Chrome 84 Brings 38 Security Patches, Resumes CSRF Protection Rollout

Chrome 84 was released in the stable channel this week with a total of 38 patches, but also with additional security improvements, including the rollout of a previously announced SameSite cookie change.

Initially announced in May 2019, the change is meant to provide users with improved protection against cross-site request forgery (CSRF) attacks: cookies are made available in third-party (cross-site) contexts only if they are explicitly set with SameSite=None; Secure, which also requires that they be served over a secure connection.

Google started rolling out the change in February, with the release of Chrome 80, but halted the process in early April due to the COVID-19 pandemic. The release of Chrome 84 resumes the gradual rollout of the protection.
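To make the SameSite change concrete, the following added example (written for this article, not Google's or Chromium's code) evaluates constructed Set-Cookie headers under the Chrome 80+/84 default described above: a missing SameSite attribute is treated as Lax, and only SameSite=None combined with Secure over HTTPS is attached in a third-party context. The top-level-navigation exception for Lax cookies is deliberately left out to keep the check focused on the CSRF-relevant embedded case.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CookieDecision:
    name: str
    effective_samesite: str  # how the browser treats the cookie
    sent_cross_site: bool    # attached to an embedded third-party request?
    reason: str


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def evaluate_cross_site(header: str, over_https: bool = True) -> CookieDecision:
    """Apply the Chrome 80+ default to one Set-Cookie header for an embedded
    (iframe, image, XHR) third-party request."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("none", "lax", "strict"):
        samesite = "lax"  # missing or unrecognised value: Chrome defaults to Lax
    if samesite != "none":
        return CookieDecision(name, samesite, False,
                              f"SameSite={samesite}: not sent on embedded cross-site requests")
    if "secure" not in attrs:
        return CookieDecision(name, "none", False,
                              "SameSite=None without Secure is rejected by Chrome 80+")
    if not over_https:
        return CookieDecision(name, "none", False,
                              "Secure cookie cannot be set over plain HTTP")
    return CookieDecision(name, "none", True,
                          "SameSite=None; Secure: available in third-party contexts")


def audit(headers: List[str]) -> List[str]:
    """Names of cookies that will stop working cross-site after the rollout."""
    return [d.name for d in map(evaluate_cross_site, headers) if not d.sent_cross_site]


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real service.
    sample = ["session=abc123; Path=/; HttpOnly",            # legacy: now Lax by default
              "sso=tok; SameSite=None",                       # weak: rejected, no Secure
              "widget=xyz; SameSite=None; Secure; Path=/"]    # corrected form
    for h in sample:
        print(evaluate_cross_site(h))
```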

The new browser iteration also improves user protection from abusive notifications, as announced in May. Thus, websites that push abusive notifications will be enrolled in the quieter notifications UI and the notification won’t be displayed to the user.

Instead, a discreet warning will pop up to notify the user that a notification was blocked. An alert will also be displayed when Chrome detects websites that attempt to trick users into allowing intrusive notifications.

In Chrome 84, Google also included support for the Web OTP (one-time password) API, which allows the browser to detect incoming one-time passcodes (OTP) received by SMS and automatically fill the corresponding two-factor authentication (2FA) fields. Users are prompted to allow the action before the code is filled in.

The browser also removes support for the TLS 1.0 and TLS 1.1 protocols, a move that was announced long ago but postponed due to the coronavirus pandemic. Moreover, it will display warnings when HTTPS sites serve file downloads from HTTP resources.

Chrome 84 also brings 38 patches, including 26 for vulnerabilities reported by external security researchers.

The most severe of these is a critical buffer overflow issue in background fetch. Tracked as CVE-2020-6510, the flaw was reported by Leecraso and Guang Gong of Chinese cybersecurity firm Qihoo 360.

Google also addressed 7 high-severity bugs in its browser, including CVE-2020-6511 (side-channel information leakage in content security policy), CVE-2020-6512 (type confusion in V8), CVE-2020-6513 (heap buffer overflow in PDFium), CVE-2020-6514 (inappropriate implementation in WebRTC), CVE-2020-6515 (use-after-free in tab strip), CVE-2020-6516 (policy bypass in CORS), and CVE-2020-6517 (heap buffer overflow in history).

The remaining vulnerabilities disclosed by external researchers (8 medium- and 10 low-severity) include use-after-free issues, policy bypasses, heap buffer overflows, side-channel information leakage bugs, inappropriate implementations, out-of-bounds writes, insufficient policy enforcement, out-of-bounds memory access, type confusion, insufficient data validation, and incorrect security UI in progressive web apps (PWAs).

The updated browser is available for download as Chrome 84.0.4147.89 for Windows, Mac, and Linux machines and should roll out to existing users over the following days or weeks.

Related: Chrome 83 Brings Enhanced Safe Browsing, New Privacy and Security Controls

Related: GitHub Shares Details on Six Chrome Vulnerabilities

Related: Tens of Malicious Chrome Extensions Used in Global Surveillance Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
