Google Chrome 87.0.4280.88 Dual x86x64 Silent



 

Google has released version 87 of its Chrome web browser. Google Chrome is available for Windows, Linux and macOS. There are also versions for Android and iOS, but those follow a slightly different release schedule. Version 87 includes, among other things, improvements intended to deliver better performance and battery life. The most important changes made in version 87, besides the usual bug and security fixes, are listed below.

Faster to start, faster to load, and way more battery life

This month's update represents the largest gain in Chrome performance in years, thanks to many under-the-hood improvements. Here’s what’s starting to roll out today:

  • Chrome now prioritizes your active tabs vs. everything that’s open—reducing CPU usage by up to 5x and extending battery life by up to 1.25 hours (based on our internal benchmarks).
  • Chrome now starts up to 25 percent faster, loads pages up to 7 percent faster, and does all of this using less power and RAM than before.
  • Chrome on Android now loads pages near instantaneously when you navigate backward and forward, making these common tasks super fast.

Tabs: pin ‘em, group ‘em, and now search ‘em

Many people use tabs to organize their stuff online—from read-worthy articles, to sources of inspiration, to everyday to-do’s. This range of utility is why you can pin tabs (for those go-to pages), send tabs to your other devices and even group tabs in Chrome. This month we're adding tab search to the toolbox.

You’ll now be able to see a list of your open tabs—regardless of the window they’re in—then quickly type to find the one you need. It’s search … for your tabs! The feature is coming first to Chromebooks, then to other desktop platforms soon.

Taking action directly from the address bar

The address bar is one of those multi-sport athletes in Chrome: you can type a search, a URL, or just tap on a suggestion, and it gets you where you’d like to go. In fact, we call it the "omnibox" inside of Google (#TheMoreYouKnow).

In this release, we’re expanding what you can do in the address bar with Chrome Actions—a faster way to get things done with just a few keystrokes. For example: when you type “edit passwords,” or “delete history,” you can now take action directly from the bar. Our first set of actions—available initially on desktop—focuses on privacy and security, so you can increase your peace of mind in a few clicks.

A way to pick up where you left off

You know when you find that delicious recipe online, then you can't find it again when it’s time to cook dinner? We’ve heard similar stories from lots of people, for lots of different scenarios.

To help you jump back into activities like planning a meal, researching a holiday gift, or winding down with a video, we'll soon add cards to your new tab page in Chrome. Clicking on them will take you to recently-visited and related content on the web, and save you time in the process.

We’re starting with a few experiments in areas like cooking and shopping, and we plan to add entertainment early next year. This is definitely a new type of experience in Chrome, so we welcome your feedback.

Tab throttling and Occlusion Tracking

Knowing what tabs you’re using helps Chrome manage your computer’s resources more efficiently to get things done. We’ve made significant improvements by preventing background tabs from waking up your CPU too often, and no longer rendering tabs that you can’t see.

We investigated how background tabs use system resources and found that JavaScript Timers represent >40% of the work in background tabs. Reducing their impact on CPU and power is important to make the browser more efficient. Beginning in M87, we’re throttling JavaScript timer wake-ups in background tabs to once per minute. This reduces CPU usage by up to 5x, and extends battery life up to 1.25 hours in our internal testing. We’ve done this without sacrificing the background features that users care about, like playing music and getting notifications.

Next, we’re bringing Occlusion Tracking--which was previously added to Chrome OS and Mac--to Windows, which allows Chrome to know which windows and tabs are actually visible to you. With this information, Chrome can optimize resources for the tabs you are using, not the ones you’ve minimized, making Chrome up to 25% faster to start up and 7% faster to load pages, all while using less memory.

These updates will be gradually rolling out in M87 and our next release, M88.

Back/forward cache

How many times have you visited a website and clicked a link to go to another page, only to realize it's not what you wanted and click the back button? On mobile devices, this happens a lot: 1 in 5 navigations are a back/forward navigation. This is where a back/forward cache shines! It’s a browser optimization which enables instant back and forward navigations. In Chrome 87, our back/forward cache will make 20% of those back/forward navigations instant, with plans to increase this to 50% through further improvements and developer outreach in the near future. Here is how it works:

Back/forward cache is one of our long wished-for feature requests in Chrome and now with Chrome 87 we will gradually launch it to Chrome for Android users. Head over to this technical article to learn more about how we added back/forward cache within Chrome's multi-process architecture and if you're a web developer, learn how to make the most of the back/forward cache on your website.

