Chrome 81 released

Google's developers released Chrome 81 on 7 March 2020. The browser update closes 32 security holes in total and comes with the Web NFC API.


There was already this German comment here (thanks) – and Bleeping Computer has published this article about it.  

Changes and new features in Chrome 81

The changes in Chrome 81 were announced by the developers for the desktop in this blog post. Chrome 81.0.4044.92 contains a number of fixes and improvements – a list of the changes is available in the Change Log.

Chrome version 82 is skipped due to the COVID-19 crisis. Chrome 83 is scheduled for release in May 2020.

The Chrome browser version 81.0.4044.92 brings fixes for the following vulnerabilities in previous versions:

  • [$7500][1019161] High CVE-2020-6454: Use after free in extensions. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2019-10-29
  • [$5000][1043446] High CVE-2020-6423: Use after free in audio. Reported by Anonymous on 2020-01-18
  • [$3000][1059669] High CVE-2020-6455: Out of bounds read in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab, Qihoo 360 on 2020-03-09
  • [$2000][1031479] Medium CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
  • [$2000][1040755] Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
  • [$1000][852645] Medium CVE-2020-6431: Insufficient policy enforcement in full screen. Reported by Luan Herrera (@lbherrera_) on 2018-06-14
  • [$1000][965611] Medium CVE-2020-6432: Insufficient policy enforcement in navigations. Reported by David Erceg on 2019-05-21
  • [$1000][1043965] Medium CVE-2020-6433: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-01-21
  • [$500][1048555] Medium CVE-2020-6434: Use after free in devtools. Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
  • [$N/A][1032158] Medium CVE-2020-6435: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
  • [$TBD][1034519] Medium CVE-2020-6436: Use after free in window management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
  • [$500][639173] Low CVE-2020-6437: Inappropriate implementation in WebView. Reported by Jann Horn on 2016-08-19
  • [$500][714617] Low CVE-2020-6438: Insufficient policy enforcement in extensions. Reported by Ng Yik Phang on 2017-04-24
  • [$500][868145] Low CVE-2020-6439: Insufficient policy enforcement in navigations. Reported by remkoboonstra on 2018-07-26
  • [$500][894477] Low CVE-2020-6440: Inappropriate implementation in extensions. Reported by David Erceg on 2018-10-11
  • [$500][959571] Low CVE-2020-6441: Insufficient policy enforcement in omnibox. Reported by David Erceg on 2019-05-04
  • [$500][1013906] Low CVE-2020-6442: Inappropriate implementation in cache. Reported by B@rMey on 2019-10-12
  • [$500][1040080] Low CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
  • [$N/A][922882] Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
  • [$N/A][933171] Low CVE-2020-6445: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
  • [$N/A][933172] Low CVE-2020-6446: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
  • [$N/A][991217] Low CVE-2020-6447: Inappropriate implementation in developer tools. Reported by David Erceg on 2019-08-06
  • [$N/A][1037872] Low CVE-2020-6448: Use after free in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26

The release note also mentions various fixes from internal audits, fuzzing and other initiatives. Details will not be disclosed by Google for security reasons.

New features in Chrome 81

Bleeping Computer mentions the new Web NFC API here. Chrome 81 can now read and write NFC tags if they come close (5-10 cm) to an NFC-enabled device. In this first version, however, only the NFC data exchange format NDEF, a lightweight binary message format, is supported.


Chrome 81 now automatically tries to load all image content that a web page embeds via HTTP over HTTPS instead, and blocks the content if it cannot be delivered over a secure connection. This means that an image that is not available over HTTPS will not be displayed on the website.

Also starting with this version, there are console warnings for downloads that are delivered insecurely from secure contexts ("Downloads with mixed content"). This includes, for example, downloading a file over HTTP initiated from an HTTPS site. BleepingComputer has created a PoC page that allows you to test this feature.
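Site owners can check their own pages for the two mixed-content cases described above before visitors run into missing images or download warnings. The following Node.js sketch is an added example, not code from the original post or from Google; the function names, the `example.test` hostnames and the file-extension list are assumptions, and the regex-based tag extraction is a simplification of real HTML parsing.

```javascript
// Added example: hostnames and extension list are constructed; use a real HTML parser in production.
const DOWNLOAD_EXT = /\.(exe|msi|dmg|zip|7z|rar|gz|iso|apk|pdf)$/i;

// Return the value of attribute `name` from a raw tag string, or null.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// List http:// images and downloads referenced from an HTTPS page, with the Chrome 81 behaviour for each.
function auditMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  if (page.protocol !== 'https:') return findings; // only secure pages are affected
  const resolve = (raw) => { try { return new URL(raw.trim(), page); } catch { return null; } };
  const report = (u, kind) => {
    if (!u || u.protocol !== 'http:') return; // relative and // URLs inherit https
    findings.push({
      kind,
      url: u.href,
      chrome81: kind === 'image' ? 'upgraded to HTTPS, blocked if that fails' : 'console warning: mixed content download',
      httpsCandidate: kind === 'image' ? u.href.replace(/^http:/, 'https:') : null, // verify this URL is served
    });
  };
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const src = attr(tag, 'src');
    if (src) report(resolve(src), 'image');
    for (const cand of (attr(tag, 'srcset') || '').split(',')) {
      const first = cand.trim().split(/\s+/)[0]; // drop the "1x"/"480w" descriptor
      if (first) report(resolve(first), 'image');
    }
  }
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const u = resolve(attr(tag, 'href') || '');
    const isDownload = /\sdownload(?=[\s=>\/])/i.test(tag) || (u && DOWNLOAD_EXT.test(u.pathname));
    if (isDownload) report(u, 'download');
  }
  return findings;
}

// Constructed sample page content.
const SAMPLE_HTML = `<img src="http://img.example.test/logo.png">
<img src="/local/banner.png" srcset="http://img.example.test/a.png 1x, https://img.example.test/b.png 2x">
<img data-src="http://img.example.test/lazy.png" src="//cdn.example.test/ok.png">
<a href="http://files.example.test/setup.exe">Installer</a> <a href="http://files.example.test/report" download>Report</a>
<a href="http://www.example.test/about.html">About</a> <a href="https://files.example.test/tool.zip">Tool</a>`;
console.log(auditMixedContent(SAMPLE_HTML, 'https://www.example.test/index.html'));
```

Each `httpsCandidate` is the address to confirm is actually reachable over HTTPS; plain HTTP links that are ordinary navigations (the "About" link in the sample) are deliberately not reported.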

Google had planned to remove TLS 1.0 and 1.1 completely in Chrome 81. Due to the coronavirus pandemic, Google has decided to postpone the removal until Chrome 84.

Availability and download

The newest Chrome version for Windows, Mac and Linux will be rolled out to the systems via the automatic update function in the next few days. You can download it here.

