
    
    if (ver_compare(ver:version, fix:fixed_version) == -1)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
    
      if (report_verbosity > 0)
      {
        report =
          '\n  Path              : ' + path +
          '\n  Installed version : ' + version_report +
          '\n  Fixed version     : ' + fixed_version_report +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, "Opera", version_report, path);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2298-1.NASL
    descriptionA type confusion bug was discovered in V8. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-1730) A type confusion bug was discovered in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-1731) Multiple security issues including memory safety bugs were discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-1735, CVE-2014-3162) Multiple use-after-free issues were discovered in the WebSockets implementation. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-1740) Multiple integer overflows were discovered in CharacterData implementation. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-1741) Multiple use-after-free issues were discovered in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-1742, CVE-2014-1743) An integer overflow bug was discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-1744) An out-of-bounds read was discovered in Chromium. If a user were tricked in to opening a specially crafter website, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2014-1746) It was discovered that Blink allowed scrollbar painting to extend in to the parent frame in some circumstances. An attacker could potentially exploit this to conduct clickjacking attacks via UI redress. (CVE-2014-1748) An integer underflow was discovered in Blink. If a user were tricked in to opening a specially crafter website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-3152) A use-after-free was discovered in Chromium. If a use were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-3154) A security issue was discovered in the SPDY implementation. An attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-3155) A heap overflow was discovered in Chromium. If a use were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2014-3157) It was discovered that Blink did not enforce security rules for subresource loading in SVG images. If a user opened a site that embedded a specially crafted image, an attacker could exploit this to log page views. (CVE-2014-3160) It was discovered that the SpeechInput feature in Blink could be activated without consent or any visible indication. If a user were tricked in to opening a specially crafted website, an attacker could exploit this to eavesdrop on the user. (CVE-2014-3803). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id76756
    published2014-07-24
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76756
    titleUbuntu 14.04 LTS : oxide-qt vulnerabilities (USN-2298-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2298-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(76756);
      script_version("1.14");
      script_cvs_date("Date: 2019/09/19 12:54:30");
    
      script_cve_id("CVE-2014-1730", "CVE-2014-1731", "CVE-2014-1735", "CVE-2014-1740", "CVE-2014-1741", "CVE-2014-1742", "CVE-2014-1743", "CVE-2014-1744", "CVE-2014-1746", "CVE-2014-1748", "CVE-2014-3152", "CVE-2014-3154", "CVE-2014-3155", "CVE-2014-3157", "CVE-2014-3160", "CVE-2014-3162", "CVE-2014-3803");
      script_bugtraq_id(67082, 67374, 67375, 67376, 67517, 67572, 67582, 67972, 67977, 67980, 68677);
      script_xref(name:"USN", value:"2298-1");
    
      script_name(english:"Ubuntu 14.04 LTS : oxide-qt vulnerabilities (USN-2298-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A type confusion bug was discovered in V8. If a user were tricked in
    to opening a specially crafted website, an attacker could potentially
    exploit this to cause a denial of service via renderer crash, or
    execute arbitrary code with the privileges of the sandboxed render
    process. (CVE-2014-1730)
    
    A type confusion bug was discovered in Blink. If a user were tricked
    in to opening a specially crafted website, an attacker could
    potentially exploit this to cause a denial of service via renderer
    crash, or execute arbitrary code with the privileges of the sandboxed
    render process. (CVE-2014-1731)
    
    Multiple security issues including memory safety bugs were discovered
    in Chromium. If a user were tricked in to opening a specially crafted
    website, an attacker could potentially exploit these to cause a denial
    of service via application crash or execute arbitrary code with the
    privileges of the user invoking the program. (CVE-2014-1735,
    CVE-2014-3162)
    
    Multiple use-after-free issues were discovered in the WebSockets
    implementation. If a user were tricked in to opening a specially
    crafted website, an attacker could potentially exploit these to cause
    a denial of service via application crash or execute arbitrary code
    with the privileges of the user invoking the program. (CVE-2014-1740)
    