 


Google Chrome 87.0.4280.88 Dual x86x64 Silent

Password: damas

 

 

Edited by 大†Shinegumi†大

The stable channel has been updated to 78.0.3904.87 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.

 

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
 
This update includes 2 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
 
[$7500][1013868] High CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin on 2019-10-12
[$TBD][1019226] High CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29
 
Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild.

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
 
 

 

A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
 
 
Srinivas Sista
Google Chrome

56 security vulnerabilities fixed

The Chrome 80 release fixes 56 security vulnerabilities, with the following discovered by external researchers:

• High CVE-2020-6381: Integer overflow in JavaScript. Reported by The UK's National Cyber Security Centre (NCSC) on 2019-12-09
• High CVE-2020-6382: Type Confusion in JavaScript. Reported by Soyeon Park and Wen Xu from SSLab, Gatech on 2019-12-08
• High CVE-2019-18197: Multiple vulnerabilities in XML. Reported by BlackBerry Security Incident Response Team on 2019-11-01
• High CVE-2019-19926: Inappropriate implementation in SQLite. Reported by Richard Lorenz, SAP on 2020-01-16
• High CVE-2020-6385: Insufficient policy enforcement in storage. Reported by Sergei Glazunov of Google Project Zero on 2019-12-18
• High CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities in SQLite. Reported by Richard Lorenz, SAP on 2020-01-03
• High CVE-2020-6387: Out of bounds write in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-01-16
• High CVE-2020-6388: Out of bounds memory access in WebAudio. Reported by Sergei Glazunov of Google Project Zero on 2020-01-16
• High CVE-2020-6389: Out of bounds write in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-01-16
• High CVE-2020-6390: Out of bounds memory access in streams. Reported by Sergei Glazunov of Google Project Zero on 2020-01-27
• Medium CVE-2020-6391: Insufficient validation of untrusted input in Blink. Reported by Michał Bentkowski of Securitum on 2019-10-24
• Medium CVE-2020-6392: Insufficient policy enforcement in extensions. Reported by Microsoft Edge Team on 2019-12-03
• Medium CVE-2020-6393: Insufficient policy enforcement in Blink. Reported by Mark Amery on 2019-12-17
• Medium CVE-2020-6394: Insufficient policy enforcement in Blink. Reported by Phil Freo on 2019-10-15
• Medium CVE-2020-6395: Out of bounds read in JavaScript. Reported by Pierre Langlois from Arm on 2019-11-08
• Medium CVE-2020-6396: Inappropriate implementation in Skia. Reported by William Luc Ritchie on 2019-12-18
• Medium CVE-2020-6397: Incorrect security UI in sharing. Reported by Khalil Zhani on 2019-11-22
• Medium CVE-2020-6398: Uninitialized use in PDFium. Reported by pdknsk on 2019-12-09
• Medium CVE-2020-6399: Insufficient policy enforcement in AppCache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
• Medium CVE-2020-6400: Inappropriate implementation in CORS. Reported by Takashi Yoneuchi (@y0n3uchy) on 2019-12-27
• Medium CVE-2020-6401: Insufficient validation of untrusted input in Omnibox. Reported by Tzachy Horesh on 2019-10-24
• Medium CVE-2020-6402: Insufficient policy enforcement in downloads. Reported by Vladimir Metnew (@vladimir_metnew) on 2019-11-28
• Medium CVE-2020-6403: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-09-19
• Medium CVE-2020-6404: Inappropriate implementation in Blink. Reported by kanchi on 2019-11-13
• Medium CVE-2020-6405: Out of bounds read in SQLite. Reported by Yongheng Chen(Ne0) & Rui Zhong(zr33) on 2020-01-15
• Medium CVE-2020-6406: Use after free in audio. Reported by Sergei Glazunov of Google Project Zero on 2020-01-15
• Medium CVE-2019-19923: Out of bounds memory access in SQLite. Reported by Richard Lorenz, SAP on 2020-01-16
• Low CVE-2020-6408: Insufficient policy enforcement in CORS. Reported by Zhong Zhaochen of andsecurity.cn on 2019-11-20
• Low CVE-2020-6409: Inappropriate implementation in Omnibox. Reported by Divagar S and Bharathi V from Karya Technologies on 2019-12-26
• Low CVE-2020-6410: Insufficient policy enforcement in navigation. Reported by evi1m0 of Bilibili Security Team on 2018-09-07
• Low CVE-2020-6411: Insufficient validation of untrusted input in Omnibox. Reported by Khalil Zhani on 2019-02-07
• Low CVE-2020-6412: Insufficient validation of untrusted input in Omnibox. Reported by Zihan Zheng (@zzh1996) of University of Science and Technology of China on 2019-05-30
• Low CVE-2020-6413: Inappropriate implementation in Blink. Reported by Michał Bentkowski of Securitum on 2019-09-19
• Low CVE-2020-6414: Insufficient policy enforcement in Safe Browsing. Reported by Lijo A.T on 2019-11-06
• Low CVE-2020-6415: Inappropriate implementation in JavaScript. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-11-30
• Low CVE-2020-6416: Insufficient data validation in streams. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2019-12-08
• Low CVE-2020-6417: Inappropriate implementation in installer. Reported by Renato "Wrath" Moraes and Altieres "FallenHawk" Rohr on 2019-12-13


