Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Chrome 70 Updates Sign-In Options, Patches 23 Flaws

Google on Tuesday released Chrome 70 in the stable channel, with patches for nearly two dozen vulnerabilities, as well as with updated sign-in options.

Google on Tuesday released Chrome 70 in the stable channel, with patches for nearly two dozen vulnerabilities, as well as with updated sign-in options.

Available for Windows, Mac and Linux as version 70.0.3538.67, the new Chrome iteration arrives with patches for 23 vulnerabilities, 18 of which were discovered by external researchers. These include 6 flaws rated high severity, 8 medium risk, and 4 low severity issues.

The addressed flaws include sandbox escape, remote code execution, heap buffer overflow, URL spoofing, use after free, memory corruption, cross-origin URL disclosure, security UI occlusion in full screen mode, iframe sandbox escape on iOS, and lack of limits on update() in ServiceWorker.

Google paid over $20,000 in bug bounty rewards to the reporting security researchers.

One other important update that Chrome 70 comes with is the final version of the Transport Layer Security (TLS) 1.3 traffic encryption protocol, which was approved earlier this year. In one year and a half, Chrome and all other major web browsers will no longer support TLS 1.0 and 1.1.

The browser now also provides users with increased control over Chrome sign-in options. The previous Chrome release would automatically sign users into the browser when they signed into a Google service, which raised privacy concerns.

Advertisement. Scroll to continue reading.

In late September, Google revealed that Chrome’s sign-in behavior was meant to make it more obvious for users that they are logged into a specific account.

“You’ll see your Google Account picture right in the Chrome UI, so you can easily see your sign-in status. When you sign out, either directly from Chrome or from any Google website, you’re completely signed out of your Google Account,” Zach Koch, Chrome Product Manager, explained at the time.

One issue with the functionality, however, was that users had no control over it, and Google decided to change that.

Thus, Chrome 70 now provides users with the option to turn off the linking of web-based sign-in with browser-based sign-in. By default, the linking is turned on, but users can opt out, meaning they will no longer be signed into Chrome when signing into a Google service.

Now, Chrome is also making it clearer for users whether the syncing option is turned on, so that people know when their data is being sent to Google’s servers.

Related: Major Browsers to Kill TLS 1.0, 1.1

Related: Latest Version of Chrome Improves Password Management, Patches 40 Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.