Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome 78 Released With DoH, 37 Security Patches

Google this week released Chrome 78 to the stable channel with numerous improvements, including a total of 37 security fixes for vulnerabilities discovered by the company on its own and external security researchers.

Google this week released Chrome 78 to the stable channel with numerous improvements, including a total of 37 security fixes for vulnerabilities discovered by the company on its own and external security researchers.

One of the most important security changes in Chrome 78 is the introduction of DNS-over-HTTPS (DoH) as an experiment to assess the implementation of this technology in the browser. All supported platforms will receive the feature, except for Linux and iOS.

Starting with the new iteration, the browser can alert users when their passwords appear in data breaches through an option in password manager (web version) called “Check password safety”, which is also experimental at the moment. It requires for users to be logged in and their account synced with Google.

Of the 21 patched vulnerabilities that were reported by external researchers, three were rated High severity, twelve Medium, and six Low severity.

The most important of these include a use-after-free in the media component and a buffer overrun in Blink, both reported by Man Yue Mo of the Semmle Security Research Team.

The flaws are tracked as CVE-2019-13699 and CVE-2019-13700, and the reporting researcher received bug bounty rewards of $20,000 and $15,000, respectively.

The third High severity issue addressed in this release is CVE-2019-13701, a URL spoofing issue in navigation reported by David Erceg. Google paid a $1,000 bounty for the bug.

Some of the most important Medium severity issues addressed with the release of Chrome 78 include a privilege elevation in Installer (CVE-2019-13702), URL bar spoofing (CVE-2019-13703), CSP bypass (CVE-2019-13704), extension permission bypass (CVE-2019-13705), and out-of-bounds read in PDFium (CVE-2019-13706).

Advertisement. Scroll to continue reading.

Google also patched Medium risk issues such as file storage disclosure (CVE-2019-13707), HTTP authentication spoof (CVE-2019-13708), file download protection bypass (CVE-2019-13709 and CVE-2019-13710), cross-context information leak (CVE-2019-13711), buffer overflow in expat (CVE-2019-15903), and cross-origin data leak (CVE-2019-13713).

Addressed Low severity bugs included CSS injection (CVE-2019-13714), address bar spoofing (CVE-2019-13715), service worker state error (CVE-2019-13716), notification obscured (CVE-2019-13717 and CVE-2019-13719), and IDN spoof (CVE-2019-13718).

The new browser iteration is now available for download for Windows, Mac, and Linux as Chrome 78.0.3904.70.

Related: DNS-over-HTTPS Coming to Chrome 78

Related: Google Boosts Site Isolation in Chrome

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.