Google has released Chrome 70, which addresses several high severity security issues and brings new support for logging in using a device's fingerprint reader.
Google didn’t announce a new Pixelbook with the rumored addition of a fingerprint reader, but it did launch the Pixel Slate, which has a fingerprint reader built into the power button, making it the first Chrome OS device that allows users to unlock the device with a fingerprint.
Chrome 70, launched today, builds on Chrome support for the industry-wide Web Authentication standard, which is designed to let browser users sign into websites and web applications using a fingerprint or face scanned by a device’s biometric sensors. It also supports Bluetooth keys, such as Google’s Titan keys.
Chrome 70 is the first version of Chrome that by default allows users to sign in to a site via a MacBook Pro’s Touch ID fingerprint sensor and fingerprint sensors on an Android device.
Google hasn’t detailed what Chrome support for Web Authentication is available for the Chrome OS Pixel Slate, though it is likely to be supported in some way. The Pixel Slate has a built-in Google Titan chip and Web Authentication supports security keys like Google's Titan keys, which come in a variant that connects via USB and another that connects via Bluetooth.
Chrome 70 also introduces recently announced controls to restrict the behavior of Chrome extensions that users can add from the Chrome Web Store. Users will be able to control which extensions can request permission to read and change site data. In conjunction with the new controls, Google also imposed a ban on obfuscated code within extension packages.
Google will announce further features and improvements in the coming weeks, but in the meantime Chrome users should probably update to Chrome 70 because of the 23 security flaws this version plugs.
The update addresses five high severity flaws, including a sandbox escape in Chrome's AppCache and a remote code execution flaw in Chrome's V8 JavaScript engine.
Google has paid out $22,000 to researchers in this update. The flaws addressed are listed below.
[$N/A] High CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security’s SecuriTeam Secure Disclosure program on 2018-09-25
[$N/A] High CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson and Niklas Baumstark working with Beyond Security’s SecuriTeam Secure Disclosure program on 2018-09-25
[$3500] High CVE to be assigned: Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security on 2018-08-08
[$3000] High CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2018-09-20
[$3000] High CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian on 2018-08-02
[$1000] High CVE-2018-17466: Memory corruption in Angle. Reported by Omair on 2018-09-05
[$3000] Medium CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-19
[$2000] Medium CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2018-08-22
[$1000] Medium CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-09-05
[$1000] Medium CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-08-27
[$1000] Medium CVE-2018-17471: Security UI occlusion in full screen mode. Reported by Lnyas Zhang on 2018-08-10
[$1000] Medium CVE-2018-17472: iframe sandbox escape on iOS. Reported by Jun Kokatsu (@shhnjk) on 2018-03-16
[$500] Medium CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-09-08
[$500] Medium CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-15
[$500] Low CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew on 2018-06-14
[$500] Low CVE-2018-17476: Security UI occlusion in full screen mode. Reported by Khalil Zhani on 2018-02-15
[$500] Low CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by Yannic Bonenberger on 2018-01-24
[$N/A] Low CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton <email@example.com> on 2018-07-14