Chrome 55 Patches 36 Flaws, Blocks Flash by Default

Google this week released Chrome 55 to resolve 36 security vulnerabilities and to switch the popular Adobe Flash plugin off by default.


Of the 36 flaws resolved this month, 26 were disclosed by external security researchers and Google paid $70,000 in bug bounty rewards for them. 12 of these security issues were rated High risk, 9 were rated Medium severity and 5 were considered Low risk.

The first High risk bug on the list was a private property access in V8 (CVE-2016-9651), which was not awarded a cash prize. The following five, however, were rewarded $7500 each: four universal XSS in Blink (CVE-2016-5204, CVE-2016-5205, CVE-2016-5207, and CVE-2016-5208), three of them found by Mariusz Mlynski, and a same-origin bypass in PDFium (CVE-2016-5206), found by Rob Wu.

Other High risk vulnerabilities patched in Chrome 55 include a use after free in PDFium (CVE-2016-5203), an out of bounds write in Blink (CVE-2016-5209), an out of bounds write in PDFium (CVE-2016-5210), a use after free in PDFium (CVE-2016-5211), a local file disclosure in DevTools (CVE-2016-5212), and a use after free in V8 (CVE-2016-5213).

The Medium and Low severity bugs resolved in Chrome this month affected components such as PDFium, Omnibox, V8, Blink, ANGLE, SVG, and Webaudio, as well as the browser’s file download protection. The release of Chrome 55.0.2883.75 for Windows, Mac, and Linux resolves these issues along with those discovered internally, Google’s advisory reveals.

In addition to patching vulnerabilities, Chrome 55 improves user security by blocking websites that contain Flash content out-of-the-box. The deprecation of Flash in Chrome was announced earlier this year, and Google stayed true to its word: HTML5 is the default experience now and users have to manually enable Flash on sites that require it.

As before, however, the highly vulnerable Flash Player will continue to be bundled with Chrome, except that its presence won’t be “advertised by default.” Google also explains that users will have to enable Flash only the first time they visit a site that requires it, and the option will be remembered for subsequent visits.

Starting in Jan. 2017, Google will also remove Flash ads from its advertising platform, after it stopped accepting them on Jun. 30, 2016. Google recommends HTML5 as the go-to plugin for ads and encourages advertisers to switch to it as soon as possible, to avoid disruptions. Amazon too stopped accepting Flash ads last year.

Additionally, Chrome 55 resolves an issue where an untrusted error was displayed when visiting websites using some Symantec, GeoTrust, and Thawte SSL/TLS certificates. According to Symantec, there’s still an outstanding issue with Android apps that leverage WebView version 53, but WebView version 54 and Chrome 55 resolve it.

Other Chrome-based applications and platforms have already been patched, including the Chrome browser for Windows, Mac, and Linux. “All of these will operate normally on Chrome version 54 for the time being, and are fully patched in Chrome version 55,” Symantec says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
