Google Chrome 90.0.4430.72: Vulnerabilities fixed and HTTPS as standard

Google released Google Chrome 90.0.4430.72 on April 14, 2021. It is a new development branch with some new features. The browser should be updated promptly, as Google closes 37 vulnerabilities. Here is a brief overview.



The Google blog has this post with a list of vulnerabilities closed in Chrome 90.0.4430.72 for desktop. Here are some highlighted vulnerabilities that have been fixed.

  • [$20000][1025683] High CVE-2021-21201: Use after free in permissions. Reported by Gengming Liu, Jianyu Chen at Tencent Keen Security Lab on 2019-11-18
  • [$10000][1188889] High CVE-2021-21202: Use after free in extensions. Reported by David Erceg on 2021-03-16
  • [$5000][1192054] High CVE-2021-21203: Use after free in Blink. Reported by asnine on 2021-03-24
  • [$1000][1189926] High CVE-2021-21204: Use after free in Blink. Reported by Chelse Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander of Seesaw on 2021-03-19
  • [$TBD][1165654] High CVE-2021-21205: Insufficient policy enforcement in navigation. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-01-12
  • [$TBD][1195333] High CVE-2021-21221: Insufficient validation of untrusted input in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
  • [$5000][1185732] Medium CVE-2021-21207: Use after free in IndexedDB. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-03-08
  • [$3000][1039539] Medium CVE-2021-21208: Insufficient data validation in QR scanner. Reported by Ahmed Elsobky (@0xsobky) on 2020-01-07
  • [$3000][1143526] Medium CVE-2021-21209: Inappropriate implementation in storage. Reported by Tom Van Goethem (@tomvangoethem) on 2020-10-29
  • [$3000][1184562] Medium CVE-2021-21210: Inappropriate implementation in Network. Reported by @bananabr on 2021-03-04
  • [$2000][1103119] Medium CVE-2021-21211: Inappropriate implementation in Navigation. Reported by Akash Labade (m0ns7er) on 2020-07-08
  • [$500][1145024] Medium CVE-2021-21212: Incorrect security UI in Network Config UI. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2020-11-03
  • [$N/A][1161806] Medium CVE-2021-21213: Use after free in WebMIDI. Reported by raven (@raid_akame) on 2020-12-25
  • [$TBD][1170148] Medium CVE-2021-21214: Use after free in Network API. Reported by Anonymous on 2021-01-24
  • [$TBD][1172533] Medium CVE-2021-21215: Inappropriate implementation in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-01-30
  • [$TBD][1173297] Medium CVE-2021-21216: Inappropriate implementation in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-02
  • [$500][1166462] Low CVE-2021-21217: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-14
  • [$500][1166478] Low CVE-2021-21218: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-14
  • [$500][1166972] Low CVE-2021-21219: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-15

Some of the vulnerabilities are rated High. A 0-day bug that was exploited at the Pwn2Own hacker conference was also fixed. Other issues were tracked down and fixed internally through audits and fuzzing, so the browser should be updated quickly. The Chrome build for Windows, Mac and Linux will be rolled out to systems via the automatic update feature over the next few days. However, you can also download this build here.

New features in Chrome 90.0.4430.72

There is no indication in the change log on the Chromium blog of what is new in the 90 development branch. Google announced in this March 2021 blog post that the HTTPS protocol would be used by default in the Chrome browser starting with version 90. So if a user just types a URL in the address field, Chrome will try to connect via HTTPS. Bleeping Computer also points out here that the new browser has improved protection against NAT slipstreaming: to stop such attacks, FTP, HTTP and HTTPS connections on port 554 are blocked.

NAT slipstreaming attacks abuse a router's Application Level Gateway (ALG) feature to gain access to any port on an internal network, potentially giving threat actors access to services normally secured by the router.

This block has a history, however: Google had blocked the port before, but reopened it after receiving complaints from developers. Google then found that the port is only used for about 0.00003% of all requests. Due to the low usage, Google is now blocking the port again.
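Both changes described above (HTTPS tried first for typed addresses, and FTP, HTTP and HTTPS connections on port 554 blocked) can be checked against an inventory of internal URLs before the update rolls out. The following is an added example, not code from Google or from the original post; the host names, the status labels and the `audit` helper are constructed for illustration.

```javascript
// Added example: classify inventory entries against the two Chrome 90 changes
// named in the article. Port and schemes come from the article text.
const BLOCKED_PORT = 554; // also the registered RTSP port
const AFFECTED_SCHEMES = new Set(["ftp:", "http:", "https:"]);

// Entries without "scheme://" get https:// prepended, mirroring the article's
// description of typed address-bar input in Chrome 90.
function normalize(input) {
  const s = input.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s);
  // Pitfall: new URL("cam.lan:554/x") parses "cam.lan" as the scheme,
  // so schemeless input must be detected before parsing.
  return { url: new URL(hasScheme ? s : "https://" + s), defaulted: !hasScheme };
}

function audit(input) {
  let parsed;
  try {
    parsed = normalize(input);
  } catch {
    return { input, status: "unparseable" };
  }
  const { url, defaulted } = parsed;
  // URL.port is "" when the port equals the scheme default (21, 80, 443).
  const port = url.port === "" ? null : Number(url.port);
  if (AFFECTED_SCHEMES.has(url.protocol) && port === BLOCKED_PORT) {
    return { input, status: "blocked-port-554", effective: url.href };
  }
  if (defaulted) return { input, status: "https-first", effective: url.href };
  if (url.protocol === "http:") {
    return { input, status: "explicit-http", effective: url.href };
  }
  return { input, status: "not-flagged", effective: url.href };
}

// Constructed sample inventory (hypothetical hosts).
const SAMPLE = [
  "http://cam.lan:554/stream",   // web UI on the blocked port
  "cam.lan:554/stream",          // same, typed without a scheme
  "ftp://files.example:554/pub",
  "intranet.example/wiki",       // needs a working HTTPS listener
  "http://legacy.example/",
  "rtsp://cam.lan:554/live",     // not one of the three listed schemes
  "http://bad host/",
];

for (const r of SAMPLE.map(audit)) console.log(r.status.padEnd(18), r.input);
```

Entries reported as `blocked-port-554` need the service moved to another port; entries reported as `https-first` should be confirmed to answer on HTTPS.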

Google Chrome 90 also gets an AV1 encoder to improve performance in video conferencing software using WebRTC. Google cites higher compression efficiency than other types of video encoding (VP9 and other codecs) as a benefit, reducing bandwidth consumption and improving visual quality. This helps video conferencing and screen sharing on low-bandwidth networks.



The Google Chrome Tab Search feature is being rolled out further in Chrome 90, allowing more users to get this feature without having to enable it via a flag. The Tab Search feature allows users to search their open tabs across all open browser windows to find a specific page. At Bleeping Computer you can read about new features for developers.

