Chrome Release 102

Google has released the Chrome 102 web browser. At the same time, a stable release of the free Chromium project, on which Chrome is based, is available. Chrome differs from Chromium in its use of Google branding, a crash-reporting system, modules for playing copy-protected (DRM) video content, an automatic update system, Sandbox isolation that is always enabled, bundled keys for the Google API, and the transmission of RLZ parameters when searching. For those who need more time to update, a separate Extended Stable branch is maintained, with updates every 8 weeks. The next release, Chrome 103, is scheduled for June 21.

Key changes in Chrome 102:

  • To block the exploitation of vulnerabilities caused by accessing already freed memory (use-after-free), Chrome has begun using the MiraclePtr type (raw_ptr) in place of ordinary raw pointers. MiraclePtr is a pointer wrapper that performs additional checks on accesses to freed memory regions and crashes the process if such an access is detected. The impact of the new protection on performance and memory consumption is estimated to be negligible. MiraclePtr is not applied in every process (in particular, it is not used in renderer processes), but it can still significantly improve security: for example, 12 of the 32 vulnerabilities fixed in the current release were use-after-free issues.
  • The design of the interface with download information has been changed. Instead of the bar at the bottom of the window showing download progress, a new indicator has been added to the toolbar next to the address bar; clicking it shows the progress of current downloads and a history of already downloaded files. Unlike the bottom bar, the button is always shown on the toolbar and gives quick access to the download history. The new interface is so far offered by default only to some users and will be rolled out to everyone if no problems arise. The "chrome://flags#download-bubble" setting can be used to return the old interface or enable the new one.
  • When searching for images through the context menu ("Search image with Google Lens" or "Find through Google Lens"), the results are now shown not on a separate page, but in a sidebar next to the content of the original page (in one window, you can simultaneously see both the content of the page, and the result of a call to a search engine).
  • A "Privacy Guide" section has been added to the "Privacy and Security" section of the settings. It provides an overview of the main settings that affect privacy, with detailed explanations of the impact of each setting. For example, in this section you can define a policy for sending data to Google services and manage synchronization, cookie handling and history saving. The function is offered to some users; the "chrome://flags#privacy-guide" setting can be used to activate it.
  • Search history and viewed pages are now grouped. When you try to search again, a "Resume your journey" hint is shown in the address bar, allowing you to continue the search from where it was last interrupted.
  • The Chrome Web Store has an Extensions Starter Kit page with an initial selection of recommended add-ons.
  • In test mode, when a page accesses a resource on the internal network (192.168.x.x, 10.x.x.x, 172.16.x.x) or on localhost (127.x.x.x), the browser now sends a CORS (Cross-Origin Resource Sharing) authorization request carrying the "Access-Control-Request-Private-Network: true" header to the server being accessed. To confirm the operation, the server should respond with the "Access-Control-Allow-Private-Network: true" header. In Chrome 102 the result of this confirmation does not yet affect the processing of the request: if confirmation is absent, a warning is printed to the web console, but the subresource request itself is not blocked. Blocking in the absence of server confirmation is expected no earlier than Chrome 105. To enable blocking in earlier releases, turn on the "chrome://flags/#private-network-access-respect-preflight-results" setting.

    Server-side validation was introduced to strengthen protection against attacks that access resources on the local network or on the user's computer (localhost) from scripts loaded when a site is opened. Such requests are used by attackers to carry out CSRF attacks on routers, access points, printers, corporate web interfaces, and other devices and services that accept requests only from the local network. To protect against such attacks, whenever subresources on the internal network are accessed, the browser sends an explicit request for permission to load these subresources.

  • When opening links in incognito mode through the context menu, some parameters that affect privacy are automatically removed from the URL.
  • Changed update delivery strategy for Windows and Android. To better compare the behavior of the new and old releases, multiple builds of the new version are now generated for download.
  • The network partitioning technology that protects against tracking user movements between sites by storing identifiers in areas not intended for persistent storage ("supercookies") has been stabilized. Because cached resources are stored in a common namespace regardless of the origin domain, one site can determine whether a resource has been loaded by another site by checking whether it is in the cache. The protection is based on Network Partitioning: entries in the shared caches are additionally bound to the domain from which the main page was opened, which limits the cache visible to tracking scripts to the current site (a script in an iframe cannot check whether a resource was loaded from another site). State separation covers network connections (HTTP/1, HTTP/2, HTTP/3, WebSocket), the DNS cache, ALPN/HTTP2 and TLS/HTTP3 data, configuration, downloads, and information in the Expect-CT header.
  • For installed stand-alone web applications (PWA, Progressive Web App), the Window Controls Overlay components allow the window title area to be customized, expanding the web application's screen area to the entire window. The web application controls rendering and input handling across the whole window, except for the overlaid block with the standard window control buttons (close, minimize, maximize), which gives the web application the look of a regular desktop application.
  • Added support for generating virtual credit card numbers in the fields with payment details in online stores in the form autofill system. Using a virtual card, the number of which is generated for each payment, allows you not to transfer data about a real credit card, but requires the provision of the necessary service by the bank. Currently, the function can only be used by customers of certain US banks. To control the activation of the function, the setting "chrome://flags/#autofill-enable-virtual-card" is proposed.
  • The "Capture Handle" mechanism is activated by default, allowing you to transfer information to applications that capture video. The API makes it possible to organize the interaction between applications whose content is being recorded and applications that are recording. For example, a video conferencing application that captures video for broadcasting a presentation can obtain information about the presentation controls and display them in the video window.
  • Speculation Rules support is enabled by default, providing a flexible syntax for determining which link targets may be loaded proactively before the user clicks the link.
  • The mechanism for packaging resources into packages in the Web Bundle format has been stabilized, which makes it possible to increase the efficiency of loading a large number of related files (CSS styles, JavaScript, images, iframes). Unlike packages in the Webpack format, the Web Bundle format has the following advantages: not the package itself, but its component parts, are stored in the HTTP cache; compilation and execution of JavaScript starts without waiting for the complete download of the package; it is allowed to include additional resources, such as CSS and images, which in webpack should have been encoded in the form of JavaScript strings.
  • Provided the ability to define a PWA application as a handler for certain MIME types and file extensions. Once the binding is defined via the file_handlers field in the manifest, the application will receive a special event when the user tries to open the file associated with the application.
  • A new inert attribute has been added that allows part of the DOM tree to be marked as "inactive". For DOM nodes in this state, text selection and hover handlers are disabled, i.e. the pointer-events and user-select CSS properties are effectively always 'none'. If the node was editable, it becomes uneditable in inert mode.
  • The Navigation API has been added to allow web applications to intercept navigation operations in a window, initiate a transition, and parse the application's activity history. The API provides an alternative to the window.history and window.location properties that is optimized for single page web applications.
  • A new "until-found" value has been proposed for the "hidden" attribute; it keeps the element discoverable by find-in-page and scrolls it into view when matching text is found. For example, collapsed text can be added to the page whose content is still found by the browser's local search.
  • The WebHID API, designed for low-level access to HID devices (Human Interface Devices: keyboards, mice, gamepads, touch panels) without specific drivers in the system, gained an exclusionFilters property in the options object passed to requestDevice(), which excludes certain devices from the list of available devices the browser displays. For example, device IDs with known problems can be excluded.
  • Displaying the payment form via the PaymentRequest.show() call is prohibited without an explicit user action, such as clicking on the element associated with the handler.
  • Support for an alternative implementation of SDP (Session Description Protocol), used to establish WebRTC sessions, has been dropped. Chrome offered two SDP variants: one unified with other browsers and one specific to Chrome. From now on only the unified version remains.
  • Improvements have been made to the tools for web developers. Buttons have been added to the Styles panel to simulate dark and light themes. Protection of the Preview tab in network inspection mode has been strengthened (Content Security Policy is now applied). The debugger implements script completion to reload breakpoints. A preliminary implementation of the new "Performance insights" panel is offered, which allows the performance of particular operations on the page to be analyzed.
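
The Private Network Access preflight described in the bullet on CORS requests to internal addresses, modelled end to end as an added example (this is not Chrome's or any project's code). Both sides are shown: the browser building the preflight, a device's web server deciding whether to grant it, and the browser's warn-versus-block decision. The origins, the target URL and the server's allowlist are constructed; the 172.16.x.x range is checked as the full 172.16.0.0/12 block it belongs to.

```javascript
// Added example (not Chrome's or any project's code): a model of the Private Network
// Access preflight. Origins, URLs and the allowlist are constructed.

// Address ranges the text names as "internal network" plus loopback. 172.16.x.x is
// the start of the 172.16.0.0/12 block, so the check uses the full prefix length.
const PRIVATE_RANGES = [
  { prefix: '10.0.0.0', bits: 8 },
  { prefix: '172.16.0.0', bits: 12 },
  { prefix: '192.168.0.0', bits: 16 },
  { prefix: '127.0.0.0', bits: 8 }, // loopback (localhost)
];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or null.
function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const nums = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : -1));
  if (nums.some((n) => n < 0 || n > 255)) return null;
  return ((nums[0] << 24) | (nums[1] << 16) | (nums[2] << 8) | nums[3]) >>> 0;
}

// True when the host is localhost or an IPv4 address inside one of the ranges above.
function isPrivateAddress(host) {
  if (host === 'localhost') return true;
  const addr = ipToInt(host);
  if (addr === null) return false;
  return PRIVATE_RANGES.some(({ prefix, bits }) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipToInt(prefix) & mask) >>> 0);
  });
}

// Browser side: the preflight a page at `pageOrigin` sends before fetching `targetUrl`.
// Returns null when the target is not on a private network (no PNA preflight needed).
function buildPreflight(pageOrigin, targetUrl, method = 'GET') {
  const url = new URL(targetUrl);
  if (!isPrivateAddress(url.hostname)) return null;
  return {
    method: 'OPTIONS',
    path: url.pathname,
    headers: {
      'Origin': pageOrigin,
      'Access-Control-Request-Method': method,
      'Access-Control-Request-Private-Network': 'true',
    },
  };
}

// Server side (say, a router's admin UI): answer the preflight. Only origins on the
// constructed allowlist are granted Access-Control-Allow-Private-Network.
const ALLOWED_ORIGINS = new Set(['https://dashboard.example']); // constructed

function answerPreflight(reqHeaders) {
  const origin = reqHeaders['Origin'];
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': reqHeaders['Access-Control-Request-Method'] || 'GET',
    'Vary': 'Origin',
  };
  if (reqHeaders['Access-Control-Request-Private-Network'] === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Browser side: what happens to the real request. With `enforce` false (the Chrome 102
// default per the text) a missing grant only produces a console warning; with it true
// (the flag, or Chrome 105 and later) the subresource request is blocked.
function evaluatePreflight(resp, pageOrigin, { enforce }) {
  const granted =
    resp.status >= 200 && resp.status < 300 &&
    resp.headers['Access-Control-Allow-Origin'] === pageOrigin &&
    resp.headers['Access-Control-Allow-Private-Network'] === 'true';
  if (granted) return 'allow';
  return enforce ? 'block' : 'warn';
}
```

The server-side rule is the part a device vendor controls: respond with the private-network grant only for origins you trust, and never reflect an arbitrary Origin, otherwise the preflight adds nothing over the pre-PNA situation.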
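
The cache-probing technique and the Network Partitioning defence from the bullet on "supercookies", as an added example that is not Chrome's code: a toy HTTP cache whose key is either the URL alone or the URL bound to the top-level site, as the text describes. Site names and the probed URL are constructed; the real browser cache is far more elaborate, but the keying decision is the whole point.

```javascript
// Added example (not Chrome's code): a toy HTTP cache that shows why binding cache
// entries to the top-level site defeats a cross-site cache probe. Site names and
// the probed URL are constructed.

class ToyHttpCache {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }

  // Unpartitioned: the key is the URL alone, so every site shares one namespace.
  // Partitioned: the key also carries the site open in the top-level frame when
  // the resource was fetched, which is what the text describes.
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite}|${url}` : url;
  }

  // Simulated fetch from a document whose top-level site is `topLevelSite`.
  // Reports whether the response came from the cache (a real tracker would infer
  // this from load timing); on a miss the entry is stored.
  fetch(topLevelSite, url) {
    const k = this.key(topLevelSite, url);
    if (this.entries.has(k)) return { fromCache: true };
    this.entries.set(k, { cachedAt: Date.now() });
    return { fromCache: false };
  }
}

// Scenario: the user visits bank.example, which loads its logo. Later a tracking
// script running under tracker.example (e.g. inside an iframe) requests the same
// URL and observes whether it was a cache hit. Returns true if the visit leaks.
function visitLeaksThroughCache(partitioned) {
  const cache = new ToyHttpCache({ partitioned });
  const probeUrl = 'https://bank.example/static/logo.png'; // constructed
  cache.fetch('https://bank.example', probeUrl);            // legitimate visit
  return cache.fetch('https://tracker.example', probeUrl).fromCache;
}

// Partitioning does not cost same-site caching: a second load from the same
// top-level site is still served from the cache.
function sameSiteStillCached() {
  const cache = new ToyHttpCache({ partitioned: true });
  const url = 'https://bank.example/static/app.css'; // constructed
  cache.fetch('https://bank.example', url);
  return cache.fetch('https://bank.example', url).fromCache;
}
```

Running `visitLeaksThroughCache(false)` reproduces the leak, `visitLeaksThroughCache(true)` shows the probe always missing once entries are keyed by top-level site, and `sameSiteStillCached()` shows that the defence does not remove caching for the site that legitimately loaded the resource.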
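
Using the new exclusionFilters option from the WebHID bullet, as an added example (not Chrome's or any project's code). The real `navigator.hid.requestDevice()` call is shown guarded so the file also loads outside a browser, alongside a small model of how the chooser narrows its list so the behaviour can be exercised offline. The vendor and product IDs are constructed placeholders, not real devices, and the model only handles vendorId and productId (real HID filters also accept usagePage and usage).

```javascript
// Added example (not Chrome's or any project's code): exclusionFilters in
// navigator.hid.requestDevice(), plus a model of the chooser's filtering. IDs are
// constructed placeholders; the model ignores usagePage/usage for brevity.

// A filter matches a device when every property the filter specifies is equal.
function hidFilterMatches(filter, device) {
  return Object.entries(filter).every(([prop, value]) => device[prop] === value);
}

// Chooser model: keep devices matching at least one entry of `filters` (an empty
// list matches everything), then drop any device matching any exclusion filter.
function chooserCandidates(devices, { filters = [], exclusionFilters = [] } = {}) {
  return devices
    .filter((d) => filters.length === 0 || filters.some((f) => hidFilterMatches(f, d)))
    .filter((d) => !exclusionFilters.some((f) => hidFilterMatches(f, d)));
}

// Constructed: a vendor's product line, one model of which is known to misbehave.
const EXAMPLE_VENDOR = 0xabcd; // constructed placeholder vendor ID
const KNOWN_PROBLEM_DEVICES = [{ vendorId: EXAMPLE_VENDOR, productId: 0x0002 }];

// Real call, usable only in a browser exposing WebHID with exclusionFilters support
// (Chrome 102 per the text). The excluded model never appears in the chooser dialog.
async function requestVendorDevice() {
  if (typeof navigator === 'undefined' || !navigator.hid) {
    throw new Error('WebHID is not available in this environment');
  }
  const [device] = await navigator.hid.requestDevice({
    filters: [{ vendorId: EXAMPLE_VENDOR }],
    exclusionFilters: KNOWN_PROBLEM_DEVICES,
  });
  return device; // undefined when the user cancels the chooser
}

// Constructed inventory to exercise the model offline.
const SAMPLE_DEVICES = [
  { productName: 'Pad A', vendorId: 0xabcd, productId: 0x0001 },
  { productName: 'Pad B (problematic)', vendorId: 0xabcd, productId: 0x0002 },
  { productName: 'Other vendor', vendorId: 0x0123, productId: 0x0001 },
];

// Names the chooser would offer for the same options requestVendorDevice() uses.
function exampleChooserList() {
  return chooserCandidates(SAMPLE_DEVICES, {
    filters: [{ vendorId: EXAMPLE_VENDOR }],
    exclusionFilters: KNOWN_PROBLEM_DEVICES,
  }).map((d) => d.productName);
}
```

With these options the user is offered only "Pad A": the other vendor fails the positive filter and the problematic model is removed by the exclusion filter, so the site never has to handle a device it already knows it cannot drive correctly.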

In addition to new features and bug fixes, 32 vulnerabilities have been fixed in the new version. Many of them were identified with the automated testing tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. One of the issues (CVE-2022-1853) was assigned a critical severity level, meaning it allows all browser protection layers to be bypassed and code to be executed on the system outside the sandbox environment. Details of this vulnerability have not yet been disclosed; it is only known to be caused by accessing a freed memory block (use-after-free) in the implementation of the Indexed DB API.

As part of the vulnerability bounty program for the current release, Google paid 24 awards worth $65600 (one $10000 award, one $7500 award, two $7000 awards, three $5000 awards, four $3000 awards, two $2000 awards, two $1000 and two $500 bonuses). The amount of 7 rewards has not yet been determined.

Source: opennet.ru
