VulDB: Google Chrome up to 19.0.1084.57 XLS Handler privilege escalation
General

scipID: 5610
Affected: Google Chrome up to 19.0.1084.57
Published: 06/26/2012 (Nicholas Gregoire)
Risk: problematic
Entry: 87.8% complete
Created: 06/27/2012
Updated: 09/03/2012
Summary
A vulnerability classified as problematic has been found in Google Chrome up to 19.0.1084.57. Affected is an unknown function of the component XLS Handler. The manipulation with an unknown input leads to a privilege escalation vulnerability. This is going to have an impact on confidentiality, integrity, and availability.
The weakness was published on 06/26/2012 by Nicholas Gregoire as 127417. The advisory is shared for download at code.google.com. The public release has been coordinated with the vendor. This vulnerability has been tracked as CVE-2012-2825 since 05/19/2012. It is possible to launch the attack remotely. The exploitation doesn’t require any form of authentication. The technical details are unknown and an exploit is not available.
Upgrading to version 20.0.1132.43 eliminates this vulnerability. The upgrade is hosted for download at google.com. The problem might be mitigated by replacing the product with Mozilla Firefox, Microsoft Internet Explorer, or Opera as an alternative. Upgrading to the latest version is suggested as the best possible mitigation. A possible mitigation was published immediately after the disclosure of the vulnerability. Further details are available at googlechromereleases.blogspot.de.
CVSS
Base Score: 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
| Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Network | Medium | None | Partial | Partial | Partial |
Exploiting
Class: Privilege escalation
Local: No
Remote: Yes
Availability: No
Countermeasures
Recommended: Upgrade
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Upgrade: Chrome 20.0.1132.43
Alternative: Mozilla Firefox, Microsoft Internet Explorer, Opera
Timeline
05/19/2012 | CVE assigned
06/26/2012 | Vendor acknowledged
06/26/2012 | Advisory disclosed
06/26/2012 | Countermeasure disclosed
06/27/2012 | VulDB entry created
09/03/2012 | VulDB entry updated
Sources
Advisory: 127417
Researcher: Nicholas Gregoire
Coordinated: Yes
CVE: CVE-2012-2825 (mitre.org) (nist.org) (cvedetails.com)