• Home
  • News
  • Software
  • Google Chrome 57 Released with WebAssembly Support, 36 Security Fixes

Google Chrome 57 Released with WebAssembly Support, 36 Security Fixes

  • March 10, 2017
  • 04:16 AM
  • 0

Chrome 57

Version 57 of the Google Chrome for Android, Chrome OS, Linux, Mac, and Windows is available for download, or update, using the browser's built-in update feature.

Chrome's new release comes with two new main features, a host of improvements to existing browser APIs, and 36 security fixes.

The biggest addition to Chrome 57 is support for WebAssembly, a new standard for packing and delivering web pages. We've already gone through WebAssembly's major benefits in a previous story, two days ago, when Firefox 52 became the first browser to offer WebAssembly support in its stable branch.

CSS Grid Layout

The other major feature in Chrome 57 is actually a big deal for developers. Called CSS Grid Layout, this is a new system for arranging content on web pages.

CSS Grid Layout [1, 2] was created specifically to support responsive web design (RWD), meaning websites that have to render on all sorts of devices, from small smartwatches to huge smart TV screens.

Previously, developers have relied on CSS media queries to detect the size of the screen and display page elements at different sizes. Unfortunately, this solution was cumbersome as it required developers to manage different CSS styles for different screen sizes, which meant that making a small tweek would needed countless of edits per each screen size.

Later, the CSS Flexbox display simplified the creation of responsive pages, but flexbox elements worked on their own, sometimes showing at different positions than intended and breaking overall page style.

The CSS Grid Layout allows developers to create uniform square grids on which to place page elements. If the size of the screen shrinks, the page element is resized or moved to a new row, without breaking the grid or leaving big gaps. The new CSS Grid Layout is just a simpler way to create CSS grids without having to use open-source CSS frameworks that contain hundreds of lines of CSS code.

Developers can control both the vertical and horizontal position and size of grid elements, something they could not do with previous solutions. CSS Grid Layout also shipped with Firefox 52, launched two days ago.

Media Session API

Last but not least is the addition of the new  Media Session API, which is a new API Google developed specifically for Chrome on Android.

This new API lets site owners push media-rich content to notifications. For example, if a site is playing audio or video, it can push details such as title, artist, album name, and artwork to the phone's lock screen or notification dropdown panel.

Media Session API

Other new features in Chrome 57 include an improved "Add to Home screen" feature, and a feature that locks screen orientation according to the aspect ratio of the video when a Chrome video enters fullscreen. Other smaller changes are listed below.

  • The WebAssembly API has been enabled by default, allowing developers to run near-native code in the browser without a plugin.
  • When a video enters fullscreen on an Android device, Chrome now automatically locks the screen orientation according to the aspect ratio of the video.
  • Sites using continuous setTimeout() will now be throttled when using loops to drive out-of-view frame animations, improving performance for users.
  • The Fetch API Response class now supports the .redirected attribute to help web developers avoid untrustworthy responses and reduce the risk of open redirectors.
  • The new padStart and padEnd formatting tools enable text padding, facilitating tasks like aligning console output or printing numbers with a fixed number of digits.
  • Service Worker Navigation Preload is now available as an Origin Trial, allowing developers to parallelize the network request for the main resource alongside service worker startup.
  • The Payment Request API can be made available inside an iframe by adding the allowpaymentrequest attribute.
  • PaymentMethodData now supports basic-card, so developers can refer to all card types with a single method identifier, rather than individual data types.
  • To simplify the migration from HTTP to HTTPS, stored credentials for HTTP forms are now transferred to the HTTPS version of the site, and the Credential Management API now supports filling credentials from matching subdomains.
  • The caret-color property enables developers to specify the color of the text input cursor.
  • To preserve consistency with other on attributes, ongotpointercapture and onlostpointercapture are now part of the GlobalEventHandlers mixin.
  • Support is now available for text-decoration-skip: ink to make underlines skip descenders, the portion of letters that extend below the text's baseline.
  • New text-decoration properties are now available, allowing developers to specify visual effects such as line color and style.
  • The PresentationRequest constructor has been modified to accept multiple URLs via a sequence<DOMString>, in addition to the existing constructor that takes a single URL.
  • The new AudioContext.getOutputTimestamp() method enables developers to synchronize DOMHighResTimeStamp and AudioContext.currentTime values.
  • AudioBufferSourceNode, OscillatorNode, and ConstantSourceNode now inherit from AudioScheduledSourceNode, consolidating functionality.
  • The new cancelAndHoldAtTime function cancels future AudioParam events with times greater than or equal to cancelTime, allowing developers to preserve the value of the scheduled time in a direct way.
  • Developers can now construct WebAudio-specific events such as OfflineAudioCompletionEvent and AudioProcessEvent.
  • To increase user security, Chrome's XSS Auditor now blocks entire suspicious pages by default, rather than selectively filtering out the suspected reflected XSS on the page.

