Security Experts:

Connect with us

Hi, what are you looking for?



Chrome 78 Released With DoH, 37 Security Patches

Google this week released Chrome 78 to the stable channel with numerous improvements, including a total of 37 security fixes for vulnerabilities discovered by the company on its own and external security researchers.

Google this week released Chrome 78 to the stable channel with numerous improvements, including a total of 37 security fixes for vulnerabilities discovered by the company on its own and external security researchers.

One of the most important security changes in Chrome 78 is the introduction of DNS-over-HTTPS (DoH) as an experiment to assess the implementation of this technology in the browser. All supported platforms will receive the feature, except for Linux and iOS.

Starting with the new iteration, the browser can alert users when their passwords appear in data breaches through an option in password manager (web version) called “Check password safety”, which is also experimental at the moment. It requires for users to be logged in and their account synced with Google.

Of the 21 patched vulnerabilities that were reported by external researchers, three were rated High severity, twelve Medium, and six Low severity.

The most important of these include a use-after-free in the media component and a buffer overrun in Blink, both reported by Man Yue Mo of the Semmle Security Research Team.

The flaws are tracked as CVE-2019-13699 and CVE-2019-13700, and the reporting researcher received bug bounty rewards of $20,000 and $15,000, respectively.

The third High severity issue addressed in this release is CVE-2019-13701, a URL spoofing issue in navigation reported by David Erceg. Google paid a $1,000 bounty for the bug.

Some of the most important Medium severity issues addressed with the release of Chrome 78 include a privilege elevation in Installer (CVE-2019-13702), URL bar spoofing (CVE-2019-13703), CSP bypass (CVE-2019-13704), extension permission bypass (CVE-2019-13705), and out-of-bounds read in PDFium (CVE-2019-13706).

Google also patched Medium risk issues such as file storage disclosure (CVE-2019-13707), HTTP authentication spoof (CVE-2019-13708), file download protection bypass (CVE-2019-13709 and CVE-2019-13710), cross-context information leak (CVE-2019-13711), buffer overflow in expat (CVE-2019-15903), and cross-origin data leak (CVE-2019-13713).

Addressed Low severity bugs included CSS injection (CVE-2019-13714), address bar spoofing (CVE-2019-13715), service worker state error (CVE-2019-13716), notification obscured (CVE-2019-13717 and CVE-2019-13719), and IDN spoof (CVE-2019-13718).

The new browser iteration is now available for download for Windows, Mac, and Linux as Chrome 78.0.3904.70.

Related: DNS-over-HTTPS Coming to Chrome 78

Related: Google Boosts Site Isolation in Chrome

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.