Chrome 84 was released in the stable channel this week with a total of 38 patches, but also with additional security improvements, including the rollout of a previously announced SameSite cookie change.
Initially announced in May 2019, the change is meant to provide users with improved protection against cross-site request forgery (CSRF) attacks by making only cookies set as SameSite=None; Secure available in third-party contexts, and only if served over a secure connection.
Google started rolling out the change in February, with the release of Chrome 80, but halted the process in early April due to the COVID-19 pandemic. The release of Chrome 84 resumes the gradual rollout of the protection.
The new browser iteration also improves user protection from abusive notifications, as announced in May. Thus, websites that push abusive notifications will be enrolled in the quieter notifications UI and the notification won’t be displayed to the user.
Instead, a discreet warning will pop up, to notify the user on the blocking of a notification. An alert will also be displayed when Chrome detects websites that attempt to trick users into allowing intrusive notifications.
In Chrome 84, Google also included support for the Web OTP (one-time password) API, which allows the browser to detect incoming one-time passcodes (OTP) received by SMS and automatically fill specific two-factor authentication (2FA) fields. Users will be prompted to allow for the action to take place.
The browser also removes support for the TLS 1.0 and TLS 1.1 protocols, a move that was long announced but postponed due to the coronavirus pandemic. Moreover, it will display warnings when HTTPS sites serve files from HTTP resources.
Chrome 84 also brings 38 patches, including 26 for vulnerabilities reported by external security researchers.
The most severe of these is a critical buffer overflow issue in background fetch. Tracked as CVE-2020-6510, the flaw was reported by Leecraso and Guang Gong of Chinese cybersecurity firm Qihoo 360.
Google also addressed 7 high-severity bugs in its browser, including CVE-2020-6511 (side-channel information leakage in content security policy), CVE-2020-6512 (type confusion in V8), CVE-2020-6513 (heap buffer overflow in PDFium), CVE-2020-6514 (inappropriate implementation in WebRTC), CVE-2020-6515 (use-after-free in tab strip), CVE-2020-6516 (policy bypass in CORS), and CVE-2020-6517 (heap buffer overflow in history).
The remaining vulnerabilities disclosed by external researchers (8 medium- and 10 low-severity) include use-after-free issues, policy bypasses, heap buffer overflows, side-channel information leakage bugs, inappropriate implementations, out-of-bounds writes, insufficient policy enforcement, out-of-bounds memory access, type confusion, insufficient data validation, and incorrect security UI in progressive web apps (PWAs).
The updated browser is available for download as Chrome 84.0.4147.89 for Windows, Mac, and Linux machines and should roll out to existing users over the following days or weeks.