The stable channel has been updated to 80.0.3987.122 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.



 

A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

 
Security Fixes and Rewards

 
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
 
This update includes 3 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
 
[$5000][1044570] High: Integer overflow in ICU. Reported by André Bargull on 2020-01-22
[N/A][1045931] High CVE-2020-6407: Out of bounds memory access in streams. Reported by Sergei Glazunov of Google Project Zero on 2020-01-27
 
This release also contains:
[N/A][1053604] High CVE-2020-6418: Type confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18
 
Google is aware of reports that an exploit for CVE-2020-6418 exists in the wild.
 
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

The stable channel has been updated to 80.0.3987.162 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.




 

A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
 
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
 
This update includes 8 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
 
[$TBD][1062247] High CVE-2020-6450: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-17
[$TBD][1061018] High CVE-2020-6451: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-12
[$N/A][1059764] High CVE-2020-6452: Heap buffer overflow in media. Reported by asnine on 2020-03-09
 
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [1066247] Various fixes from internal audits, fuzzing and other initiatives

The stable channel has been updated to 80.0.3987.163 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.


 

A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

The Chrome team is delighted to announce the promotion of Chrome 81 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.


Chrome 81.0.4044.92 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 81.


 

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


 

This update includes 32 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.


 

[$7500][1019161] High CVE-2020-6454: Use after free in extensions. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2019-10-29
[$5000][1043446] High CVE-2020-6423: Use after free in audio. Reported by Anonymous on 2020-01-18
[$3000][1059669] High CVE-2020-6455: Out of bounds read in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab, Qihoo 360 on 2020-03-09
[$2000][1031479] Medium CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
[$2000][1040755] Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
[$1000][852645] Medium CVE-2020-6431: Insufficient policy enforcement in full screen. Reported by Luan Herrera (@lbherrera_) on 2018-06-14
[$1000][965611] Medium CVE-2020-6432: Insufficient policy enforcement in navigations. Reported by David Erceg on 2019-05-21
[$1000][1043965] Medium CVE-2020-6433: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-01-21
[$500][1048555] Medium CVE-2020-6434: Use after free in devtools. Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
[$N/A][1032158] Medium CVE-2020-6435: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
[$TBD][1034519] Medium CVE-2020-6436: Use after free in window management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
[$500][639173] Low CVE-2020-6437: Inappropriate implementation in WebView. Reported by Jann Horn on 2016-08-19
[$500][714617] Low CVE-2020-6438: Insufficient policy enforcement in extensions. Reported by Ng Yik Phang on 2017-04-24
[$500][868145] Low CVE-2020-6439: Insufficient policy enforcement in navigations. Reported by remkoboonstra on 2018-07-26
[$500][894477] Low CVE-2020-6440: Inappropriate implementation in extensions. Reported by David Erceg on 2018-10-11
[$500][959571] Low CVE-2020-6441: Insufficient policy enforcement in omnibox. Reported by David Erceg on 2019-05-04
[$500][1013906] Low CVE-2020-6442: Inappropriate implementation in cache. Reported by B@rMey on 2019-10-12
[$500][1040080] Low CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
[$N/A][922882] Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
[$N/A][933171] Low CVE-2020-6445: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
[$N/A][933172] Low CVE-2020-6446: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
[$N/A][991217] Low CVE-2020-6447: Inappropriate implementation in developer tools. Reported by David Erceg on 2019-08-06
[$N/A][1037872] Low CVE-2020-6448: Use after free in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26


 

Thanks also to Hosein Askari for identifying a vulnerability with the Chromium website.