    Multiple integer overflows were discovered in CharacterData
    implementation. If a user were tricked in to opening a specially
    crafted website, an attacker could potentially exploit these to cause
    a denial of service via renderer crash or execute arbitrary code with
    the privileges of the sandboxed render process. (CVE-2014-1741)
    
    Multiple use-after-free issues were discovered in Blink. If a user
    were tricked in to opening a specially crafted website, an attacker
    could potentially exploit these to cause a denial of service via
    renderer crash or execute arbitrary code with the privileges of the
    sandboxed render process. (CVE-2014-1742, CVE-2014-1743)
    
    An integer overflow bug was discovered in Chromium. If a user were
    tricked in to opening a specially crafted website, an attacker could
    potentially exploit this to cause a denial of service via application
    crash or execute arbitrary code with the privileges of the user
    invoking the program. (CVE-2014-1744)
    
    An out-of-bounds read was discovered in Chromium. If a user were
    tricked in to opening a specially crafter website, an attacker could
    potentially exploit this to cause a denial of service via application
    crash. (CVE-2014-1746)
    
    It was discovered that Blink allowed scrollbar painting to extend in
    to the parent frame in some circumstances. An attacker could
    potentially exploit this to conduct clickjacking attacks via UI
    redress. (CVE-2014-1748)
    
    An integer underflow was discovered in Blink. If a user were tricked
    in to opening a specially crafter website, an attacker could
    potentially exploit this to cause a denial of service via renderer
    crash or execute arbitrary code with the privileges of the sandboxed
    render process. (CVE-2014-3152)
    
    A use-after-free was discovered in Chromium. If a use were tricked in
    to opening a specially crafted website, an attacker could potentially
    exploit this to cause a denial of service via renderer crash or
    execute arbitrary code with the privileges of the sandboxed render
    process. (CVE-2014-3154)
    
    A security issue was discovered in the SPDY implementation. An
    attacker could potentially exploit this to cause a denial of service
    via application crash or execute arbitrary code with the privileges of
    the user invoking the program. (CVE-2014-3155)
    
    A heap overflow was discovered in Chromium. If a use were tricked in
    to opening a specially crafted website, an attacker could potentially
    exploit this to cause a denial of service via renderer crash or
    execute arbitrary code with the privileges of the sandboxed render
    process. (CVE-2014-3157)
    
    It was discovered that Blink did not enforce security rules for
    subresource loading in SVG images. If a user opened a site that
    embedded a specially crafted image, an attacker could exploit this to
    log page views. (CVE-2014-3160)
    
    It was discovered that the SpeechInput feature in Blink could be
    activated without consent or any visible indication. If a user were
    tricked in to opening a specially crafted website, an attacker could
    exploit this to eavesdrop on the user. (CVE-2014-3803).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2298-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected liboxideqtcore0, oxideqt-codecs and / or
    oxideqt-codecs-extra packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:liboxideqtcore0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:oxideqt-codecs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:oxideqt-codecs-extra");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/07/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"liboxideqtcore0", pkgver:"1.0.4-0ubuntu0.14.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"oxideqt-codecs", pkgver:"1.0.4-0ubuntu0.14.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"oxideqt-codecs-extra", pkgver:"1.0.4-0ubuntu0.14.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "liboxideqtcore0 / oxideqt-codecs / oxideqt-codecs-extra");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_GOOGLE_CHROME_35_0_1916_114.NASL
    descriptionThe version of Google Chrome installed on the remote Mac OS X host is a version prior to 35.0.1916.114. It is, therefore, affected by the following vulnerabilities : - Use-after-free errors exist related to
    last seen2020-06-01
    modified2020-06-02
    plugin id74123
    published2014-05-21
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74123
    titleGoogle Chrome < 35.0.1916.114 Multiple Vulnerabilities (Mac OS X)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74123);
      script_version("1.12");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id(
        "CVE-2014-1743",
        "CVE-2014-1744",
        "CVE-2014-1745",
        "CVE-2014-1746",
        "CVE-2014-1747",
        "CVE-2014-1748",
        "CVE-2014-1749",
        "CVE-2014-3152",
        "CVE-2014-3803"
      );
      script_bugtraq_id(67517, 67582);
    
      script_name(english:"Google Chrome < 35.0.1916.114 Multiple Vulnerabilities (Mac OS X)");
      script_summary(english:"Checks version number of Google Chrome.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host contains a web browser that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Google Chrome installed on the remote Mac OS X host is
    a version prior to 35.0.1916.114. It is, therefore, affected by the
    following vulnerabilities :
    
