Google has announced the release of a new version of the Chrome browser. In the release 78.0.3904.70, developers eliminated more than three dozen of vulnerabilities, and also added a number of mechanisms that increase the user’s security, but have not yet activated DNS-over-HTTPS support.
Applications for Windows, macOS and Linux will be automatically updated at the next launch, and mobile versions, as usual, will receive updates later.
“The Chrome team is delighted to announce the promotion of Chrome 78 to the stable channel for Windows, Mac and Linux. Chrome 78.0.3904.70 contains a number of fixes and improvements — a list of changes is available in the log”, — write Chrome developers.
In a fresh release, the creators of the program patched 37 bugs, some of which were identified by the internal testing team, and the rest were found by third-party experts.
Google paid $35 thousand for information about two vulnerabilities discovered by Semmle Security’s information security analyst Man Yue Mo.
The first bug, which received the identifier CVE-2019-13699, is associated with a use-after-free error when displaying media content, and the second, registered as CVE-2019-13700, refers to a buffer overflow in the Blink engine.
Another serious drawback gave an attacker the ability to spoof URLs in browser navigation elements. Independent information security specialist David Erceg found an error that can be tracked by identifier CVE-2019-13701. As part of the bug bounty program, Google paid the researcher $1 thousand.
The remaining bugs fixed in the 78th version of Chrome have a medium and low threat level. Vulnerabilities are associated with buffer overflow, reading outside the permissible memory range, escalation of privileges, and other errors.
Starting with this browser release, Google should have started testing the DNS-over-HTTPS (DoH) mechanism on all platforms except Linux and iOS. This is an experimental protocol, the use of which reduces the likelihood of intercepting DNS permissions through a man-in-the-middle attack, since data is transmitted over a secure HTTPS channel.
“This experiment will be done in collaboration with DNS providers who already support DoH, with the goal of improving our mutual users’ security and privacy by upgrading them to the DoH version of their current DNS service. With our approach, the DNS service used will not change, only the protocol will”, — writes Kenji Baheux, Chrome Product Manager.
However, browser developers have delayed the inclusion of this option to version 79.
Another experimental innovation was put into operation on schedule: in the 78th release of the browser, was launched the internal service of Password Leak Detection, designed to alert the user about a possible password theft. If this feature is enabled, Chrome checks all stored private keys against a database of compromised credentials and displays a notification when it finds a match.
A similar opportunity appeared in the 70th version of Firefox, released a few days earlier. The mechanism, implemented as a plugin, is called Lockwise and is activated by default in the latest browser release.