 

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [1067891] Various fixes from internal audits, fuzzing and other initiatives


 

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
 
Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
 
Thank you,
Prudhvikumar Bommana

The stable channel has been updated to 81.0.4044.113 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.

A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 1 security fix. Please see the Chrome Security Page for more information.

[$TBD][1067851] Critical CVE-2020-6457: Use after free in speech recognizer. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2020-04-04

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.


The stable channel has been updated to 81.0.4044.122 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.





A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

 
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
 
This update includes 8 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
 
[$20000][1065298] High CVE-2020-6459: Use after free in payments. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-27
[$15000][1063566] High CVE-2020-6460: Insufficient data validation in URL formatting. Reported by Anonymous on 2020-03-21
[$5000][1067270] High CVE-2020-6458: Out of bounds read and write in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-04-02
 
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [1072815] Various fixes from internal audits, fuzzing and other initiatives

The stable channel has been updated to 81.0.4044.138 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.





A list of all changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
 

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

 

This update includes 3 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

 

[$N/A][1073602] High CVE-2020-6831: Stack buffer overflow in SCTP. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-22
[$7500][1071059] High CVE-2020-6464: Type Confusion in Blink. Reported by Looben Yang on 2020-04-15

 

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [1077866] Various fixes from internal audits, fuzzing and other initiatives

Other developer features in this release include:

  • ARIA Annotations: New ARIA annotations support screen reader accessibility for comments, suggestions, and text highlights with semantic meanings (similar to <mark>). Additionally, related information can now be tied semantically to an element allowing descriptions, definitions, footnotes, and comments to be tied to another element.
  • ‘auto’ keyword for ‘-webkit-appearance’ CSS property: The -webkit-appearance CSS property has a new auto keyword, which indicates the default appearance of the target element. This is a step on the way to replacing the nonstandard -webkit-appearance property with a future fully standardized appearance property.
  • Barcode Detection API: Chrome now supports the Barcode Detection API, a subset of the Shape Detection API which provides the ability to detect and decode barcodes in an image provided by a script. The image may come from any type of image buffer source such as an <image>, <video>, or <canvas> tag. Previously, supporting barcode detection on a web page required inclusion of a large third-party library. This API is only available on devices with Google Play Services installed and is not available on uncertified devices.
  • CSS contain-intrinsic-size: The contain-intrinsic-size property allows developers to specify a placeholder size which would be used while contain: size is applied. With contain-intrinsic-size specified, elements lay out as if they had a single child with fixed size, the one specified by this property, unless they have an explicit width/height. The motivation for the property is to provide a placeholder sizing for subtree content which is either not yet available or not rendered. There was previously no way to provide this other than sizing the element itself which may not be desirable as it affects how the element lays out in its container. Examples are available from the WICG.
  • CSS Color Adjust: Many operating systems now have a “dark mode” preference. Some browsers already offer an option to transform web pages into a dark theme. The prefers-color-scheme media query lets authors support their own dark theme so they have full control over experiences they build. The meta tag lets a site explicitly opt in to fully supporting a dark theme so that the browser loads a different user agent sheet and never applies transformations.
  • display:inline-grid/grid/inline-flex/flex for <button>: The display keywords inline-grid, grid, inline-flex, and flex now function with the <button> element when the align property is applied. (Demo)
  • ES Modules for shared workers (‘module’ type option): JavaScript now supports modules in shared workers. Setting module type by the constructor’s type attribute, worker scripts are loaded as ES modules and the import statement is available in worker contexts. With this feature, web developers can more easily write programs in a composable way and share them among a page and workers.
  • Improvements to font-display: A few changes have been made to the way font-display works on Chrome. Setting font-display to optional no longer causes relayout. Web font preloading is allowed to slightly block rendering (for all font-display values), so that if the font loads fast enough, Chrome doesn’t need to render with fallback.
  • IndexedDB relaxed durability transactions: IDBDatabase.transaction() now accepts an optional durability argument to control flushing of data to storage. This allows developers to explicitly trade off durability for performance. Previously after writing an IndexedDB transaction, Firefox did not flush to disk but Chrome did. This provided increased durability by guaranteeing that data is written to the device’s disk rather than merely to an intermediate OS cache. Unfortunately, this comes with a significant performance cost. Valid options are "default", "strict", and "relaxed". The "default" option uses whatever behavior is provided by the user agent and is currently the default. An example is shown below. The current value may be read using IDBTransaction.durability.
  • Out-Of-Renderer Cross-Origin Resource Sharing: Out-Of-Renderer Cross-Origin Resource Sharing (OOR-CORS) is a new CORS implementation that inspects network accesses. Chrome’s previous CORS implementation was only available to Blink core parts, XHR, and Fetch APIs, while a simplified implementation was used in other parts of the application. HTTP requests made by some internal modules could not be inspected for CORS at all. The new implementation addresses these shortcomings.
  • Reversed range for <input type=time>: Chrome now supports reversed ranges for <input> elements whose type is time, allowing developers to express time inputs that cross midnight. A reversed range is one where the maximum is less than the minimum. In this state, the input allows values that are less than the minimum or greater than the maximum, but not between them. This functionality has been in the specification for many years, but has not yet been implemented in Chrome.
  • Support “JIS-B5” and “JIS-B4” @page: Chrome now supports two page sizes for the @page rule, both listed in the CSS Paged Media Module Level 3 spec.
  • @supports selector() feature query function: The new @supports function provides feature detection for CSS selectors. Web authors can use this feature to query whether the UA supports the selector before they actually try to apply the specified style rules matching the selector.
  • RTCPeerConnection.canTrickleIceCandidates: The canTrickleIceCandidates boolean property indicates whether a remote peer is capable of handling trickle candidates. It exposes information from the SDP session description.
  • RTCRtpEncodingParameters.maxFramerate: This encoding parameter allows developers to limit the framerate on a video layer before sending. Use RTCRtpSender.setParameters() to set the new framerate, which takes effect after the current picture is complete. Read it back using RTCRtpEncodingParameters.maxFramerate. Setting maxFramerate to 0 freezes the video on the next frame.
  • RTCRtpSendParameters.degradationPreference: A new attribute for RTCRtpSendParameters called degradationPreference allows developers to control how quality degrades when constraints such as bandwidth or CPU prevent encoding at the configured frame rate and resolution. For example, on a screen share app, users will probably prefer screen legibility over animations. On a video conference users likely prefer a smooth frame rate over a higher resolution. Valid values for degradationPreference are "maintain-framerate", "maintain-resolution", and "balanced".
  • WebXR DOM Overlay: DOM overlay is a feature for immersive AR on handheld devices that lets two-dimensional page content be shown as an interactive transparent layer on top of the WebXR content and camera image. With this feature, developers can use the DOM to create user interfaces for WebXR experiences. For VR, inline sessions are by definition within the DOM. For AR, though, there is no inline mode, making this particularly important for certain use cases. To try the feature, use one of the two samples in Chrome 83. This feature is currently only available on ARCore-based handheld devices.

For a full rundown of what’s new, check out the Chrome 83 milestone hotlist.


This update includes 38 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information. 

