Google Chrome 114 closes 16 security issues and improves security
Google has released a new version of its web browser today. Google Chrome 114 is the latest stable version of the browser for desktop operating systems and Android. It patches 16 security issues according to the official announcement on the Chrome releases blog.
Google reveals information about 13 of the 16 vulnerabilities only: 8 security issues have a severity rating of high, 4 a rating of medium and one a low rating. The remaining security issues are not published publicly, as they have been found internally by Google.
Google makes no mention of exploits that are out in the wild already. While that may be reassuring, it is still recommended to update Chrome to version 114 quickly to close the security vulnerabilities.
Google addressed an out of bounds write in Swiftshader, several use after free in components such as Extensions and PDF, type confusion issues in V8, and another out of bounds memory access issue in Mojo.
How to update Google Chrome
Chrome users who run the browser on desktop systems may update the browser by loading chrome://settings/help in the address bar or by selecting Menu > Help > About Google Chrome.
The installed version is displayed on the page and a check for updates is performed. The browser will download any update that it finds to install it. A restart of the web browser is required to complete the update.
One of the following versions should be listed on the page after the installation of the update:
- Linux and Mac: Chrome 114.0.5735.90
- Windows: Chrome 114.0.5735.90 or Chrome 114.0.5735.91
- Android: 114.0.5735.57 or 114.0.5735.8
- Windows (Extended Stable) : 114.0.5735.91
- Mac (Extended Stable): : 114.0.5735.90
Google Chrome 114: non-security changes
Google Chrome 114 is a new major version of the web browser. The Chrome Enterprise and Education release notes provide information on new features that found their way into the web browser.
One of the main changes in Chrome 114 for Android, ChromeOS and Linux is the switch from using the operating system's certificate store to Chrome's own certificate store. This brings Chrome on these three systems in line with Chrome on Windows and Mac, which were switched already.
Administrators may configure the policy ChromeRootStoreEnabled to prevent the migration from happening at this stage. The policy will be removed in Chrome 120. The policy is no longer available for Mac and Windows devices.
Google lists support for the Private State Tokens API, formerly known as Trust Tokens, as another feature that has been integrated into the browser.
"The Private State Token API is a new API for propagating user signals across sites, without using cross-site persistent identifiers like third party cookies for anti-fraud purposes" writes Google in a support document. Current anti-fraud techniques that rely on third-party cookies will stop working once support ends in Chrome. Google announced recently that it will drop support for third-party cookies in 2024 in Chrome.
Google has released an article for developers that explains the functionality. Broken down to its core, the new API may be used to use trust tokens on different sites so that users do not have to regain trust, e.g., through captchas.
Google has implemented a security feature in Chrome 114 for Windows that protects cookie files on disk against unauthorized access.
Here is a quick overview of other changes:
- Old tabs are grouped under Inactive Tabs in the Tab grid on iPhone and iPad.
- Chrome's password manager is now called Google Password Manager. Google lists three new features:
- grouping of similar passwords.
- improved checkup flow.
- password manager shortcut can be added to the desktop.
- Improved password checking on iOS to find out if passwords are considered unsafe.
- Improved editing of notes in the new Google Password Manager.
- Test of a new Bookmarks side panel experience in Chrome that supports filtering, sorting and editing.
- Chrome's Safe Browsing feature, if set to Standard or Enhanced, will recursively unpack downloads of nested archives now to improve protection against malware that uses nested archives.
- Chrome settings synced on iOS or Android are kept separate from local Chrome settings, which were set when sync was off.
- Chrome on iOS supports opening multiple tabs that were open recently on Android.
Now You: what is your take on these new features?
The solved security issues shouldn’t be announced in this way, because hackers will use their force to attack in other potential sites, instead losing their time trying to do bad things using the now old solved exploits. Don’t say to your enemy what you are doing to protect your own house.
@John G.
My Momma taught me “Don’t volunteer information”.
@Tachy, good wise words by your mother indeed.
@Iron Heart–“Actually no, Firefox has nominally (not actually) fewer vulnerabilities because it’s a less attractive target and thus less attacked.”
