June 14, 2021

Google Release Chrome 17.0.963.56 to Fix Vulnerabilities and Update Flash

(LiveHacking.Com) – Google has updated Chrome to 17.0.963.56 for Windows, Mac and Linux.  This release includes a number of stability and security fixes and also includes a new version of Flash. Google paid out nearly $7000 to security researchers who contributed to fixing these security issues.

The full list of security related bugs fixed is:

  • [105803] High CVE-2011-3015: Integer overflows in PDF codecs. Credit to Google Chrome Security Team (scarybeasts).
  • [$500] [106336] Medium CVE-2011-3016: Read-after-free with counter nodes. Credit to miaubiz.
  • [$1000] [108695] High CVE-2011-3017: Possible use-after-free in database handling. Credit to miaubiz.
  • [$1000] [110172] High CVE-2011-3018: Heap overflow in path rendering. Credit to Aki Helin of OUSPG.
  • [110849] High CVE-2011-3019: Heap buffer overflow in MKV handling. Credit to Google Chrome Security Team (scarybeasts) and Mateusz Jurczyk of the Google Security Team.
  • [111575] Medium CVE-2011-3020: Native client validator error. Credit to Nick Bray of the Chromium development community.
  • [$1000] [111779] High CVE-2011-3021: Use-after-free in subframe loading. Credit to Arthur Gerkis.
  • [112236] Medium CVE-2011-3022: Inappropriate use of http for translation script. Credit to Google Chrome Security Team (Jorge Obes).
  • [$500] [112259] Medium CVE-2011-3023: Use-after-free with drag and drop. Credit to pa_kt.
  • [112451] Low CVE-2011-3024: Browser crash with empty x509 certificate. Credit to chrometot.
  • [$500] [112670] Medium CVE-2011-3025: Out-of-bounds read in h.264 parsing. Credit to Sławomir Błażek.
  • [$1337] [112822] High CVE-2011-3026: Integer overflow / truncation in libpng. Credit to Jüri Aedla.
  • [$1000] [112847] High CVE-2011-3027: Bad cast in column handling. Credit to miaubiz.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.  Full details about what changes are in this release are available in the SVN revision log.

Adobe recetnly released a new version of Flash for Windows, OS X, Linux and Android. This new version of Chrome incorporates the updated version. The update addresses critical vulnerabilities in Adobe Flash Player. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. However this is only being exploited in Internet Explorer on Windows and not Chrome. More info on the Flash update is available from Adobe.