Chrome 72 arrives with code injection blocking
Google today launched Chrome 72 for Windows, Mac, and Linux. The release includes code injection blocking and new developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers often must make an effort to stay on top of everything available — as well as what has been deprecated or removed.
This isn’t a major release — there aren’t many new features to cover. Chrome 72 for Windows, however, blocks code injections, reducing crashes caused by third-party software.
The initiative to block code injections in Chrome started last year, with warnings letting users know that Chrome was fighting back. Those warnings are now gone and Chrome blocks code injections full stop.
When Google first announced the move, the company noted that roughly two-thirds of Windows Chrome users have other applications on their machines that interact with Chrome, such as accessibility or antivirus software, and that Chrome users with software that injects code are 15 percent more likely to experience crashes. So Google decided enough was enough.
Android and iOS
Chrome 72 for Android is out, but as usual there is no changelog on Google Play. Chrome 72 for iOS meanwhile is available on Apple’s App Store with the following changelog:
- Support for more search engines. To add another search engine, perform a search on that website in Chrome. Then visit Chrome settings to add the search engine.
- Fixed crashes on some page translations and added translations on previously untranslated websites.
- A Siri Shortcut to start a new search is available.
None of these are massive, but they are certainly welcome.
Security fixes and improvements
Chrome 72 also implements 58 security fixes. The following were found by external researchers:
- [$7500] Critical CVE-2019-5754: Inappropriate implementation in QUIC Networking. Reported by Klzgrad on 2018-12-12
- [$5000] High CVE-2019-5755: Inappropriate implementation in V8. Reported by Jay Bosamiya on 2018-12-10
- [$5000] High CVE-2019-5756: Use after free in PDFium. Reported by Anonymous on 2018-10-14
- [$3000] High CVE-2019-5757: Type Confusion in SVG. Reported by Alexandru Pitis, Microsoft Browser Vulnerability Research on 2018-12-15
- [$3000] High CVE-2019-5758: Use after free in Blink. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-11
- [$3000] High CVE-2019-5759: Use after free in HTML select elements. Reported by Almog Benin on 2018-12-05
- [$3000] High CVE-2019-5760: Use after free in WebRTC. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-05
- [$3000] High CVE-2019-5761: Use after free in SwiftShader. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-13
- [$3000] High CVE-2019-5762: Use after free in PDFium. Reported by Anonymous on 2018-10-31
- [$1000] High CVE-2019-5763: Insufficient validation of untrusted input in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-12-13
- [$1000] High CVE-2019-5764: Use after free in WebRTC. Reported by Eyal Itkin from Check Point Software Technologies on 2018-12-09
- [$N/A] High: Use after free in FileAPI. Reported by Mark Brand of Google Project Zero on 2019-01-16
- [$TBD] High CVE-2019-5765: Insufficient policy enforcement in the browser. Reported by Sergey Toshin (@bagipro) on 2019-01-16
- [$N/A] High: Use after free in Mojo interface. Reported by Mark Brand of Google Project Zero on 2018-12-18
- [$N/A] High: Use after free in Payments. Reported by Mark Brand of Google Project Zero on 2018-12-07
- [$N/A] High: Use after free in Mojo interface. Reported by Mark Brand of Google Project Zero on 2018-12-06
- [$N/A] High: Stack buffer overflow in Skia. Reported by Ivan Fratric of Google Project Zero on 2018-10-29
- [$4000] Medium CVE-2019-5766: Insufficient policy enforcement in Canvas. Reported by David Erceg on 2018-11-20
- [$2000] Medium CVE-2019-5767: Incorrect security UI in WebAPKs. Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao from Indiana University Bloomington on 2018-11-06
- [$2000] Medium CVE-2019-5768: Insufficient policy enforcement in DevTools. Reported by Rob Wu on 2018-01-24
- [$1000] Medium CVE-2019-5769: Insufficient validation of untrusted input in Blink. Reported by Guy Eshel on 2018-12-11
- [$1000] Medium CVE-2019-5770: Heap buffer overflow in WebGL. Reported by Emailed on 2018-11-27
- [$1000] Medium CVE-2019-5771: Heap buffer overflow in SwiftShader. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-12
- [$500] Medium CVE-2019-5772: Use after free in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-11-26
- [$N/A] Medium CVE-2019-5773: Insufficient data validation in IndexedDB. Reported by Yongke Wang of Tencent’s Xuanwu Lab (xlab.tencent.com) on 2018-12-24
- [$N/A] Medium CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing. Reported by ASKED on 2018-11-11
- [$N/A] Medium CVE-2019-5775: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18
- [$N/A] Medium CVE-2019-5776: Insufficient policy enforcement in Omnibox. Reported by Lnyas Zhang on 2018-07-14
- [$N/A] Medium CVE-2019-5777: Insufficient policy enforcement in Omnibox. Reported by Khalil Zhani on 2018-06-04
- [$500] Low CVE-2019-5778: Insufficient policy enforcement in Extensions. Reported by David Erceg on 2019-01-02
- [$500] Low CVE-2019-5779: Insufficient policy enforcement in ServiceWorker. Reported by David Erceg on 2018-11-11
- [$500] Low CVE-2019-5780: Insufficient policy enforcement. Reported by Andreas Hegenberg (folivora.AI GmbH) on 2018-10-03
- [$N/A] Low CVE-2019-5781: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18
- [$N/A] Various fixes from internal audits, fuzzing and other initiatives
Google thus spent at least $50,500 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.