  • [$TBD][1103195] Critical CVE-2020-6510: Heap buffer overflow in background fetch. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-07-08
  • [$5000][1074317] High CVE-2020-6511: Side-channel information leakage in content security policy. Reported by Mikhail Oblozhikhin on 2020-04-24
  • [$5000][1084820] High CVE-2020-6512: Type Confusion in V8. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2020-05-20
  • [$2000][1091404] High CVE-2020-6513: Heap buffer overflow in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-06-04
  • [$TBD][1076703] High CVE-2020-6514: Inappropriate implementation in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-30 
  • [$TBD][1082755] High CVE-2020-6515: Use after free in tab strip. Reported by DDV_UA on 2020-05-14
  • [$TBD][1092449] High CVE-2020-6516: Policy bypass in CORS. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2020-06-08
  • [$TBD][1095560] High CVE-2020-6517: Heap buffer overflow in history. Reported by ZeKai Wu (@hellowuzekai) of Tencent Security Xuanwu Lab on 2020-06-16
  • [$3000][986051] Medium CVE-2020-6518: Use after free in developer tools. Reported by David Erceg on 2019-07-20
  • [$3000][1064676] Medium CVE-2020-6519: Policy bypass in CSP. Reported by Gal Weizman (@WeizmanGal) of PerimeterX on 2020-03-25
  • [$1000][1092274] Medium CVE-2020-6520: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-08
  • [$500][1075734] Medium CVE-2020-6521: Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2020-04-27
  • [$TBD][1052093] Medium CVE-2020-6522: Inappropriate implementation in external protocol handlers. Reported by Eric Lawrence of Microsoft on 2020-02-13
  • [$N/A][1080481] Medium CVE-2020-6523: Out of bounds write in Skia. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-05-08
  • [$N/A][1081722] Medium CVE-2020-6524: Heap buffer overflow in WebAudio. Reported by Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University on 2020-05-12
  • [$N/A][1091670] Medium CVE-2020-6525: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-05
  • [$1000][1074340] Low CVE-2020-6526: Inappropriate implementation in iframe sandbox. Reported by Jonathan Kingston on 2020-04-24
  • [$500][992698] Low CVE-2020-6527: Insufficient policy enforcement in CSP. Reported by Zhong Zhaochen of andsecurity.cn on 2019-08-10
  • [$500][1063690] Low CVE-2020-6528: Incorrect security UI in basic auth. Reported by Rayyan Bijoora on 2020-03-22
  • [$N/A][978779] Low CVE-2020-6529: Inappropriate implementation in WebRTC. Reported by kaustubhvats7 on 2019-06-26
  • [$N/A][1016278] Low CVE-2020-6530: Out of bounds memory access in developer tools. Reported by myvyang on 2019-10-21
  • [$TBD][1042986] Low CVE-2020-6531: Side-channel information leakage in scroll to text. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-01-17
  • [$N/A][1069964] Low CVE-2020-6533: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-04-11
  • [$N/A][1072412] Low CVE-2020-6534: Heap buffer overflow in WebRTC. Reported by Anonymous on 2020-04-20
  • [$TBD][1073409] Low CVE-2020-6535: Insufficient data validation in WebUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-22
  • [$TBD][1080934] Low CVE-2020-6536: Incorrect security UI in PWAs. Reported by Zhiyang Zeng of Tencent security platform department on 2020-05-09
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes: 
  • [1105224] Various fixes from internal audits, fuzzing and other initiatives

Security fixes

Chrome 85 implements 20 security fixes. External researchers found the following:

  • [$N/A][1109120] High CVE-2020-6558: Insufficient policy enforcement in iOS. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-24
  • [$TBD][1116706] High CVE-2020-6559: Use after free in presentation API. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-08-15
  • [$5000][1108181] Medium CVE-2020-6560: Insufficient policy enforcement in autofill. Reported by Nadja Ungethuem from www.unnex.de on 2020-07-22
  • [$1000][932892] Medium CVE-2020-6561: Inappropriate implementation in Content Security Policy. Reported by Rob Wu on 2019-02-16
  • [$1000][1086845] Medium CVE-2020-6562: Insufficient policy enforcement in Blink. Reported by Masato Kinugawa on 2020-05-27
  • [$1000][1104628] Medium CVE-2020-6563: Insufficient policy enforcement in intent handling. Reported by Pedro Oliveira on 2020-07-12
  • [$500][841622] Medium CVE-2020-6564: Incorrect security UI in permissions. Reported by Khalil Zhani on 2018-05-10
  • [$500][1029907] Medium CVE-2020-6565: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-12-02
  • [$N/A][1065264] Medium CVE-2020-6566: Insufficient policy enforcement in media. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-03-27
  • [$500][937179] Low CVE-2020-6567: Insufficient validation of untrusted input in command line handling. Reported by Joshua Graham of TSS on 2019-03-01
  • [$500][1092451] Low CVE-2020-6568: Insufficient policy enforcement in intent handling. Reported by Yongke Wang (@Rudykewang) and Aryb1n (@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • [$N/A][995732] Low CVE-2020-6569: Integer overflow in WebUSB. Reported by guaixiaomei on 2019-08-20
  • [$N/A][1084699] Low CVE-2020-6570: Side-channel information leakage in WebRTC. Reported by Signal/Tenable on 2020-05-19
  • [$N/A][1085315] Low CVE-2020-6571: Incorrect security UI in Omnibox. Reported by Rayyan Bijoora on 2020-05-21
  • [1121299] Various fixes from internal audits, fuzzing and other initiatives

Google therefore spent at least $10,000 on bug bounties for this release, a small amount compared with its usual spending. As always, the security fixes alone should be incentive enough for you to update.