Security updates

The biggest security change in Chrome 57 is related to the deprecation of SHA-1 certificates.

SHA-1-based certificates were already distrusted in Chrome, but Google allowed intranet and closed networks sysadmins to use SHA-1 certs locally on their network.

From now on, locally-trusted SHA-1 certificates are distrusted by default as well and will result in a certificate error page unless the EnableSha1ForLocalAnchors enterprise policy has been set.

The following security bugs have also been fixed with the release of Chrome 57.

  • [$7500][682194] High CVE-2017-5030: Memory corruption in V8. Credit to Brendon Tiszka
  • [$5000][682020] High CVE-2017-5031: Use after free in ANGLE. Credit to Looben Yang
  • [$3000][668724] High CVE-2017-5032: Out of bounds write in PDFium. Credit to Ashfaq Ansari - Project Srishti
  • [$3000][676623] High CVE-2017-5029: Integer overflow in libxslt. Credit to Holger Fuhrmannek
  • [$3000][678461] High CVE-2017-5034: Use after free in PDFium. Credit to Ke Liu of Tencent's Xuanwu LAB
  • [$3000][688425] High CVE-2017-5035: Incorrect security UI in Omnibox. Credit to Enzo Aguado
  • [$3000][691371] High CVE-2017-5036: Use after free in PDFium. Credit to Anonymous
  • [$1000][679640] High CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer. Credit to Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com)
  • [$500][679649] High CVE-2017-5039: Use after free in PDFium. Credit to jinmo123
  • [$2000][691323] Medium CVE-2017-5040: Information disclosure in V8. Credit to Choongwoo Han
  • [$1000][642490] Medium CVE-2017-5041: Address spoofing in Omnibox. Credit to Jordi Chancel
  • [$1000][669086] Medium CVE-2017-5033: Bypass of Content Security Policy in Blink. Credit to Nicolai Grødum
  • [$1000][671932] Medium CVE-2017-5042: Incorrect handling of cookies in Cast. Credit to Mike Ruddy
  • [$1000][695476] Medium CVE-2017-5038: Use after free in GuestView. Credit to Anonymous
  • [$1000][683523] Medium CVE-2017-5043: Use after free in GuestView. Credit to Anonymous
  • [$1000][688987] Medium CVE-2017-5044: Heap overflow in Skia. Credit to Kushal Arvind Shah of Fortinet's FortiGuard Labs
  • [$500][667079] Medium CVE-2017-5045: Information disclosure in XSS Auditor. Credit to Dhaval Kapil (vampire)
  • [$500][680409] Medium CVE-2017-5046: Information disclosure in Blink. Credit to Masato Kinugawa

The following fixes were resolved internally by Google:

  • [699618] Various fixes from internal audits, fuzzing and other initiatives

It is strongly advised that everyone update Chrome as soon as possible.

To update Chrome, simply click on the Settings menu button (), click on Help, and then select About Chrome. Chrome will then check for updates and install them.  A restart of Chrome will be required to fully finish the upgrade.

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers various topics such as data breaches, software vulnerabilities, exploits, hacking news, the Dark Web, malware, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is.
Post a Comment Community Rules
You need to login in order to post a comment

Not a member yet? Register Now

You may also like

Newsletter Sign Up

To receive periodic updates and news from BleepingComputer, please use the form below.

Latest Downloads

Login

Remember Me
Sign in anonymously

Reporter

Help us understand the problem. What is going on with this comment?

Learn more about what is not allowed to be posted.

SUBMIT