Google Chrome 115: fixes 20 security vulnerabilities, new side panel tools and HTTP upgrades
Google released a new version of its Chrome web browser to the stable channel today. Google Chrome 115 is a major browser upgrade that fixes 20 different security issues in the browser and introduces new functionality at the same time.
Originally scheduled for last week, Google delayed the release to the stable channel to July 19th, 2023. Most Chrome installations will receive the update automatically over the course of days and weeks.
Users may check the installed version by selecting Menu > Help > About Google Chrome, or by loading chrome://settings/help directly in the browser's address bar. Google Chrome displays the installed version and runs a check for updates when the page is opened on desktop systems.
The following version is the latest and should be displayed after the update is installed on the device:
- Chrome for Linux and macOS: Chrome 115.0.5790.98
- Chrome for Windows: Chrome 115.0.5790.98 or Chrome 115.0.5790.99
Chrome 115: security fixes
Google notes on the official Chrome Releases website that it has patched 20 different security vulnerabilities in Chrome 115.
The company lists just 11 of them on the website, as it keeps internally discovered vulnerabilities under wraps. The severity of the issues ranges from high to low and Google makes no mention of exploits in the wild.
The actual vulnerabilities include user after free issues in components such as WebRTC or Tab Groups, an out of bounds memory access in Mojo, and several "inappropriate implementations".
It is recommended to install the update asap to protect the browser and system from potential exploits.
Chrome 115: the non-security changes
Google Chrome 115 is a big release that includes several new features and changes.
Google Search side panel is one of these new features. It adds Google Search to Chrome's side panel that "allows text-based and visual queries, questions related to the page, and links to more details about the current site" according to Google.
Only a selection of Chrome users will see the new side panel feature in Chrome 115. Google plans to roll out it to the entire population in Chrome 116, which will be released next month.
Administrators may control the feature by configuring the new Enable Google Search Side Panel policy. Google has been working on the Side Search feature in Chrome since at least Chrome 107.
Reading Mode is another side panel feature that is being rolled out starting in Chrome 115. It displays a read-optimized version of articles in the browser's sidebar. Only text and links are displayed in the mode.
Chrome's Reading Mode offers a few customization options at the top, including options to change the font type and size, theme, line height and letter spacing.
Some Chrome users will have their HTTP requests upgraded to HTTPS automatically by the browser. Google notes that Chrome drops back to using HTTP if the site does not support HTTPS. Users shouldn't see any visible effect in Chrome when the browser tries to upgrade the connection or falls back, if that is not possible.
Chrome users may bypass the automatic upgrading by specifying HTTP in the address bar of Chrome specifically or by configuring the Insecure Content setting by loading chrome://settings/content/insecureContent in the address bar.
New "Allow this time" response to certain permission prompts. Currently, Chrome users may select allow or deny for all permission prompts; these selections are permanent in nature, unless erased or changed manually by the user. Starting in Chrome 115, the new "allow this time" permission becomes available for geolocation, camera and microphone permissions.
Google changed the allow and deny options to "allow on every visit" and "don't allow" to improve the description of these choices.
Other changes of importance in Chrome 115:
- 1% of Chrome users who use Quad9Secure DNS (9.9.9.9) will have DNS over HTTPS mode enabled automatically as part of a test. This applies only to machines that have the DnsOverHttpsMode policy set to Automatic. Similarly, Chrome 115 will use DNS over HTTPs automatically for Cox ISP DNS server clients, provided that the policy is set to Automatic.
- Support for Encrypted Client Hello (ECH), an extension for TLS that promises privacy enhancements by encrypting the full handshake to keep all metadata secret.
- A new Enterprise policy, ExtensionUnpublishedAvailability, which defines whether unpublished Chrome extensions will be disabled in Google Chrome.
- Some Apple iOS users may now "use and save bookmarks and reading list items in their Google Account".
- Support for signature algorithms using SHA-1 for server signatures during the TLS handshake is removed in Chrome 115.
- Developers need to enroll "with the Privacy Sandbox". This verifies companies according to google and adds "an additional layer of protection for user privacy".
Chrome developers and web developers may want to check out the New in Chrome 115 post on the Developer website and the Chrome 115 listing on the Chrome Platform Status website for additional information.
Now You: what is your take on these new features?
>”The actual vulnerabilities include user after free issues in components such as WebRTC or Tab Groups, an out of bounds memory access in Mojo, and several ‘inappropriate implementations’.”
So, once again, Google’s genius programmers have made a big batch of coding errors which have caused security vulnerabilities. Just another day at the chocolate factory.
Google is trying to look like that Topics API is less terrible than the earlier FLoC proposal, it’s still ultimately a really great way to track your behavior online through your web browser and provide that data to any site or ad network that requests it.
thx for overview. there are some insteresting new flags regarding the memory-saver too.
ECH:
disable
#encrypted-client-hello
source:
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH#how-to-enable-esni-in-firefox
“it is a work-in-progress design and has not yet seen significant (or really any) security analysis.
it hasn’t been deployed anywhere, besides experiments in firefox and on Cloudflare servers. even when using firefox, ECH will never be used except when connecting to some websites from cloudflare customers.
[important point]
-> enabling ECH will trigger an extra DNS query for every single new hostname, even for hosts that don’t support ECH. Every time a query for a host that doesn’t support is made, an error will be returned (NXDOMAIN).
enabling ECH doesn’t actually do anything unless the website you are connecting to was explicitly configured to support it. This requires TLS 1.3.
as of today, this is not supported anywhere, except on websites cached by cloudflare and participating to the experiment.
Another new feature in Chrome 115 is the Mica effect on the tabstrip:
https://redd.it/15315f6
.
2023: Omg, mica, so kewl !!
2006-2022: Look what they have to do to mimic a fraction of our power (aero glass)
Thanks! :]
Thanks @Martin for the article. :]
only 20? they must have missed all the others .. just another patch day at chromium/chrome, the new adobe flash but more holes than a pastafarian’s hat
it’s a big project… what do you expect? Are there any browsers that don’t have vulnerabilities? How would you even know?
“they must have missed all the others” submit them yourself then! Oh wait, you probably don’t have a clue, and just saying stuff for the sake of it.
PS you’re not gonna get anybody to hate Chrome by comparing it to Flash, i’m sure most who grew up with it have very fond memories of all the flash games.