Version 55.0.2883.75 of Google Chrome was released today, which fixes 26 reported vulnerabilities and others discovered internally by Google. Unfortunately, at this time the severity of these vulnerabilities are not known, but based on the bounty rewards, at least 5 of them could be remote execution or XSS vulnerabilities.
Of the 36 fixes, 26 fixes were contributed by external researchers. These are:
| Bounty | Bug ID | Severity | CVE Identifier | Credits |
| N/A | 664411 | High | CVE-2016-9651 | Private property access in V8. Credit to Guang Gong of Alpha Team Of Qihoo 360 |
|
$7,500 |
658535 | High | CVE-2016-5208 | Universal XSS in Blink. Credit to Mariusz Mlynski |
| $7,500 | 655904 | High | CVE-2016-5207 | Universal XSS in Blink. Credit to Mariusz Mlynski |
| $7,500 | 653749 | High | CVE-2016-5206 | Same-origin bypass in PDFium. Credit to Rob Wu (robwu.nl) |
| $7,500 | 646610 | High | CVE-2016-5205 | Universal XSS in Blink. Credit to Anonymous |
| $7,500 | 630870 | High | CVE-2016-5204 | Universal XSS in Blink. Credit to Mariusz Mlynski |
| $5,000 | 664139 | High | CVE-2016-5209 | Out of bounds write in Blink. Credit to Giwan Go of STEALIEN |
| $3,000 | 644219 | High | CVE-2016-5203 | Use after free in PDFium. Credit to Anonymous |
| $3,500 | 654183 | High | CVE-2016-5210 | Out of bounds write in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB |
| $3,000 | 653134 | High | CVE-2016-5212 | Local file disclosure in DevTools. Credit to Khalil Zhani |
| $3,000 | 649229 | High | CVE-2016-5211 | Use after free in PDFium. Credit to Anonymous |
| $500 | 652548 | High | CVE-2016-5213 | Use after free in V8. Credit to Khalil Zhani |
| $N/A | 601538 | Medium | CVE-2016-5214 | File download protection bypass. Credit to Jonathan Birch and MSVR |
| $3,000 | 653090 | Medium | CVE-2016-5216 | Use after free in PDFium. Credit to Anonymous |
| $3,000 | 619463 | Medium | CVE-2016-5215 | Use after free in Webaudio. Credit to Looben Yang |
| $2,500 | 654280 | Medium | CVE-2016-5217 | Use of unvalidated data in PDFium. Credit to Rob Wu (robwu.nl) |
|
$2,000 |
660498 | Medium | CVE-2016-5218 | Address spoofing in Omnibox. Credit to Abdulrahman Alqabandi (@qab) |
| $1,500 | 657568 | Medium | CVE-2016-5219 | Use after free in V8. Credit to Rob Wu (robwu.nl) |
| $1,000 | 660854 | Medium | CVE-2016-5221 | Integer overflow in ANGLE. Credit to Tim Becker of ForAllSecure |
| $1,000 | 654279 | Medium | CVE-2016-5220 | Local file access in PDFium. Credit to Rob Wu (robwu.nl) |
| $500 | 657720 | Medium | CVE-2016-5222 | Address spoofing in Omnibox. Credit to xisigr of Tencent's Xuanwu Lab |
| N/A | 653034 | Low | CVE-2016-9650 | CSP Referrer disclosure. Credit to Jakub Żoczek |
| N/A | 652038 | Low | CVE-2016-5223 | Integer overflow in PDFium. Credit to Hwiwon Lee |
| N/A | 639750 | Low | CVE-2016-5226 | Limited XSS in Blink. Credit to Jun Kokatsu (@shhnjk) |
| N/A | 630332 | Low | CVE-2016-5225 | CSP bypass in Blink. Credit to Scott Helme (@Scott_Helme, scotthelme.co.uk) |
| N/A | 615851 | Low | CVE-2016-5224 | Same-origin bypass in SVG. Credit to Roeland Krak |
The following fixes were resolved internally by Google:
[669928] CVE-2016-9652: Various fixes from internal audits, fuzzing and other initiatives
It is strongly advised that everyone update Chrome as soon as possible.
To update Chrome, simply click on the Settings menu button (
), click on Help, and then select About Chrome. Chrome will then check for updates and install them. A restart of Chrome will be required to fully finish the upgrade.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now