CVE-2016-5136, CVE-2016-5137
[º¸¾È´º½º ¹®°¡¿ë] ÇöÁö ½Ã°¢À¸·Î 7¿ù 23ÀÏ, ¿ì¸®³ª¶ó ½Ã°£À¸·Î´Â ´ë·« 23ÀÏ¿¡¼ 24ÀÏ·Î ³Ñ¾î¿À´Â ¹ã »çÀÌ¿¡ ¹Ì±¹ÀÇ National Vulnerability DatabaseÀ» ÅëÇØ ¹ßÇ¥µÈ Ãë¾àÁ¡µéÀÌ´Ù.
1. CVE-2016-5133
±¸±Û Å©·Ò 52.0.2743.82 ÀÌÀü ¹öÀüÀÇ Ãë¾àÁ¡À¸·Î ÇÁ·Ï½Ã ÀÎÁõ °úÁ¤ Áß Á¤º¸ Ãâó¸¦ Á¦´ë·Î ´Ù·çÁö ¾Ê´Â´Ù. À̷νá Áß°£ÀÚ °ø°ÝÀ¸·Î ÇÁ·Ï½Ã ÀÎÁõ °úÁ¤À» ½ºÇªÇÎÇÒ ¼ö ÀÖÀ¸¸ç, Ŭ¶óÀ̾ðÆ®¿Í ¼¹ö °£ µ¥ÀÌÅÍ ½ºÆ®¸²À» Á¶ÀÛÇØ À߸øµÈ Å©¸®µ§¼ÈÀ» ¹ßµ¿½Ãų ¼öµµ ÀÖ´Ù.
2. CVE-2016-5134
±¸±Û Å©·Ò 52.0.2743.82 ÀÌÀü ¹öÀüÀÇ Proxy Auto-Config ±â´ÉÀÇ net/proxy/proxy_service.cc¿¡ ÀÖ´Â Ãë¾àÁ¡À¸·Î URL Á¤º¸°¡ scheme, host, port¿¡ ¿Ã¹Ù·Î Á¦Çѵǵµ·Ï ÇÏÁö ¾Ê´Â´Ù. ÀÌ·Î½á ¿ø°ÝÀÇ °ø°ÝÀÚµéÀÌ ¼¹ö Å©¸®µ§¼ÈÀ» ÃëµæÇÏ´Â °Ô °¡´ÉÇØÁø´Ù. CVE-2016-3763°ú °ü·ÃÀÌ ÀÖ´Â Ãë¾àÁ¡ÀÌ´Ù.
3. CVE-2016-5135
±¸±Û Å©·Ò 52.0.2743.82 ÀÌÀü ¹öÀüÀÇ BlinkÀÇ WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp¿¡ ÀÖ´Â Ãë¾àÁ¡À¸·Î preload ¿äû ó¸® ½Ã HTML ¹®¼ ³» referrer-policy Á¤º¸¸¦ Á¦´ë·Î ´Ù·çÁö ¾Ê´Â´Ù. ÀÌ·Î½á ¿ø°ÝÀÇ °ø°ÝÀÚµéÀÌ Content Security Policy º¸È£ ÀåÄ¡¸¦ ¿ìȸÇÒ ¼ö ÀÖ°Ô µÈ´Ù.
4. CVE-2016-5136
±¸±Û Å©·Ò 52.0.2743.82 ÀÌÀü ¹öÀüÀÇ Extensions ¼ºê½Ã½ºÅÛÀÇ extensions/renderer/user_script_injector.ccÀÇ UaF Ãë¾àÁ¡À¸·Î ¿ø°ÝÀÇ °ø°ÝÀÚ°¡ CoS °ø°ÝÀ» °¨ÇàÇÒ ¼ö ÀÖ°Ô ÇØÁØ´Ù.
5. CVE-2016-5137
±¸±Û Å©·Ò 52.0.2743.82 ÀÌÀü ¹öÀüÀÇ BlinkÀÇ Contents Security PolicyÀÇ WebKit/Source/core/frame/csp/CSPSource.cppÀÇ CSPSource::schemeMatches ÇÔ¼ö¿¡ ÀÖ´Â Ãë¾àÁ¡À¸·Î http:80 Á¤Ã¥À» http:443 URLµé¿¡ Àû¿ëÇÏÁö ¾Ê°í, ws:80 Á¤Ã¥À» wss:443 URLµé¿¡ Àû¿ëÇÏÁö ¾Ê´Â´Ù. ÀÌ·Î½á °ø°ÝÀÚµéÀÌ Æ¯Á¤ HSTS À¥ »çÀÌÆ®°¡ ¹æ¹®µÇ¾ú´ÂÁö ¾Æ´ÑÁö ½±°Ô ÆǺ°ÇÒ ¼ö ÀÖ°Ô µÈ´Ù. CVE-2016-1617°ú °ü·ÃÀÌ ÀÖ´Â Ãë¾àÁ¡ÀÌ´Ù.
[±¹Á¦ºÎ ¹®°¡¿ë ±âÀÚ(globoan@boannews.com)]
<ÀúÀÛ±ÇÀÚ: º¸¾È´º½º(www.boannews.com) ¹«´ÜÀüÀç-Àç¹èÆ÷±ÝÁö>