Chrome OS Update Brings a Handful of Security Fixes

A small but important security update is rolling out to Chrome OS devices this morning, bringing a handful of high-priority security fixes to the platform.  The new build is 57.0.2987.137 (Platform version: 9202.60.0), and it is available for the vast majority of devices out there.  The only devices you won’t find it for are the AOpen Chromebase Mini, AOpen Chromebox Mini, Google Chromebook Pixel (2015), ASUS Chromebook Flip C100PA, and Samsung Chromebook Plus.  If you have one of these devices, this update won’t be coming to you, at least not yet.

Unlike the last Stable channel update to the platform, this update is purely focused on security updates.  The Chromium team called out five specific issues that the build resolves in their release notes.  If you have a Chrome OS device, you will want to get this update ASAP.

Here is a rundown of the security fixes in this build and the bounty Google paid for finding each of them.

  • [$3000][699166] High CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs
  • [$1000][662767] High CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin
  • [$N/A][705445] High CVE-2017-5056: Use after free in Blink. Credit to anonymous
  • [$N/A][702058] High CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587)

There are other updates and fixes, but Google, as it traditionally does, is keeping the details secret until the majority of devices have been updated.

To force your Chromebook to do the update, just type chrome://help in the browser bar. That will take you into settings, where you can click the button to check for updates.