Google’s latest version of its browser, Chrome 86, is now being rolled out with 35 security fixes – including a critical bug – and a feature that checks if users have any compromised passwords.
As of Tuesday, Chrome 86 is being promoted to the stable channel for Windows, Mac and Linux and will roll out over the coming days. The versions of the browser for Android and iOS were also released Tuesday, and will become available on Google Play and the App Store this week.
Included in the newest browser version is a critical flaw (CVE-2020-15967) existing in Chrome’s payments component. The flaw, reported by Man Yue Mo of GitHub Security Lab, is a use-after-free vulnerability. Use after free is a memory-corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code.
Use-after-free bugs have plagued Google Chrome in the past year. In fact, all seven high-severity vulnerabilities fixed by Google in Chrome 86 were use-after-free flaws – ranging from ones affecting Chrome’s printing (CVE-2020-15971), audio (CVE-2020-15972), password manager (CVE-2020-15991) and WebRTC (CVE-2020-15969) components (WebRTC is a protocol for rich-media web communication).
Further details of the bugs are not yet available, as “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google’s Tuesday post.
The Android and iOS versions of Chrome 86 will also come with a new security feature, which will send a copy of user’s usernames and passwords using a “special form of encryption.” That then lets Google check them against list of passwords known to be compromised.
“Passwords are often the first line of defense for our digital lives,” Abdel Karim Mardini, senior product manager with Chrome, said in a Tuesday post. “Today, we’re improving password security on both Android and iOS devices by telling you if the passwords you’ve asked Chrome to remember have been compromised, and if so, how to fix them.”
At the back end, when Google detects a username and password exposed by a data breach, it stores a strongly hashed and encrypted copy of the data. Then, when Chrome users log into a website, the feature sends a strongly hashed and encrypted version of their username and password to Google – meaning the company never derives usernames or passwords from the encrypted copy, it said.
Google then fetches the encrypted database of every “unsafe” username and password – and shares the same anonymous hash prefix of account detail, ensuring, it said, that the username and password details are not revealed during the process.
Google rolled out an iteration of this feature in 2019, when it unveiled the Password Checkup Chrome extension, to alert Chrome browser users of weak or compromised passwords. The company has now embedded this functionality directly into Chrome for Android and iOS for better ease of use. It has also added support for “well-known/change-password” URLs, letting Chrome take users directly to the right “change password” form after they’ve been alerted that their password has been compromised.
“We notify you when you have compromised passwords on websites, but it can be time-consuming to go find the relevant form to change your password,” said Mardini.
The password-reuse issue continues to be a staple problem in the security industry, and has led to a slew of attacks, most notably credential stuffing. A Google study released in August 2019 – which was actually based on data collected from Google’s Password Checkup Chrome extension – found that 1.5 percent – or 316,000 users – of website logins on the browser are utilizing already-hacked passwords.
Chrome 86 also comes with a slew of other security features, including Safety Check on iOS and Android. This feature is used to check for compromised passwords, tell users if Safe Browsing is enabled and whether the version of Chrome being run is updated with the latest security protections.
Chrome 86 will also include mixed-form warnings on desktop and Android to alert and warn users before submitting a non-secure form that’s embedded in an HTTPS page. And, the browser will now block or warn on some insecure downloads initiated by secure pages.
“Currently, this change affects commonly abused file types, but eventually secure pages will only be able to initiate secure downloads of any type,” according to Google.
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.