Chrome 56 is being rolled out to Windows, Linux, and Mac users and should be available to everyone over the next few days. Along with 56 security updates, this new version comes with quite a few goodies such as HTML5 by default, support for the Sticky position attribute, and the Web Bluetooth API.

Google Chrome 56.0.2924.76

HTML5 by default means that Chrome should be disabling Flash on web sites that I have not visited before. Unfortunately, this feature didn't seem to work when I tested it on sites I have not visited before as Flash worked perfectly without prompting me. Maybe I did something wrong.

Chrome 56 also includes support for the CSS3 Position: Sticky attribute, which makes it easy to add sticky content to web sites so that the content stays visible as you scroll down a page. The other big feature is the addition of the Web Bluetooth API, which allows Chrome apps to connect to devices such as light bulbs, toys, heart-rate monitors, and LED using JavaScript. I can't wait to see how this is abused, I mean used.

Last, but definitely not least, this update also includes 56 security updates, with 4 of them being XSS vulnerabilities. The full list of security updates is described below:

| Bounty | Bug ID | Severity | CVE Identifier | Description and Credits |
|---|---|---|---|---|
| $8,837 | 671102 | High | CVE-2017-5007 | Universal XSS in Blink. Credit to Mariusz Mlynski |
| $8,000 | 673170 | High | CVE-2017-5006 | Universal XSS in Blink. Credit to Mariusz Mlynski |
| $8,000 | 668552 | High | CVE-2017-5008 | Universal XSS in Blink. Credit to Mariusz Mlynski |
| $7,500 | 663476 | High | CVE-2017-5010 | Universal XSS in Blink. Credit to Mariusz Mlynski |
| $3,000 | 662859 | High | CVE-2017-5011 | Unauthorised file access in Devtools. Credit to Khalil Zhani |
| $3,000 | 667504 | High | CVE-2017-5009 | Out of bounds memory access in WebRTC. Credit to Sean Stanek and Chip Bradford |
| $5,500 | 681843 | High | CVE-2017-5012 | Heap overflow in V8. Credit to Gergely Nagy (Tresorit) |
| $2,000 | 677716 | Medium | CVE-2017-5013 | Address spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah) |
| $2,000 | 675332 | Medium | CVE-2017-5014 | Heap overflow in Skia. Credit to sweetchip |
| $2,000 | 673971 | Medium | CVE-2017-5015 | Address spoofing in Omnibox. Credit to Armin Razmdjou |
| $2,000 | 666714 | Medium | CVE-2017-5019 | Use after free in Renderer. Credit to Wadih Matar |
| $1,000 | 673163 | Medium | CVE-2017-5016 | UI spoofing in Blink. Credit to Haosheng Wang (@gnehsoah) |
| $500 | 676975 | Medium | CVE-2017-5017 | Uninitialised memory access in webm video. Credit to danberm |
| $500 | 668665 | Medium | CVE-2017-5018 | Universal XSS in chrome apps. Credit to Rob Wu |
| TBD | 668653 | Medium | CVE-2017-5020 | Universal XSS in chrome downloads. Credit to Rob Wu |
| N/A | 663726 | Low | CVE-2017-5021 | Use after free in Extensions. Credit to Rob Wu |
| N/A | 663620 | Low | CVE-2017-5022 | Bypass of Content Security Policy in Blink. Credit to 李普君 of 无声信息技术PKAV Team |
| N/A | 651443 | Low | CVE-2017-5023 | Type confusion in metrics. Credit to the UK's National Cyber Security Centre (NCSC) |
| N/A | 643951 | Low | CVE-2017-5024 | Heap overflow in FFmpeg. Credit to Paul Mehta |
| N/A | 643950 | Low | CVE-2017-5025 | Heap overflow in FFmpeg. Credit to Paul Mehta |
| $500 | 634108 | Low | CVE-2017-5026 | UI spoofing. Credit to Ronni Skansing |

The following fixes were resolved internally by Google:

[685349] Various fixes from internal audits, fuzzing and other initiatives

It is strongly advised that everyone update Chrome as soon as possible.

To update Chrome, simply click on the Settings menu button, click on Help, and then select About Chrome. Chrome will then check for updates and install them. A restart of Chrome will be required to fully finish the upgrade.
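To confirm the update has landed on more than one machine, the version string each browser reports can be compared against 56.0.2924.76, the build named above. The following is an added example, not part of the original article; the hostnames and the sample version strings other than 56.0.2924.76 are constructed, and the input is assumed to be the version text as shown on the About Chrome page.

```python
import re

# Fixed build named in this article; anything older lacks the Chrome 56 fixes.
PATCHED = (56, 0, 2924, 76)

# Four dot-separated numeric parts, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the four-part version found in the text as a tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(text, patched=PATCHED):
    """True if the reported build is older than `patched`; None if unparseable."""
    version = parse_chrome_version(text)
    if version is None:
        return None
    # Compare as integers: as strings, "2924.9" would wrongly sort after "2924.76".
    return version < patched


def triage(inventory):
    """Split {host: version_text} into outdated, current and unknown host lists."""
    result = {"outdated": [], "current": [], "unknown": []}
    for host, text in sorted(inventory.items()):
        verdict = needs_update(text)
        key = "unknown" if verdict is None else ("outdated" if verdict else "current")
        result[key].append(host)
    return result


# Constructed sample inventory (hostnames and non-56.0.2924.76 builds are made up).
SAMPLE = {
    "ws-01": "Google Chrome 55.0.2883.87",
    "ws-02": "Google Chrome 56.0.2924.76",
    "ws-03": "Chromium 56.0.2924.9 Built on Ubuntu",
    "ws-04": "Google Chrome 57.0.2987.21 beta",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown list reported no parseable version and need a manual check rather than being counted as patched.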
