Google this week released Chrome 83 to the stable channel with patches for a total of 38 vulnerabilities, with improved Safe Browsing protection, and updated privacy and security controls.
The newly introduced Enhanced Safe Browsing protection in Chrome is meant to provide users with a more advanced level of security while browsing the web, by increasing protection from dangerous websites and downloads.
For users signed into Chrome and other Google apps (such as Gmail, Drive, etc), the company claims to provide protection “based on a holistic view of threats” encountered on the web and attacks on a user’s account.
With Safe Browsing, Google explains, the list of websites considered malicious is refreshed every 30 minutes, but that represents a long-enough window for some phishing sites to remain undetected by switching domains.
Enhanced Safe Browsing, on the other hand, allows Chrome to check uncommon URLs in real time, meaning that threats can be detected faster. Moreover, a small sample of the suspicious page or download is sent to Google, to help protect other users as well.
For signed-in users, the data is linked to their Google account, so that protections can be tailored to the user when an attack is detected against their browser or account. The data is anonymized after a short period.
Users can turn the feature on by heading to Privacy and Security settings > Security > “Enhanced protection” mode under Safe Browsing. The feature will roll out gradually in Chrome 83 and will arrive on Android as well, in a future release.
Chrome 83, Google says, also makes it more intuitive for users to control their privacy and security settings on desktop systems, with easier to manage cookies, reorganized controls in Site Settings, improved control over the data shared with Google to store in Google accounts and share across devices, and the “Clear browsing data” option now at the top of the Privacy & Security section.
The browser also includes a safety check that allows users to confirm the safety of their experience in Chrome. Thus, they can check whether passwords stored in Chrome have been compromised, if Safe Browsing is turned off, if the latest Chrome version is installed, and if malicious extensions are used.
Additionally, Chrome will be blocking third-party cookies by default when in Incognito mode, and will also provide a prominent control over these cookies on the New Tab page. Thus, users can choose to allow third-party cookies for specific sites.
With the new release, Chrome also gets Secure DNS, where DNS-over-HTTPS is employed to encrypt the DNS lookup, to prevent attackers from knowing which sites the user is accessing. The browser will automatically upgrade to DNS-over-HTTPS if the service provider supports it, but users can adjust or completely disable the feature in the Advanced security section.
Of the 38 vulnerabilities patched in the new Chrome release, 27 were reported by external researchers, Google reveals. These include five high severity flaws, seventeen medium severity issues, and five low risk bugs.
The most important of the vulnerabilities are CVE-2020-6465 (use after free in reader mode), CVE-2020-6466 (use after free in media), CVE-2020-6467 (use after free in WebRTC), CVE-2020-6468 (Type Confusion in V8), and CVE-2020-6469 (insufficient policy enforcement in developer tools).
For the first two vulnerabilities, Google paid $20,000 and $15,000 in bug bounties, respectively. Each of the next two bugs earned the reporting researchers $7,500, while the fifth was rewarded with $5,000. Overall, Google says it paid out over $75,000 in bug bounty rewards to the reporting researchers.