      - Use-after-free errors exist related to 'styles' and
        'SVG' handling. (CVE-2014-1743, CVE-2014-1745)
    
      - An integer overflow error exists related to audio
        handling. (CVE-2014-1744)
    
      - An out-of-bounds read error exists related to media
        filters. (CVE-2014-1746)
    
      - A user-input validation error exists related to
        handling local MHTML files. (CVE-2014-1747)
    
      - An unspecified error exists related to the scrollbar
        that could allow UI spoofing. (CVE-2014-1748)
    
      - Various unspecified errors. (CVE-2014-1749)
    
      - An integer underflow error exists related to the V8
        JavaScript engine. (CVE-2014-3152)
    
      - An error exists related to the 'Blink' 'SpeechInput'
        feature that could allow click-jacking and information
        disclosure. (CVE-2014-3803)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2da726ba");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Google Chrome 35.0.1916.114 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3152");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:google:chrome");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_google_chrome_installed.nbin");
      script_require_keys("MacOSX/Google Chrome/Installed");
    
      exit(0);
    }
    
    include("google_chrome_version.inc");
    
    get_kb_item_or_exit("MacOSX/Google Chrome/Installed");
    
    google_chrome_check_version(fix:'35.0.1916.114', severity:SECURITY_HOLE, xss:TRUE);
    
  • NASL familyWindows
    NASL idGOOGLE_CHROME_35_0_1916_114.NASL
    descriptionThe version of Google Chrome installed on the remote host is a version prior to 35.0.1916.114. It is, therefore, affected by the following vulnerabilities : - Use-after-free errors exist related to
    last seen2020-06-01
    modified2020-06-02
    plugin id74122
    published2014-05-21
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74122
    titleGoogle Chrome < 35.0.1916.114 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74122);
      script_version("1.12");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id(
        "CVE-2014-1743",
        "CVE-2014-1744",
        "CVE-2014-1745",
        "CVE-2014-1746",
        "CVE-2014-1747",
        "CVE-2014-1748",
        "CVE-2014-1749",
        "CVE-2014-3152",
        "CVE-2014-3803"
      );
      script_bugtraq_id(67517, 67582);
    
      script_name(english:"Google Chrome < 35.0.1916.114 Multiple Vulnerabilities");
      script_summary(english:"Checks version number of Google Chrome.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a web browser that is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Google Chrome installed on the remote host is a version
    prior to 35.0.1916.114. It is, therefore, affected by the following
    vulnerabilities :
    
      - Use-after-free errors exist related to 'styles' and
        'SVG' handling. (CVE-2014-1743, CVE-2014-1745)
    
      - An integer overflow error exists related to audio
        handling. (CVE-2014-1744)
    
      - An out-of-bounds read error exists related to media
        filters. (CVE-2014-1746)
    
      - A user-input validation error exists related to
        handling local MHTML files. (CVE-2014-1747)
    
      - An unspecified error exists related to the scrollbar
        that could allow UI spoofing. (CVE-2014-1748)
    
      - Various unspecified errors. (CVE-2014-1749)
    
      - An integer underflow error exists related to the V8
        JavaScript engine. (CVE-2014-3152)
    
      - An error exists related to the 'Blick' 'SpeechInput'
        feature that could allow click-jacking and information
        disclosure. (CVE-2014-3803)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2da726ba");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Google Chrome 35.0.1916.114 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3152");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:google:chrome");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("google_chrome_installed.nasl");
      script_require_keys("SMB/Google_Chrome/Installed");
    
      exit(0);
    }
    
    include("google_chrome_version.inc");
    
    get_kb_item_or_exit("SMB/Google_Chrome/Installed");
    installs = get_kb_list("SMB/Google_Chrome/*");
    
    google_chrome_check_version(installs:installs, fix:'35.0.1916.114', severity:SECURITY_HOLE, xss:TRUE);