Google this week released Chrome 78 to the stable channel with numerous improvements, including a total of 37 security fixes for vulnerabilities discovered by the company on its own and external security researchers.
One of the most important security changes in Chrome 78 is the introduction of DNS-over-HTTPS (DoH) as an experiment to assess the implementation of this technology in the browser. All supported platforms will receive the feature, except for Linux and iOS.
Starting with the new iteration, the browser can alert users when their passwords appear in data breaches through an option in password manager (web version) called "Check password safety", which is also experimental at the moment. It requires for users to be logged in and their account synced with Google.
Of the 21 patched vulnerabilities that were reported by external researchers, three were rated High severity, twelve Medium, and six Low severity.
The most important of these include a use-after-free in the media component and a buffer overrun in Blink, both reported by Man Yue Mo of the Semmle Security Research Team.
The flaws are tracked as CVE-2019-13699 and CVE-2019-13700, and the reporting researcher received bug bounty rewards of $20,000 and $15,000, respectively.
The third High severity issue addressed in this release is CVE-2019-13701, a URL spoofing issue in navigation reported by David Erceg. Google paid a $1,000 bounty for the bug.
Some of the most important Medium severity issues addressed with the release of Chrome 78 include a privilege elevation in Installer (CVE-2019-13702), URL bar spoofing (CVE-2019-13703), CSP bypass (CVE-2019-13704), extension permission bypass (CVE-2019-13705), and out-of-bounds read in PDFium (CVE-2019-13706).
Support the originator by clicking the read the rest link below.
