Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 55 Patches 36 Flaws, Blocks Flash by Default

Google this week released Chrome 55 to resolve 36 security vulnerabilities and to switch the popular Adobe Flash plugin off by default.

Google this week released Chrome 55 to resolve 36 security vulnerabilities and to switch the popular Adobe Flash plugin off by default.

Of the 36 flaws resolved this month, 26 were disclosed by external security researchers and Google paid $70,000 in bug bounty rewards for them. 12 of these security issues were rated High risk, 9 were rated Medium severity and 5 were considered Low risk.

The first High risk bug on the list was a private property access in V8 (CVE-2016-9651) and wasn’t rewarded a cash prize. The following five, however, were rewarded $7500 each: four universal XSS in Blink (CVE-2016-5204, CVE-2016-5205, CVE-2016-5207, and CVE-2016-5208) – three found by Mariusz Mlynski –, and a Same-origin bypass in PDFium (CVE-2016-5206), found by Rob Wu.

Other High risk vulnerabilities patched in Chrome 55 include a use after free in PDFium (CVE-2016-5203), an out of bounds write in Blink (CVE-2016-5209), an out of bounds write in PDFium (CVE-2016-5210), a use after free in PDFium (CVE-2016-5211), a local file disclosure in DevTools (CVE-2016-5212), and a use after free in V8 (CVE-2016-5213).

The Medium and Low severity bugs resolved in chrome this month were affecting components such as PDFium, Omnibox, V8, Blink, ANGLE, SVG, and Webaudio, or the browser’s file download protection. The release of Chrome 55.0.2883.75 for Windows, Mac, and Linux resolves these issues along with those discovered internally, Google’s advisory reveals.

In addition to patching vulnerabilities, Chrome 55 improves user security by blocking websites that contain Flash content out-of-the-box. The deprecation of Flash in Chrome was announced earlier this year, and Google stayed true to its word: HTML5 is the default experience now and users have to manually enable Flash on sites that require it.

As before, however, the highly vulnerable Flash Player will continue to be bundled with Chrome, only that its presence won’t be “advertised by default.” Google also explains that users will have to enable Flash only the first time they visit a site that requires it, and the option will be remembered for subsequent visits.

Starting in Jan. 2017, Google will also remove Flash ads from its advertising platform, after it stopped accepting them on Jun. 30, 2016. Google recommends HTML5 as the go-to plugin for ads and encourages advertisers to switch to it as soon as possible, to avoid disruptions. Amazon too stopped accepting Flash ads last year.

Advertisement. Scroll to continue reading.

Additionally, Chrome 55 resolves an issue where an untrusted error was displayed when visiting websites using some Symantec, GeoTrust, and Thawte SSL/TLS certificates. According to Symantec, there’s still an outstanding issue with Android apps that leverage the WebView version 53, but WebView version 54 and Chrome 55 resolve it.

Other Chrome-based applications and platforms have been already patched, including the Chrome browser for Windows, Mac, and Linux. “All of these will operate normally on Chrome version 54 for the time being, and are fully patched in Chrome version 55,” Symantec says.

Related Reading: Attackers Exploited Chrome Zero-Day to Deliver Android Trojan

Related Reading: Chrome’s Certificate Transparency to Become Mandatory

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.