Category Archives: Chrome

Security improvements in Chrome

Google is rolling out some changes to the Chrome web browser that will improve security in several ways. The changes are being spread out across several updates, and exactly when they will arrive on your devices depends on some security-related settings.

Warnings about compromised passwords

When you enter a user ID and password on any web site using Chrome, the browser can check whether that combination is on a list of known-compromised IDs and passwords. Chrome started doing this earlier in 2019, but you had to install the Password Checkup extension to use it. A couple of months ago, Google added this feature to passwords stored in Google accounts, protecting anyone who logs into their Google account in Chrome.

What’s new is that this password protection is now built into Chrome itself, and will now protect all Chrome users by default, regardless of whether they are logged into their Google account.

According to Google, “You can control this feature in the Sync and Google Services section of Chrome Settings.” In my installation of Chrome (version 79.0.3945.88), there’s a new option: Warn you if passwords are exposed in a data breach.

Real-time protection against unsafe sites

Google’s Safe Browsing service provides a continuously-updated list of unsafe sites. When you visit a web site or download a file, Chrome checks the address (URL) against the Safe Browsing list. The list it checks is stored on your computer and is updated every 30 minutes.

Previously, only a local copy of the unsafe URLs list (updated every 30 minutes by Google) was checked. What’s changed is that a new safe URLs list (stored on your computer and updated by Google) is checked, and if the site you’re visiting isn’t listed as safe, Chrome then checks an unsafe URLs list hosted by Google.

This change allows Chrome to use the most up-to-date information when deciding whether to warn you about potentially unsafe sites.

You can control this behaviour in Chrome’s settings: Sync and Google Services > Make searches and browsing better.
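
The lookup order described above, as an added example that is not from the original post or from Chrome's own code: a simplified Python model in which plain host names stand in for list entries, and every host name, timestamp and function name is constructed for illustration. It shows how a site flagged after the last 30-minute sync slips past the old local-only check but is caught by the new flow.

```python
from dataclasses import dataclass, field

SYNC_INTERVAL_MIN = 30  # local list refresh period stated in the post


@dataclass
class SafeBrowsingModel:
    """Simplified model (assumption): plain host names stand in for list entries."""
    server_unsafe: dict = field(default_factory=dict)  # host -> minute it was flagged
    local_safe: set = field(default_factory=set)       # safe list stored on the computer
    remote_lookups: int = 0

    def local_unsafe_snapshot(self, now):
        """Unsafe hosts the local copy knows about: those flagged by the last sync."""
        last_sync = (now // SYNC_INTERVAL_MIN) * SYNC_INTERVAL_MIN
        return {h for h, t in self.server_unsafe.items() if t <= last_sync}

    def old_flow(self, host, now):
        """Previous behaviour: only the local unsafe list is consulted."""
        return "warn" if host in self.local_unsafe_snapshot(now) else "allow"

    def new_flow(self, host, now):
        """New behaviour: local safe list first, then the list hosted by Google."""
        if host in self.local_safe:
            return "allow"  # known-safe site, no remote lookup needed
        self.remote_lookups += 1
        flagged_at = self.server_unsafe.get(host)
        return "warn" if flagged_at is not None and flagged_at <= now else "allow"


def run_demo():
    """Compare both flows at minute 70 (last local sync was at minute 60)."""
    model = SafeBrowsingModel(
        server_unsafe={"old-phish.example": 10, "new-phish.example": 65},  # constructed
        local_safe={"news.example", "mail.example"},                       # constructed
    )
    now = 70
    hosts = ["news.example", "old-phish.example", "new-phish.example", "unknown.example"]
    results = {h: (model.old_flow(h, now), model.new_flow(h, now)) for h in hosts}
    return results, model.remote_lookups


if __name__ == "__main__":
    results, lookups = run_demo()
    for host, (old, new) in results.items():
        print(f"{host:20} old={old:5} new={new}")
    print("remote lookups:", lookups)
```

The trade-off the model makes visible is that every site not on the local safe list now costs one remote lookup, which is why the setting that controls it sits under Sync and Google Services.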

Expanding predictive phishing protection

When you enter a username and password on a web site, Chrome can check whether you are on a suspected phishing site.

Previously, Chrome only performed this check when you entered Google Account credentials on a web site, and only with the Sync feature enabled. What’s new is that Chrome now checks all passwords stored in Chrome’s password manager, and it does so as long as you’re signed into Chrome, even if Sync is not enabled.

It’s not clear whether there are specific Chrome settings that control this behaviour.

Safe to use

In the blog post announcing these changes, Google is careful to explain that the process of checking your passwords is itself completely secure, and even Google can’t determine your password as part of the process. The other checks that involve sending information to Google’s systems are also secure and private. In other words, you don’t need to worry about any of your information or activity being intercepted or misused, even by Google.

Four security fixes in Chrome 77.0.3865.90

Like it or not, Chrome is the web browser that’s taking over the world. I use Chrome sparingly these days, mainly because recent versions have problems playing streaming video reliably, and because it seems to drain system resources more than other browsers — especially on mobile devices.

Still, Chrome has a lot going for it, and it remains a solid alternative to Firefox and the numerous browsers that, like Chrome, are based on the Chromium engine. Google welcomes — and indeed, rewards — vulnerability reports, and they act quickly to fix and release updates for Chrome.

Chrome 77.0.3865.90 includes fixes for four security vulnerabilities, all of which were reported by researchers not employed by Google. The full change log lists a few minor tweaks and obscure bug fixes.

Check your Chrome version and update it to the latest version by clicking the browser’s ‘three vertical dots’ menu button and navigating to Help > About Google Chrome.

Chrome 77.0.3865.75

On September 10, Google released a new version of Chrome that includes fifty-two fixes for security vulnerabilities. The full change log lists almost seventeen thousand changes in all, so I’m going to assume that there’s nothing in there worth mentioning, aside from the security fixes. Presumably, if Google wanted to highlight any of the changes, they’d be outlined in the official release notes for Chrome 77.0.3865.75.

As is often the case with Chrome security vulnerabilities, many of those addressed in Chrome 77.0.3865.75 were discovered and reported by independent security researchers. There’s a list of those fine folks in the release notes, along with the rewards they earned from Google for their work.

To update Chrome, click its ‘three dots’ menu and navigate to Help > About Google Chrome. If there’s a newer version than the one you’re running, you should see an update link.

Chrome 76.0.3809.132

The latest version of Chrome (Google’s browser, not the open source Chromium project upon which it is based) is 76.0.3809.132. The new version provides fixes for three security vulnerabilities, some of which were discovered and reported by independent researchers.

If you love digging into dry technical details, the Chrome change log is for you. The new version’s log is at least brief. A cursory scan shows nothing particularly interesting.

Chrome usually updates itself, albeit somewhat mysteriously, since Google’s update schedule is unclear and possibly varies widely from update to update. Google’s update mechanisms also occasionally stop working — silently. It’s a good idea to check which version you’re running and install a new version if it’s offered on the Help > About Google Chrome dialog (click the ‘three dot’ menu button at the top right of Chrome’s user interface).

Chrome 76.0.3809.100

Google released another version of Chrome a few days ago, and it includes fixes for four security vulnerabilities. The change log is mercifully brief, but there’s also not much there of interest. The announcement for Chrome 76.0.3809.100 gives credit to non-Google security researchers for discovering two of the vulnerabilities.

Check your version of Chrome by navigating its ‘three dot’ menu to Help > About Google Chrome. If an update is available, you can install it from there.

Chrome 76.0.3809.87 – 43 security fixes

On Tuesday, Google released another new version of Chrome: 76.0.3809.87. The announcement highlights sixteen vulnerabilities, discovered by security researchers not employed by Google, that are addressed in the new version. There are forty-three security fixes in all.

Google has chosen not to highlight any other changes in Chrome 76.0.3809.87, so if you want to know whether anything important changed, your only option is to read the thirteen thousand, five hundred and forty-three entries in the full change log. Good luck with that.

Chrome, uh, finds a way to keep itself updated, and fighting against that is a never-ending and ultimately pointless exercise. What you can do is check your version and thereby trigger an immediate update, by navigating Chrome’s ‘three vertical dots’ menu (at the top right) to Help > About Google Chrome. That way you don’t have to wait for Chrome to update itself, which happens “over the coming days/weeks” according to Google.

Chrome 75.0.3770.142

Two security fixes for Chrome were released earlier this week in the form of Chrome version 75.0.3770.142.

The change log for Chrome 75.0.3770.142 lists one hundred and twenty-eight changes in all, but other than the two fixes for security vulnerabilities, none of them are particularly interesting.

By default, Chrome will update itself in the days following a new release. You can encourage it by navigating its ‘three dot’ menu to Help > About Google Chrome, where an option to update will be shown if one is available.

Chrome 75.0.3770.90

The latest Chrome release features a fix for one security vulnerability. There are about forty-five actual changes listed in the full change log, none of which are particularly noteworthy.

There’s not much of interest in the release announcement for Chrome 75.0.3770.90, although it does point out that the vulnerability was discovered and reported by a non-Google researcher.

Unless you’ve gone to the trouble of disabling Google’s persistent automatic update processes, your installation of Chrome will likely update itself over the next few days.

You can check your version and trigger any pending updates by navigating Chrome’s menu (the ‘three-vertical-dots’ button at the top right) to Help > About Google Chrome.

Chrome 75.0.3770.80

A new version of Chrome includes fixes for forty-two security vulnerabilities.

The full log for Chrome 75.0.3770.80 lists over fourteen thousand changes, so good luck reading all that.

Google did not highlight any of the changes in the announcement for Chrome 75.0.3770.80, which only provides this somewhat cryptic message: “Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 75.”

Check your Chrome version by navigating its ‘three vertical dots’ menu icon (at the top right) to Help > About Google Chrome. If an update is available, it will be offered to you.

Chrome 74.0.3729.157

A new version of Chrome fixes a single security bug. Chrome 74.0.3729.157 was announced and made available on May 14, so it may have already found its way to your computer by way of Google’s rather insistent update mechanisms.

If you’re not sure which version of Chrome you’re running, click that little ‘three vertical dots’ menu button at the top right, and navigate to Help > About Google Chrome. Besides showing you the version of your current installation, this will usually prompt Chrome to check for available updates and offer to install a new version.