Earlier this week, the Chromium team announced the release of Chrome 76 for desktop on Windows, Mac and Linux. As always, the Chrome OS update should follow in roughly a week or so, but we have plenty to unpack from the Chrome browser. So, sit back and check out what’s new with Chrome 76 for desktop.
Chrome continues to focus on security. So much so that Google has doubled or even tripled the bounties awarded for finding bugs in the software. Those rewards extend to Chrome OS, as well. Google is offering $150,000 to anyone who can compromise a Chromebook or Chromebox from guest mode.
The latest version of Chrome included quite a few of these rewards, stemming from more than a dozen security patches. In all, more than $28,000 was rewarded to the individuals responsible for identifying the vulnerabilities. Here’s a rundown of the bugs and rewards, where applicable (not all bugs result in monetary compensation).
- [$10000] High CVE-2019-5850: Use-after-free in offline page fetcher. Reported by Brendon Tiszka on 2019-06-21
- [$6000] High CVE-2019-5860: Use-after-free in PDFium. Reported by Anonymous on 2019-04-26
- [$3000] High CVE-2019-5853: Memory corruption in regexp length check. Reported by yngwei(@yngweijw) of IIE Varas and sakura(@eternalsakura13) of Tencent Xuanwu Lab on 2019-06-19
- [$3000] High CVE-2019-5851: Use-after-poison in offline audio context. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2019-06-20
- [$TBD] High CVE-2019-5859: res: URIs can load alternative browsers. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2019-05-03
- [$5000] Medium CVE-2019-5856: Insufficient checks on filesystem: URI permissions. Reported by Yongke Wang of Tencent’s Xuanwu Lab (xlab.tencent.com) on 2019-05-17
- [$N/A] Medium CVE-2019-5863: Use-after-free in WebUSB on Windows. Reported by Yuxiang Li (@Xbalien29) of Tencent Security Platform Department on 2019-03-19
- [$N/A] Medium CVE-2019-5855: Integer overflow in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-20
- [$TBD] Medium CVE-2019-5865: Site isolation bypass from compromised renderer. Reported by Ivan Fratric of Google Project Zero on 2019-06-11
- [$500] Low CVE-2019-5858: Insufficient filtering of Open URL service parameters. Reported by evi1m0 of Bilibili Security Team on 2019-05-07
- [$500] Low CVE-2019-5864: Insufficient port filtering in CORS for extensions. Reported by Devin Grindle on 2019-02-28
- [$TBD] Low CVE-2019-5862: AppCache not robust to compromised renderers. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-26
- [$TBD] Low CVE-2019-5861: Click location incorrectly checked. Reported by Robin Linus ( robinlinus.com ) on 2019-04-10
- [$N/A] Low CVE-2019-5857: Comparison of -0 and null yields crash. Reported by cloudfuzzer on 2019-05-09
- [$N/A] Low CVE-2019-5854: Integer overflow in PDFium text rendering. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-23
- [$TBD] Low CVE-2019-5852: Object leak of utility functions. Reported by David Erceg on 2019-06-19
Hats off to these individuals and teams for keeping our beloved browser safe and secure. Keep up the good work.
Incognito goes incognito
In a controversial change, Chrome’s Incognito Mode will no longer report to the site that you’re browsing that you are incognito. This comes to the dismay of many publishers who leverage the now broken API to implement paywalls and prevent users from consuming more than a handful of articles.
Progressive Web Apps continue their expansion across the web and Chrome has embraced them wholeheartedly. If a website meets the given criteria, a new “install” button will appear on the right side of the Omnibox (URL bar), prompting users to install the site’s PWA. Below, you can see an example of the flow from Hulu. The site will now be installed as a PWA and act more like a windowed app than a website. If you are on 76, I highly recommend installing Twitter’s PWA.
For mobile, Chrome developers have provided the tools for webmasters to prevent the native PWA install UI in favor of their own installation call. Additionally, the Web APK created for mobile will now be checked for updates daily, as opposed to the previous check every three days.
Dark Mode the web
Dark Mode is all the rage these days and Chrome is on the bandwagon, albeit they’re taking a unique approach. Chrome as an application will have its own Dark Mode across all platforms in the very near future, but developers have given us the tools to prepare our websites for optimizing the user experience.
If you are a web developer, this news will likely make you a little warm and fuzzy. You can now use the media query prefers-color-scheme to serve your website based on the user’s applied theme or “mode.” You can read more on how to implement this into your website on Tom Steiner’s web.dev blog post.
There are a few more changes under the hood of Chrome 76 and you can read about them here if you’re interested. We’ll be on the lookout for Chrome OS 76 to arrive next week and are anxious to see what features make it up the ladder with this update. Stay tuned.
Source: Chrome Releases