Chrome 78 Updated With DoH, 37 Security Patches

Google released Chrome 78 to the stable channel this week with a number of enhancements, including a total of 37 security fixes for vulnerabilities found by the company itself and by external security researchers.

One of the most significant security changes in Chrome 78 is the introduction of DNS-over-HTTPS (DoH) as an experiment to evaluate the browser's implementation. All compatible platforms, including Linux and iOS, will receive the feature.

Beginning with this release, the browser will alert users when their passwords appear in data breaches, through a password manager (Web version) option called “Security test for passwords,” which is also experimental at the moment. It requires users to sign in and sync their account with Google.

Of the 21 recorded patched vulnerabilities, three are rated high severity, twelve medium and six low.

The most important are a use-after-free in the media component and a buffer overrun in Blink, both reported by Man Yue Mo of the Semmle Security Research Team.

The flaws are tracked as CVE-2019-13699 and CVE-2019-13700, and bug bounty rewards of $20,000 and $15,000 were paid to the reporting researcher.

The third high-severity issue in this update is CVE-2019-13701, a URL spoofing issue in navigation reported by David Erceg. Google paid a $1,000 bug bounty for it.

Some of the most relevant medium-severity issues addressed in Chrome 78 include an installer privilege elevation (CVE-2019-13702), URL spoofing (CVE-2019-13703), a CSP bypass (CVE-2019-13704) and an extension authorization bypass (CVE-2019-13705).

Google also patched other medium-severity problems, such as a file storage disclosure (CVE-2019-13706), a cross-context information leak (CVE-2019-13708), a buffer overflow in expat (CVE-2019-15903) and a cross-origin data leak (CVE-2019-13713).

The low-severity bugs addressed include a CSS issue (CVE-2019-13714), address bar spoofing (CVE-2019-13715), a service worker state failure (CVE-2019-13716), blurred alert issues (CVE-2019-13717 and CVE-2019-13719) and IDN spoofing (CVE-2019-13718).

The new browser version for Windows, Mac and Linux is now available for download as Chrome 78.0.3904.70.

Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards & w-se. Previously, he worked as a security news reporter.