Chrome 72 allows the declaration of public class fields in scripts; support for private class fields is coming soon. To implement public class fields, declare them inside a class declaration but outside of any member functions (they can be either initialized or uninitialized). Declaring class fields is meant to make class definitions more self-documenting and ensure class instances go through fewer transitions.
Next, Chrome 72 implements the User Activation Query API, used for querying whether there has been a user activation. This is useful for APIs that are deliberately restricted to avoid annoying web page behaviors and allows embedded iframes to vet postMessage() calls to determine whether they occurred within the context of a user activation.
Other developer features in this release include:
- Cache API: The
Cache.prototype.addAll()API, which allows multiple entries to be added to the cache at once, previously violated a specification requirement that each request/response pair avoid overwriting another entry being added in the same call. Chrome would resolve such conflicts by storing the later entry and ignoring the earlier one.
Cache.prototype.addAll()now rejects with an
- Intl.ListFormat: The new
Intl.ListFormat() APIhelps libraries and frameworks format a list in a localized fashion by providing internationalized messages using a customary local word or phrase when available.
FetchEvent.resultingClientId, set on navigation requests or requests for workers, is the ID of the client, either a document or a worker, and is created by the request. It’s useful for associating the main resource request from a document with subsequent subresource requests from the same document, for example, for logging and metrics purposes.
- FetchEvents on requests for same-origin favicons: Previously, technical limitations prevented service workers from receiving
FetchEventobjects for favicon requests. Now, service workers will receive
FetchEventobjects as long as the request URL is on the same origin as the service worker.
- MediaStreamTrack resizeMode constraint: A new property controls how the browser derives the resolution of a
MediaStreamTrack. There are two supported values:
"none"(the track has the native resolution provided by the camera, its driver, or the operating system) and
"crop-and-scale"(the browser may use cropping and re-scaling to adjust the resolution of the video produced by the camera). This feature allows applications to improve consistency across browsers, and to use only native resolutions when desired.
- RTC: Chrome now supports
RTCPeerConnection.connectionState, which is an aggregate value computed from the transport states of the peerconnection’s underlying ICE and DTLS transports. It’s intended to provide a more complete overview of the connection state than
RTCPeerConnection.iceConnectionState, which is only supposed to be based on the ICE transports.
- Well-formed JSON.stringify: A Stage 3 ECMAScript proposal changes
JSON.stringify()to prevent it from returning ill-formed Unicode strings. Previously,
JSON.stringify()would output lone surrogates themselves if the input contained any. With this change,
JSON.stringify()outputs escape sequences for lone surrogates, making its output valid Unicode (and representable in UTF-8).
- Worker unhandled exception propagation: For dedicated workers, unhandled errors now propagate to the parent context and the error reporting process begins again one layer up (for example, to the window’s onerror handler). This allows for errors to be propagated up to the original document, giving developers the freedom to choose when and how to handle worker errors.
- Interoperable File.webkitRelativePath property: The
File.webkitRelativePathof the File interface previously returned a value different from other major browsers, now it returns the same value.
- Treat ‘#’ as ending data URI body content: Chrome currently allows ‘#” symbols to exist in the body of a data URI in violation of the URL specification. More specifically, it treats a ‘#’ as both part of the data body and the start of the URL fragment such that there is an overlap between the two components. Chrome now aligns with both the specification and Firefox by treating the first ‘#’ of a data URL as the end of the data body and the start of the fragment.
For a full rundown of what’s new, check out the Chrome 72 milestone hotlist.
Google releases a new version of its browser every six weeks or so. Chrome 73 will arrive by mid-March.