Author Topic: Chrome 80 Released With 56 Security Fixes, Cookie Changes, More  (Read 136 times)

Offline javajolt

« on: February 05, 2020, 02:51:34 PM »
Google has released Chrome 80 today, February 4th, 2020, to the Stable desktop channel for the Windows, macOS, Linux, Chrome OS, iOS, and Android platforms with bug fixes, new features, and 56 security fixes.

Included are new features such as a new secure-by-default cookie classification system, auto-upgraded mixed content, text URL fragments, SVG favicons, and more.

Windows, Mac, and Linux desktop users can upgrade to Chrome 80.0.3987.87 by going to Settings -> Help -> About Google Chrome and the browser will automatically check for the new update and install it when available. Android and iOS users can update Chrome from their respective App stores.


With Chrome 80 now being promoted to the Stable channel, Chrome 81 will soon (February 13th) be the Beta version and Chrome 82 will be the Canary version.

A full list of all security fixes in this release is available in the Chrome 80 changelog, while the Chromium browser changes for Chrome 80 are listed here.

SameSite Cookie Changes

The highlight of the Google Chrome 80 version is the enforcement of a secure-by-default cookie classification system designed to treat cookies without a SameSite value as SameSite=Lax cookies.

According to Google, only cookies set as SameSite=None; Secure will be available in third-party contexts, with the condition of being accessed from secure connections.

This change was announced in May 2019, when Google also published developer guidance for securing sites by marking cross-site cookies. This was followed by a subsequent reminder with additional context issued in October 2019.

Firefox also implemented this new behavior starting with version 69 and plans to make it a default behavior in the future. Microsoft is also planning to change the default cookie behavior starting with Edge 80.

"The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initially limited population starting the week of February 17, 2020, excluding the US President’s Day holiday on Monday," according to the Chromium Project.


Auto-upgraded mixed content

Chrome 80 also auto-upgrades optionally-blockable mixed content (HTTP content in HTTPS sites) by automatically rewriting the URL to HTTPS, without providing an HTTP fallback, and blocks that content by default if it fails to load over https://.

In this release, only audio and video content will be upgraded with mixed images still being allowed to load. They will, however, be marked with a 'Not Secure' chip in the Omnibox.

"Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning," Google says.


Mixed content marked as insecure (Google)

SVG favicons and text URL fragments

Chrome 80 also adds support for using scalable SVG images as favicons which should reduce the number of such resources required for a website or app.

For instance, designers can use hand-tuned icons for smaller sizes and a scalable SVG icon for all other sizes needed across the site.

The new Chrome version also enables authors and users to link to a specific portion of a webpage by adding a text fragment from the page to the website URL.

When that page is loaded in the browser, that text will be highlighted and Chrome will automatically scroll the fragment into view.

Developer tools changes

Chrome 80 also comes with a selection of DevTools changes and improvements including but not limited to:

   • Support for let and class redeclarations

   • Improved WebAssembly debugging

   • Network Panel updates

   • Request Initiator Chains in the Initiator tab

   • URL and path columns in the Network panel

   • Updated User-Agent strings

   • New configuration UI

   • Per-function or per-block coverage modes

A detailed blog post on what's new in Chrome 80's developer tools is available here.

Chrome 80 also comes with a long list of deprecated and removed features available on the Chrome Platform Status page.

56 security vulnerabilities fixed

The Chrome 80 release fixes 56 security vulnerabilities, with the following discovered by external researchers:

Quote
• High CVE-2020-6381: Integer overflow in JavaScript. Reported by The UK's National Cyber Security Centre (NCSC) on 2019-12-09

• High CVE-2020-6382: Type Confusion in JavaScript. Reported by Soyeon Park and Wen Xu from SSLab, Gatech on 2019-12-08

• High CVE-2019-18197: Multiple vulnerabilities in XML. Reported by BlackBerry Security Incident Response Team on 2019-11-01

• High CVE-2019-19926: Inappropriate implementation in SQLite. Reported by Richard Lorenz, SAP on 2020-01-16

• High CVE-2020-6385: Insufficient policy enforcement in storage. Reported by Sergei Glazunov of Google Project Zero on 2019-12-18

• High CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities in SQLite. Reported by Richard Lorenz, SAP on 2020-01-03

• High CVE-2020-6387: Out of bounds write in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-01-16

• High CVE-2020-6388: Out of bounds memory access in WebAudio. Reported by Sergei Glazunov of Google Project Zero on 2020-01-16

• High CVE-2020-6389: Out of bounds write in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-01-16

• High CVE-2020-6390: Out of bounds memory access in streams. Reported by Sergei Glazunov of Google Project Zero on 2020-01-27

• Medium CVE-2020-6391: Insufficient validation of untrusted input in Blink. Reported by Michał Bentkowski of Securitum on 2019-10-24

• Medium CVE-2020-6392: Insufficient policy enforcement in extensions. Reported by Microsoft Edge Team on 2019-12-03

• Medium CVE-2020-6393: Insufficient policy enforcement in Blink. Reported by Mark Amery on 2019-12-17

• Medium CVE-2020-6394: Insufficient policy enforcement in Blink. Reported by Phil Freo on 2019-10-15

• Medium CVE-2020-6395: Out of bounds read in JavaScript. Reported by Pierre Langlois from Arm on 2019-11-08

• Medium CVE-2020-6396: Inappropriate implementation in Skia. Reported by William Luc Ritchie on 2019-12-18

• Medium CVE-2020-6397: Incorrect security UI in sharing. Reported by Khalil Zhani on 2019-11-22

• Medium CVE-2020-6398: Uninitialized use in PDFium. Reported by pdknsk on 2019-12-09

• Medium CVE-2020-6399: Insufficient policy enforcement in AppCache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07

• Medium CVE-2020-6400: Inappropriate implementation in CORS. Reported by Takashi Yoneuchi (@y0n3uchy) on 2019-12-27

• Medium CVE-2020-6401: Insufficient validation of untrusted input in Omnibox. Reported by Tzachy Horesh on 2019-10-24

• Medium CVE-2020-6402: Insufficient policy enforcement in downloads. Reported by Vladimir Metnew (@vladimir_metnew) on 2019-11-28

• Medium CVE-2020-6403: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-09-19

• Medium CVE-2020-6404: Inappropriate implementation in Blink. Reported by kanchi on 2019-11-13

• Medium CVE-2020-6405: Out of bounds read in SQLite. Reported by Yongheng Chen(Ne0) & Rui Zhong(zr33) on 2020-01-15

• Medium CVE-2020-6406: Use after free in audio. Reported by Sergei Glazunov of Google Project Zero on 2020-01-15

• Medium CVE-2019-19923: Out of bounds memory access in SQLite. Reported by Richard Lorenz, SAP on 2020-01-16

• Low CVE-2020-6408: Insufficient policy enforcement in CORS. Reported by Zhong Zhaochen of andsecurity.cn on 2019-11-20

• Low CVE-2020-6409: Inappropriate implementation in Omnibox. Reported by Divagar S and Bharathi V from Karya Technologies on 2019-12-26

• Low CVE-2020-6410: Insufficient policy enforcement in navigation. Reported by evi1m0 of Bilibili Security Team on 2018-09-07

• Low CVE-2020-6411: Insufficient validation of untrusted input in Omnibox. Reported by Khalil Zhani on 2019-02-07

• Low CVE-2020-6412: Insufficient validation of untrusted input in Omnibox. Reported by Zihan Zheng (@zzh1996) of University of Science and Technology of China on 2019-05-30

• Low CVE-2020-6413: Inappropriate implementation in Blink. Reported by Michał Bentkowski of Securitum on 2019-09-19

• Low CVE-2020-6414: Insufficient policy enforcement in Safe Browsing. Reported by Lijo A.T on 2019-11-06

• Low CVE-2020-6415: Inappropriate implementation in JavaScript. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-11-30

• Low CVE-2020-6416: Insufficient data validation in streams. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2019-12-08

• Low CVE-2020-6417: Inappropriate implementation in installer. Reported by Renato "Wrath" Moraes and Altieres "FallenHawk" Rohr on 2019-12-13

source
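
The SameSite rules described under "SameSite Cookie Changes" can be checked against a site's own Set-Cookie headers before the rollout reaches its users. The following is an added example, not code from the article or from Google; the function names and the sample headers are constructed for illustration.

```javascript
// Added example: how Chrome 80 treats a Set-Cookie header under the new rules.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

function classifyCookie(header) {
  const c = parseSetCookie(header);
  switch (c.sameSite) {
    case "none":
      // SameSite=None is only honoured together with Secure.
      return c.secure
        ? { name: c.name, effective: "None", thirdParty: true, action: "ok" }
        : { name: c.name, effective: "rejected", thirdParty: false, action: "add Secure" };
    case "strict":
      return { name: c.name, effective: "Strict", thirdParty: false, action: "ok" };
    case "lax":
      return { name: c.name, effective: "Lax", thirdParty: false, action: "ok" };
    default:
      // No SameSite attribute: treated as Lax by default. An unrecognised
      // value is handled the same way in this example.
      return { name: c.name, effective: "Lax", thirdParty: false, action: "declare SameSite explicitly" };
  }
}

// Constructed sample headers, not taken from any real site.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",
  "widget=xyz; SameSite=None",
  "embed=42; SameSite=None; Secure",
  "csrf=t0k3n; SameSite=Strict; Secure",
];

// Return only the cookies whose behaviour changes or that need a fix.
function auditCookies(headers) {
  return headers.map(classifyCookie).filter((r) => r.action !== "ok");
}

console.log(auditCookies(SAMPLE_HEADERS));
```

Cookies reported with "declare SameSite explicitly" keep working in first-party use but stop being sent in third-party contexts, which is the case to look for in embedded widgets and cross-site login flows.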
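
For the "Auto-upgraded mixed content" section, a page author can list which subresources Chrome 80 will rewrite and which it will only flag. This is an added example, not code from the article or from Google; the function names, the regex-based tag scan (a simplification of real HTML parsing) and the sample markup are assumptions made for illustration.

```javascript
// Added example: classify http:// subresources of an HTTPS page the way the
// article describes Chrome 80 handling them.
function classifyMixedContent(pageUrl, html) {
  if (new URL(pageUrl).protocol !== "https:") return []; // only HTTPS pages have mixed content
  const findings = [];
  // Simplified scan: src attribute of audio, video and img tags only.
  const tagRe = /<(audio|video|img)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, rawTag, src] of html.matchAll(tagRe)) {
    const url = new URL(src, pageUrl); // resolves relative URLs against the page
    if (url.protocol !== "http:") continue;
    const tag = rawTag.toLowerCase();
    if (tag === "img") {
      // Images still load in Chrome 80, but the page is marked 'Not Secure'.
      findings.push({ tag, url: url.href, action: "allowed-not-secure" });
    } else {
      // Audio and video are rewritten to HTTPS with no HTTP fallback.
      const original = url.href;
      url.protocol = "https:";
      findings.push({ tag, url: original, action: "auto-upgraded", upgradedUrl: url.href });
    }
  }
  return findings;
}

// True if a Content-Security-Policy value carries one of the two directives
// Google names for avoiding the warning.
function cspHandlesMixedContent(csp) {
  const directives = csp.split(";").map((d) => d.trim().split(/\s+/)[0].toLowerCase());
  return directives.includes("upgrade-insecure-requests") ||
         directives.includes("block-all-mixed-content");
}

// Constructed sample markup and policy values.
const SAMPLE_HTML = `
  <video controls src="http://media.example/clip.mp4"></video>
  <img alt="logo" src="http://cdn.example/logo.png">
  <img alt="ok" src="https://cdn.example/ok.png">
  <audio src="/local/sound.ogg"></audio>`;

console.log(classifyMixedContent("https://shop.example/", SAMPLE_HTML));
console.log(cspHandlesMixedContent("default-src 'self'; upgrade-insecure-requests"));
```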