ITPro provides a different view: “Hackers are lazy. They will always go for the easier option, which applies just as much to their choice of victims as it does to what methods they use to attack them. No hacker will use a finely crafted zero-day if they can use a set of unchanged default credentials instead, and similarly, when presented with two potential targets, the less well-defended one will always be the first choice.”
In a Forbes article, Adrian Taylor from the Google Chrome Security Team explained that zero-day attacks are due to “the dramatic rise in the popularity of Chrome and Chromium-based browsers, are also key factors. In short: they have a much bigger target on their back.”
Sounds more to me that Google is patting itself on the back for being a tangentially preferred browser both to use and to hack.
Both Firefox and Chrome developers do well in closing security issues; what to say?
>”when presented with two potential targets, the less well-defended one will always be the first choice”
And what most people don’t understand is that it doesn’t take the criminal hacker groups any extra effort to test their exploits against all browsers. They would be just as happy to exploit a browser with one-half of one percent share, like Brave, as compared to a browser with 7.69 percent share like Firefox or 5.83 percent share like Edge or 77 percent share like Chrome (citation – Kinsta Global Desktop Browser Market Share for 2023). In fact, we know this is true because the crime groups are still actively exploiting users of Internet Explorer with its 2.15 percent share – and why are they exploiting it? Because it’s easier, like you said.
@VioletMoon
Firefox being easier to exploit would not make up for its lack of popularity. How many people do you ultimately catch by exploiting Firefox? …
Number of exploits is often primarily an indication of popularity, not of code quality. Hence why it’s not used as a metric to determine security by anyone except the amateurs and hobbyists writing here.
Logic would dictate that these 16 security issues were created by an ealier update, unless of course the browser has an unlimited number of them.
Anyways, why have I never seen the headline “Chome version xxx introduces xx security issues and reduces security”?
I want to read about how these issues are created.
only 16? They have clearly missed all the others
They did and just released another update yesterday.June 5. Below from the Chrome Releases blog.
“The Stable and extended stable channels has been updated to 114.0.5735.106 for Mac and Linux and 114.0.5735.110 for Windows, which will roll out over the coming days/weeks.
High CVE-2023-3079: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2023-06-01
Google is aware that an exploit for CVE-2023-3079 exists in the wild.”
You are correct, these errors have probably been in the code for quite a long time before they were discovered, going back many versions. Google coders seem to make a lot of these types of errors, far more than Mozilla’s. This is one main reason Mozilla is writing a lot of new Firefox code in the memory safe Rust programming language, to avoid these same types of errors, vulnerabilities and exploits.
> Google coders seem to make a lot of these types of errors, far more than Mozilla’s. This is one main reason Mozilla is writing a lot of new Firefox code in the memory safe Rust programming language, to avoid these same types of errors, vulnerabilities and exploits.
Actually no, Firefox has nominally (not actually) fewer vulnerabilities because it’s a less attractive target and thus less attacked. It doesn’t even have proper site isolation, and only minor parts of it are written in Rust. And yet, you are here spewing the same nonsense every single week. The question is why…
@upp
> Stop you fucking liar, don’t talk shit about things you don’t even know.
LOL, you call me a liar but you have zero tangible proof that Firefox is supposedly more secure than Chromium. You can start showing me your proof by refuting the well-known madaidan article point by point. Good luck with that.
PS: I am aware of your fanboying in favor of Firefox, so not surprised in the least about that insulting comment of yours.
For me having the chrome root store is an heresy, i preferred it when he followed the os one.
Chrome 114 restores the flag that allows you to disable tab previews (the images that accompany the hover cards):
https://redd.it/13w05pr
This version also restores the feature that lets you set Chrome as the default browser on Windows with a single click:
https://twitter.com/Leopeva64/status/1663666129494069249?s=20
A month ago a cumulative update broke this feature in Windows and Google had to disable it.
Hello @Leopeva64, I have read you also in some comments on other main sites! Happy to see you here again! :]