Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Chrome Improves Security for Enterprise Use

Chrome’s Site Isolation Feature Renders Each Web Site in a Separate Process

Google is boosting the security of its browser with the release of Chrome 63, which brings a host of enhancements aimed at enterprises and also addresses 37 vulnerabilities.

Chrome’s Site Isolation Feature Renders Each Web Site in a Separate Process

Google is boosting the security of its browser with the release of Chrome 63, which brings a host of enhancements aimed at enterprises and also addresses 37 vulnerabilities.

The new browser iteration, Google says, can better protect enterprises from potential dangers like ransomware, malware, and other vulnerabilities. This is possible because of better process isolation, support for more advanced security standards, and the adoption of new policies.

One of the major enhancements Chrome 63 introduces is Site Isolation, where content for each open website is rendered in a separate process, isolated from the processes of other websites. The browser already includes sandboxing technology, but the new feature should deliver stronger security boundaries between websites.

Now, Chrome also allows IT admins to configure a new policy and restrict access to extensions based on the permissions required. Thus, they can block all extensions that require the use of a webcam or microphone, or those that want to access and modify data on the websites visited.

In an attempt to ensure more secure communication, the new browser release also enables Transport Layer Security (TLS) 1.3 for Gmail. TLS 1.3 support will be expanded to the broader web in 2018, Google reveals.

While Chrome browser users should not be impacted, IT admins can post feedback on any systems that are not interoperable with TLS 1.3. “As admins prepare for the wider use of TLS 1.3, they can configure this policy for network software or hardware that will not transit TLS 1.3 connections,” Google notes.

For the next year, the Internet giant also plans support for the NTLMv2 authentication protocol in Chrome 64, including Extended Protection for Authentication (EPA) on Mac, Android, Linux and Chrome OS. Thus, the same level of security as in Chrome on Windows will be available on all platforms performing NTLM authentication.

IT admins can already enable the feature in chrome://flags/#enable-ntlm-v2, but Google plans on making NTLMv2 the default NTLM protocol starting with Chrome 65. The update makes Chrome the only browser to support NTLMv2 with EPA on non-Windows platforms.

The Internet search company also plans on improving the browser’s stability by blocking third-party software from injecting code into Chrome on Windows.

Because some businesses rely on code injection, however, a new policy set to be introduced in the coming months should provide admins with extended support for critical apps. To check whether their software is injecting into Chrome, admins can visit chrome://conflicts.

Google also included patches for 37 vulnerabilities in Chrome 63, including 19 security flaws reported by external researchers. These include 1 Critical severity, 6 High risk, 7 Medium severity, and 5 Low risk bugs.

The company paid over $46000 to the reporting researchers. The highest bounties were paid for a Critical Out of bounds write in QUIC ($10500), a Heap buffer overflow in PDFium ($6337), two Use after free in PDFium issues ($5000 each), an Out of bounds write in Skia ($5000), and a Use after free in libXML ($3500).

Related: Chrome to Block Apps from Injecting into Its Processes

Related: Chrome 62 Update Patches Serious Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Apple has launched a new security research blog and website, which will also be the new home of the company’s bug bounty program.