Google this week released Chrome 78 to the stable channel with numerous improvements, including a total of 37 security fixes for vulnerabilities discovered by the company on its own and external security researchers.
One of the most important security changes in Chrome 78 is the introduction of DNS-over-HTTPS (DoH) as an experiment to assess the implementation of this technology in the browser. All supported platforms will receive the feature, except for Linux and iOS.
Starting with the new iteration, the browser can alert users when their passwords appear in data breaches through an option in password manager (web version) called “Check password safety”, which is also experimental at the moment. It requires for users to be logged in and their account synced with Google.
Of the 21 patched vulnerabilities that were reported by external researchers, three were rated High severity, twelve Medium, and six Low severity.
The most important of these include a use-after-free in the media component and a buffer overrun in Blink, both reported by Man Yue Mo of the Semmle Security Research Team.
The flaws are tracked as CVE-2019-13699 and CVE-2019-13700, and the reporting researcher received bug bounty rewards of $20,000 and $15,000, respectively.
The third High severity issue addressed in this release is CVE-2019-13701, a URL spoofing issue in navigation reported by David Erceg. Google paid a $1,000 bounty for the bug.
Some of the most important Medium severity issues addressed with the release of Chrome 78 include a privilege elevation in Installer (CVE-2019-13702), URL bar spoofing (CVE-2019-13703), CSP bypass (CVE-2019-13704), extension permission bypass (CVE-2019-13705), and out-of-bounds read in PDFium (CVE-2019-13706).
Google also patched Medium risk issues such as file storage disclosure (CVE-2019-13707), HTTP authentication spoof (CVE-2019-13708), file download protection bypass (CVE-2019-13709 and CVE-2019-13710), cross-context information leak (CVE-2019-13711), buffer overflow in expat (CVE-2019-15903), and cross-origin data leak (CVE-2019-13713).
Addressed Low severity bugs included CSS injection (CVE-2019-13714), address bar spoofing (CVE-2019-13715), service worker state error (CVE-2019-13716), notification obscured (CVE-2019-13717 and CVE-2019-13719), and IDN spoof (CVE-2019-13718).
The new browser iteration is now available for download for Windows, Mac, and Linux as Chrome 78.0.3904.70.
Related: DNS-over-HTTPS Coming to Chrome 78
More from Ionut Arghire
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
- New Wi-Fi Attack Allows Traffic Interception, Security Bypass
- Casino Giant Crown Resorts Investigating Ransomware Group’s Data Theft Claims
- Over 200 Organizations Targeted in Chinese Cyberespionage Campaign
- Nigerian BEC Scammer Sentenced to Prison in US
Latest News
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Why Endpoint Resilience Matters
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- UK Introduces Mass Surveillance With Online Safety Bill
- Musk, Scientists Call for Halt to AI Race Sparked by ChatGPT
