Vulnerabilities Weekly Summary Ending April 7

By Sharey Vendiola on April 5, 2017

Google Releases Security Updates for Chrome Vulnerabilities

Google released security updates for Chrome on March 29 that address critical and high severity vulnerabilities. The first fix is for a critical vulnerability, CVE-2017-5055, affecting Google Chrome versions before 57.0.2987.133. It is a use-after-free bug in Chrome's printing code that can allow a remote attacker to execute arbitrary code. A use-after-free occurs when a program references memory after that memory has been freed. If an attacker can reclaim the freed memory with controlled data before the stale reference is used, the program reads attacker-supplied values in place of the original object, including any function pointers it held, which can be steered into a crash or into executing arbitrary code such as shellcode. The other high severity fixes address a heap buffer overflow and an out-of-bounds memory access in V8, and a use-after-free in Blink, the web browser engine developed by the Chromium Project with contributions from Google. The credited security researchers are Wadih Matar, Nicolas Trippar of Zimperium zLabs, JeongHoon Shin, and Team Sniper from Keen Lab and PC Mgr.

  • CVE-2017-5055: “Google Chrome before 57.0.2987.133 is prone to a remote code execution vulnerability, due to a use-after-free issue in printing.”
  • CVE-2017-5054: “Google Chrome before 57.0.2987.133 is prone to an unspecified heap-overflow vulnerability in V8.” V8 is Google’s open source JavaScript engine, written in C++. A heap overflow is a form of buffer overflow in which data is written into a buffer allocated on the heap without bounds checking, so the write runs past the end of the buffer and overwrites whatever lies next to it on the heap, potentially including critical data structures or pointers.
  • CVE-2017-5056: “Google Chrome OS before 57.0.2987.137 is prone to a remote code execution vulnerability, due to a use-after-free issue in Blink.”
  • CVE-2017-5053: “Google Chrome OS before 57.0.2987.137 is prone to an out of bounds memory access vulnerability in V8 which could lead to remote code execution.”
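As an added example of the heap overflow described above (this is illustrative code written for this summary, not code from V8 or from any of the advisories), the C program below keeps a fixed-size name next to a function pointer inside one heap object. The unchecked setter copies until the terminating NUL and so writes into the pointer; the checked setter refuses input that does not fit. The `struct handler` layout, the field names and the sample inputs are all made up for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical heap object: a fixed-size name followed by a function
 * pointer the program later calls. Layout and names are made up here. */
struct handler {
    char name[16];
    void (*run)(struct handler *);
};

static void run_default(struct handler *h) { (void)h; }

static struct handler *handler_new(void) {
    struct handler *h = calloc(1, sizeof *h);
    if (h) h->run = run_default;
    return h;
}

/* Vulnerable (CWE-122): copies up to the NUL with no regard for
 * sizeof name, so a name of 16 bytes or more runs past the array and
 * into ->run, the pointer stored right after it in the same chunk. */
static void handler_set_name_unchecked(struct handler *h, const char *name) {
    size_t i = 0;
    do {
        h->name[i] = name[i];
    } while (name[i++] != '\0');
}

/* Hardened: refuse anything that does not fit together with its
 * terminator; nothing outside name[] is ever written. */
static int handler_set_name_checked(struct handler *h, const char *name) {
    size_t n = strlen(name);
    if (n >= sizeof h->name) return -1;
    memcpy(h->name, name, n + 1);
    return 0;
}

/* Fills buf (len bytes) with a constructed oversized name: len-1 'A's
 * plus the terminator, i.e. more than name[] can hold. */
static void make_oversized(char *buf, size_t len) {
    memset(buf, 'A', len - 1);
    buf[len - 1] = '\0';
}

/* Runs the checked setter on a fitting and an oversized constructed name
 * and reports whether the neighbouring function pointer survived.
 * Returns 1 on success, 0 on any failed expectation, -1 on calloc failure. */
static int demo_checked(void) {
    char oversized[24];
    make_oversized(oversized, sizeof oversized);
    struct handler *h = handler_new();
    if (!h) return -1;
    int ok = handler_set_name_checked(h, "print-job") == 0
          && strcmp(h->name, "print-job") == 0
          && handler_set_name_checked(h, oversized) == -1
          && strcmp(h->name, "print-job") == 0   /* rejected input left the buffer untouched */
          && h->run == run_default;               /* and the pointer next to it intact */
    free(h);
    return ok ? 1 : 0;
}

int main(int argc, char **argv) {
    /* 23 'A's + NUL: 7 bytes past name[] and exactly to the end of the
     * 24-byte object, so only ->run is clobbered, not heap metadata. */
    char oversized[24];
    make_oversized(oversized, sizeof oversized);
    struct handler *h = handler_new();
    if (!h) return 1;
    if (argc > 1 && strcmp(argv[1], "unchecked") == 0) {
        handler_set_name_unchecked(h, oversized);   /* ->run now holds 0x00414141... */
        printf("run pointer intact after unchecked copy: %d\n", h->run == run_default);
        /* h->run(h) would now jump to an attacker-chosen address */
    } else {
        printf("checked setter returned %d\n", handler_set_name_checked(h, oversized));
        printf("run pointer intact after checked copy: %d\n", h->run == run_default);
    }
    free(h);
    return demo_checked() == 1 ? 0 : 1;
}
```

Run with `unchecked` as the first argument to see the function pointer clobbered (with `-fsanitize=address` the overflow is reported as a heap-buffer-overflow); run with no argument to see the checked setter reject the same input and leave the pointer alone.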

The following code, from the CWE-416 entry, is an example of a use-after-free error:

When an error occurs, the pointer is freed immediately, but it is later incorrectly passed to the logError function, which then reads memory that has already been released.
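The CWE snippet itself is not reproduced on this page. The C program below is an added example written for this summary (not the CWE code and not Chrome's printing code) that shows the same error-path pattern on a hypothetical print job object, why it is exploitable, and a hardened version. The `struct job` type, its fields, the dispatcher functions and the sample job names are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical print job object; names and layout are made up here. */
struct job {
    char name[24];
    int pages;
    void (*on_done)(struct job *);   /* invoked by the dispatcher when the job completes */
};

static void job_done_default(struct job *j) { j->pages = 0; }

static struct job *job_new(const char *name, int pages) {
    struct job *j = calloc(1, sizeof *j);
    if (!j) return NULL;
    snprintf(j->name, sizeof j->name, "%s", name);
    j->pages = pages;
    j->on_done = job_done_default;
    return j;
}

/* Vulnerable (CWE-416): the job is freed on the error path but the
 * dangling pointer is dereferenced afterwards, like logError in the
 * CWE example. */
static int dispatch_vulnerable(struct job *j, int err) {
    int abrt = 0;
    if (err) {
        abrt = 1;
        free(j);                                   /* memory released here ... */
    }
    if (abrt) {
        fprintf(stderr, "aborted: %s\n", j->name); /* ... and read here: use after free */
        return -1;
    }
    j->on_done(j);                                 /* on a reclaimed chunk: attacker-chosen target */
    free(j);
    return 0;
}

/* Hardened: finish using the object, free it exactly once on every path,
 * and null the caller's pointer so a later dispatch is refused instead
 * of touching freed memory. */
static int dispatch_fixed(struct job **jp, int err) {
    struct job *j = *jp;
    int rc = 0;
    if (!j) return -1;                             /* already dispatched and freed */
    if (err) {
        fprintf(stderr, "aborted: %s\n", j->name); /* log while the object is still alive */
        rc = -1;
    } else {
        j->on_done(j);
    }
    free(j);
    *jp = NULL;
    return rc;
}

/* Exercises the hardened dispatcher on constructed jobs.
 * Returns 1 if every expectation holds, 0 otherwise. */
static int demo_fixed(void) {
    struct job *a = job_new("report.pdf", 3);
    struct job *b = job_new("draft.pdf", 9);
    if (!a || !b) { free(a); free(b); return 0; }
    int ok = dispatch_fixed(&a, 0) == 0 && a == NULL    /* success path frees and clears */
          && dispatch_fixed(&a, 0) == -1                /* second dispatch refused, not a UAF */
          && dispatch_fixed(&b, 1) == -1 && b == NULL;  /* error path frees and clears too */
    return ok ? 1 : 0;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "vulnerable") == 0) {
        /* Why the bug is exploitable: after the free, a malloc of the same
         * size typically hands the same chunk back, so attacker bytes now sit
         * where the dispatcher expects a job and its on_done callback. */
        struct job *j = job_new("victim.pdf", 1);
        if (!j) return 1;
        uintptr_t where = (uintptr_t)j;
        dispatch_vulnerable(j, 1);                 /* frees j, then reads j->name */
        char *reclaimed = malloc(sizeof *j);       /* constructed "attacker" allocation */
        if (!reclaimed) return 1;
        memset(reclaimed, 'A', sizeof *j);
        printf("freed chunk handed back to the next malloc: %d\n",
               (uintptr_t)reclaimed == where);
        /* a further dispatch_vulnerable(j, 0) would call on_done = 0x4141... */
        free(reclaimed);
        return 0;
    }
    return demo_fixed() == 1 ? 0 : 1;
}
```

Build with `-fsanitize=address` and run with `vulnerable` as the first argument: the read of `j->name` after `free(j)` is reported as a heap-use-after-free, and without the sanitizer the program shows the freed chunk being reused by the very next allocation of the same size, which is the step that lets an attacker place a fake object where the dangling pointer points. The fixed dispatcher is what the default run exercises.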

For information on heap overflows: Heap Overflow: Vulnerability and Heap Internals Explained

For information on out of bounds access: CWE-125: Out-of-bounds Read

Sources:

  • Chrome V8 | Google Developers. (n.d.). Retrieved from https://developers.google.com/v8/
  • CWE-125: Out-of-bounds Read. (n.d.). Retrieved from https://cwe.mitre.org/data/definitions/125.html
  • CWE-416: Use After Free. (n.d.). Retrieved from https://cwe.mitre.org/data/definitions/416.html
  • Google Releases Security Updates for Chrome. (2017, March 30). Retrieved from https://www.us-cert.gov/ncas/current-activity/2017/03/30/Google-Releases-Security-Updates-Chrome
  • Heap Overflow: Vulnerability and Heap Internals Explained. (2017). Retrieved from http://resources.infosecinstitute.com/heap-overflow-vulnerability-and-heap-internals-explained/#gref
  • Stable Channel Update for Desktop. (2017, March 29). Retrieved from https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop_29.html