Google updated its Chrome browser to version 67.0.3396.62 on Tuesday, patching 34 bugs and adding support for the credential management API called WebAuthn. The update will be available in the coming days for Windows, Mac and Linux platforms, Google said.
Most notable in the browser update are mitigations for Spectre. The fix includes an added feature called Site Isolation that essentially separates the processes between different tabs, so that if one tab crashes, the others will continue to work. This also protects against speculative side-channel CPU vulnerabilities like Spectre because it reduces the amount of data exposed to side-channel attacks.
“We’re continuing to roll out Site Isolation to a larger percentage of the stable population in Chrome 67,” said Chrome in its security release. “Site Isolation improves Chrome’s security and helps mitigate the risks posed by Spectre.”
Bug fixes for Chrome 67 include nine rated high. One of them is an out-of-bounds memory access bug (CVE-2018-6130) in Web Real Time Communication (WebRTC), an open-source project that provides web browsers with real-time communication through simple APIs. Google also patched a heap buffer overflow in the open-source graphics library Skia (CVE-2018-6126) and an overly permissive policy bug (CVE-2018-6125) in the WebUSB API, which provides a way to expose USB device services to the Web. Below is a full list of the fixed vulnerabilities that are rated high.
- CVE-2018-6123: Use after free in Blink.
- CVE-2018-6124: Type confusion in Blink.
- CVE-2018-6125: Overly permissive policy in WebUSB.
- CVE-2018-6126: Heap buffer overflow in Skia.
- CVE-2018-6127: Use after free in indexedDB.
- CVE-2018-6128: uXSS in Chrome on iOS.
- CVE-2018-6129: Out of bounds memory access in WebRTC.
- CVE-2018-6130: Out of bounds memory access in WebRTC.
- CVE-2018-6131: Incorrect mutability protection in WebAssembly.
The Google update also introduced the WebAuthn API into Chrome 67. This API enables users to log into their accounts using alternative methods such as biometric options, including fingerprint readers, iris scans or facial recognition. Mozilla also packaged this feature into Firefox a few weeks ago with the release of Firefox 60.
Finally, the latest version of Chrome has deprecated the browser’s support for HTTP public key pinning, instead adopting the more flexible solution of Expect-CT headers. This plan was first announced in 2017 after Google argued that public key pinning runs the risk of leaving website admins with difficulties selecting a reliable set of keys to pin to.
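An added example, not from Google or the original article: a short Python audit of response headers that flags leftover HTTP public key pinning headers and checks an Expect-CT policy. The finding codes and the sample header values (the `ct.example.test` report endpoint and the placeholder pins) are constructed for illustration.

```python
import re

# One directive: name, optional =value (token or quoted string), then "," or end.
_DIRECTIVE = re.compile(r'([A-Za-z-]+)\s*(?:=\s*("[^"]*"|[^,\s]+))?\s*(?:,|$)')

def parse_expect_ct(value):
    """Parse an Expect-CT header value into max-age, enforce and report-uri."""
    policy = {"max-age": None, "enforce": False, "report-uri": None}
    for name, raw in _DIRECTIVE.findall(value):
        name = name.lower()
        if name == "max-age" and raw.isdecimal():
            policy["max-age"] = int(raw)
        elif name == "enforce":
            policy["enforce"] = True
        elif name == "report-uri" and raw:
            policy["report-uri"] = raw.strip('"')
    return policy

def audit(headers):
    """Return finding codes for the pinning and CT headers of one response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in ("public-key-pins", "public-key-pins-report-only"):
        if name in h:
            findings.append("hpkp-still-sent:" + name)
    if "expect-ct" not in h:
        findings.append("expect-ct-missing")
        return findings
    policy = parse_expect_ct(h["expect-ct"])
    if policy["max-age"] is None:
        findings.append("expect-ct-no-max-age")    # max-age is a required directive
    elif policy["max-age"] == 0:
        findings.append("expect-ct-max-age-zero")  # browser drops any stored policy
    if not policy["enforce"]:
        # Without enforce the header only reports; without a report-uri it does nothing.
        findings.append("expect-ct-report-only" if policy["report-uri"]
                        else "expect-ct-no-effect")
    return findings

# Constructed sample responses (not taken from any real site).
LEGACY = {"Public-Key-Pins": 'pin-sha256="PLACEHOLDER_PIN_1="; '
                             'pin-sha256="PLACEHOLDER_PIN_2="; max-age=5184000'}
ROLLOUT = {"Expect-CT": 'max-age=86400, report-uri="https://ct.example.test/r?a=1,2"'}
ENFORCED = {"Expect-CT": 'max-age=604800, enforce, report-uri="https://ct.example.test/r"'}

if __name__ == "__main__":
    for label, hdrs in (("legacy", LEGACY), ("rollout", ROLLOUT), ("enforced", ENFORCED)):
        print(label, audit(hdrs) or "ok")
```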
Chrome 67 for desktops is currently available. Android and Chrome OS versions will follow soon after.