Google this week released Chrome 55 to resolve 36 security vulnerabilities and to switch the popular Adobe Flash plugin off by default.
Of the 36 flaws resolved this month, 26 were disclosed by external security researchers, and Google paid $70,000 in bug bounty rewards for them. Twelve of these security issues were rated High risk, 9 were rated Medium severity and 5 were considered Low risk.
The first High risk bug on the list was a private property access in V8 (CVE-2016-9651), which did not receive a cash reward. The following five, however, were rewarded $7,500 each: four universal XSS bugs in Blink (CVE-2016-5204, CVE-2016-5205, CVE-2016-5207, and CVE-2016-5208), three of them found by Mariusz Mlynski, and a same-origin bypass in PDFium (CVE-2016-5206), found by Rob Wu.
Other High risk vulnerabilities patched in Chrome 55 include a use after free in PDFium (CVE-2016-5203), an out of bounds write in Blink (CVE-2016-5209), an out of bounds write in PDFium (CVE-2016-5210), a use after free in PDFium (CVE-2016-5211), a local file disclosure in DevTools (CVE-2016-5212), and a use after free in V8 (CVE-2016-5213).
The Medium and Low severity bugs resolved in Chrome this month affected components such as PDFium, Omnibox, V8, Blink, ANGLE, SVG, and Webaudio, as well as the browser’s file download protection. The release of Chrome 55.0.2883.75 for Windows, Mac, and Linux resolves these issues along with those discovered internally, Google’s advisory reveals.
In addition to patching vulnerabilities, Chrome 55 improves user security by blocking websites that contain Flash content out-of-the-box. The deprecation of Flash in Chrome was announced earlier this year, and Google stayed true to its word: HTML5 is the default experience now and users have to manually enable Flash on sites that require it.
As before, however, the highly vulnerable Flash Player will continue to be bundled with Chrome, but its presence won’t be “advertised by default.” Google also explains that users will have to enable Flash only the first time they visit a site that requires it; the choice will be remembered for subsequent visits.
Starting in Jan. 2017, Google will also remove Flash ads from its advertising platform, after it stopped accepting them on Jun. 30, 2016. Google recommends HTML5 as the go-to format for ads and encourages advertisers to switch to it as soon as possible to avoid disruptions. Amazon, too, stopped accepting Flash ads last year.
Additionally, Chrome 55 resolves an issue where an untrusted error was displayed when visiting websites using some Symantec, GeoTrust, and Thawte SSL/TLS certificates. According to Symantec, there’s still an outstanding issue with Android apps that leverage the WebView version 53, but WebView version 54 and Chrome 55 resolve it.
Other Chrome-based applications and platforms have already been patched, including the Chrome browser for Windows, Mac, and Linux. “All of these will operate normally on Chrome version 54 for the time being, and are fully patched in Chrome version 55,” Symantec says.