Google on Tuesday released Chrome 70 in the stable channel, with patches for nearly two dozen vulnerabilities, as well as with updated sign-in options.
Available for Windows, Mac and Linux as version 70.0.3538.67, the new Chrome iteration arrives with patches for 23 vulnerabilities, 18 of which were discovered by external researchers. These include 6 flaws rated high severity, 8 medium risk, and 4 low severity issues.
The addressed flaws include sandbox escape, remote code execution, heap buffer overflow, URL spoofing, use after free, memory corruption, cross-origin URL disclosure, security UI occlusion in full screen mode, iframe sandbox escape on iOS, and lack of limits on update() in ServiceWorker.
Google paid over $20,000 in bug bounty rewards to the reporting security researchers.
One other important update that Chrome 70 comes with is the final version of the Transport Layer Security (TLS) 1.3 traffic encryption protocol, which was approved earlier this year. In one year and a half, Chrome and all other major web browsers will no longer support TLS 1.0 and 1.1.
The browser now also provides users with increased control over Chrome sign-in options. The previous Chrome release would automatically sign users into the browser when they signed into a Google service, which raised privacy concerns.
In late September, Google revealed that Chrome’s sign-in behavior was meant to make it more obvious for users that they are logged into a specific account.
“You’ll see your Google Account picture right in the Chrome UI, so you can easily see your sign-in status. When you sign out, either directly from Chrome or from any Google website, you’re completely signed out of your Google Account,” Zach Koch, Chrome Product Manager, explained at the time.
One issue with the functionality, however, was that users had no control over it, and Google decided to change that.
Thus, Chrome 70 now provides users with the option to turn off the linking of web-based sign-in with browser-based sign-in. By default, the linking is turned on, but users can opt out, meaning they will no longer be signed into Chrome when signing into a Google service.
Now, Chrome is also making it clearer for users whether the syncing option is turned on, so that people know when their data is being sent to Google’s servers.
Related: Major Browsers to Kill TLS 1.0, 1.1
Related: Latest Version of Chrome Improves Password Management, Patches 40 Flaws
More from Ionut Arghire
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
- Chrome 114 Released With 18 Security Fixes
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
Latest News
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
