Chrome 55 has been released, fixing 36 security vulnerabilities and switching the Adobe Flash plugin off by default.
Of the 36 flaws resolved, 26 were disclosed by external security researchers, and Google paid $70,000 in bug bounty rewards for them. Twelve of these security issues were rated high risk, 9 medium and 5 low risk.
The first high risk bug on the list was a private property access in V8 (CVE-2016-9651). The following five, however, were awarded $7,500 each: four universal XSS flaws in Blink (CVE-2016-5204, CVE-2016-5205, CVE-2016-5207, and CVE-2016-5208), three of them found by Mariusz Mlynski, and a same-origin bypass in PDFium (CVE-2016-5206), found by Rob Wu.
Other high risk vulnerabilities patched in Chrome 55 include a use after free in PDFium (CVE-2016-5203), an out of bounds write in Blink (CVE-2016-5209), an out of bounds write in PDFium (CVE-2016-5210), a use after free in PDFium (CVE-2016-5211), a local file disclosure in DevTools (CVE-2016-5212), and a use after free in V8 (CVE-2016-5213).
The medium and low severity bugs resolved in Chrome this month affected components such as PDFium, Omnibox, V8, Blink, ANGLE, SVG, and Webaudio, as well as the browser’s file download protection. The release of Chrome 55.0.2883.75 for Windows, Mac, and Linux resolves these issues along with those discovered internally, Google said in an advisory.
In addition to patching vulnerabilities, Chrome 55 improves user security by blocking Flash content on websites out of the box.
Google said earlier this year that users would have to manually enable Flash on sites that require it.
Flash will continue to be bundled with Chrome, but its presence won’t be “advertised by default.” Google also said users will have to enable Flash only the first time they visit a site that requires it, and the option will be remembered for subsequent visits.