As mentioned on November 10, 2016, we were made aware of a bug in Chrome version 53 that affects some Symantec, GeoTrust, and Thawte SSL/TLS certificates resulting in an untrusted error displaying when visiting affected websites. There were no issues with the certificates used on the affected websites, but rather, the issue is entirely a Google bug with specific versions of Chrome, Chromium, Chrome Custom Tabs and WebView.
Since my initial post, we’ve gained more insight into the scope of impacted platforms and releases for this bug, and although the majority of them have been patched, there is an outstanding issue with Android apps that leverage the WebView version 53. To remedy this problem, end users of affected applications will need to update to the most recent version of WebView (version 54) and the forthcoming Chrome version 55. Developers using Android Open Source Platform (AOSP) will need to review their own apps to ensure compatibility.
Other Chrome-based applications and platforms have been patched by Google including Chrome Mac, Chrome Windows, Chrome Linux, Chrome Android, Chrome iOS, Chromium, Chromium-based browsers, and Chrome Custom Tabs. All of these will operate normally on Chrome version 54 for the time being, and are fully patched in Chrome version 55. We expect no adverse issues on these platforms at this time, and no action should be required by users leveraging typical update mechanisms.
Symantec is continuing to work with Google as they push the fix to their bug through the Chrome eco-system. We will update this blog as we learn more information.