Google Chrome 118 is a massive security update
Google Chrome 118 is now available. The new version of Google's web browser addresses 20 security issues in the browser, one of which is rated critical, and also introduces new features and changes.
Chrome users may check the installed version by loading chrome://settings/help in the browser's address bar. Selecting Menu > Help > About Google Chrome opens the same page. Chrome lists its version on the page and it runs a check for updates. The new update should be picked up at that point and installed. A restart of the browser is required to complete the process.
The following versions are the latest at the time of writing:
- Chrome for Mac and Linux: 118.0.5993.70
- Chrome for Windows: 118.0.5993.70 and 118.0.5993.71
- Chrome Extended for Mac: 118.0.5993.70
- Chrome Extended for Windows: 118.0.5993.71
- Chrome for Android: 118.0.5993.65
Google Chrome 118
Google informs users on the official Chrome Releases blog that it has patched 20 unique security issues in the Chrome web browser. 14 of those are listed on the page, the remaining six were discovered internally.
The main issue is CVE-2023-5218. It is a critical security issue, an use after free in Site Isolation. The remaining publicly disclosed vulnerabilities have a severity rating of medium or low. They address additional use after free and heap buffer overflow issues, as well as "inappropriate implementations".
Chrome 118 is the first stable version of Google's web browser with Encrypted Client Hello support. Google introduced support in Chrome Canary back in 2022 and has been working on the feature since.
Without going into too many details, Encrypted Client Hello protects the domain name from being leaked to network operators when users open sites and services in the browser. It improves privacy as a consequence, as network operators such as the ISP, do not know anymore which sites a user accesses. One effect of this is that DNS-based blocking is no longer working, provided that the site and server in question support the new technology.
Mozilla introduced support for Encrypted Client Hello in Firefox 118 and most Chromium-based browsers will support the feature soon.
Another security feature gives Google the ability to disable extensions remotely that were not installed from the Chrome Web Store. Enhanced Safe Browsing needs to be enabled in Chrome for this to work and Google claims that it will use the feature only to disable malicious extensions. The disabling may happen manually or through automated detection systems according to Google.
Another Enhanced Safe Browsing change improves the deep scanning functionality. Chrome 118 users may now be prompted to provide the password for an archive file to allow Safe Browsing to analyze it.
Chrome is now also collecting "telemetry information about chrome.tabs API calls made by extensions" if Enhanced Safe Browsing is enabled. The information is analyzed on Google servers to improve the "detection of malicious and policy violating extensions".
Google switched Safe Browsing to real-time checks recently.
Chrome users should update the browser immediately to protect it from attacks that target the patched vulnerabilities. Google plans to release all future Chrome releases a week early, starting with Chrome 119.
And major spelling downgrade… marking correctly spelled common words and suggestions for typos are worse than ever. flag for using windows spellchecker is gone
This is the first I’ve heard of Encrypted Client Hello. I’ve just enabled ECH on both Firefox and Chrome. This is a big privacy plus! Everyone should turn this on.
For Chrome, you have to enable ECH under chrome://flags.
Firefox 118 works on Windows 8.1 if you edit firefox.exe with CFF Explorer
There was also updates to Google Chrome on Windows 7 and 8 (to 109.0.5414.168).
I wonder if Microsoft Edge will follow suit like it did with the WebP exploit in September (to 109.0.1518.140).
As always thank you for the browser updates.
I did not get 109.0.5414.168 update, is there a way to force it or download an offline installer? Thank you.
On my Windows 8.1 Pro laptop, I use Firefox (currently 115.3.1 ESR). I went to Add Remove Programs and noticed that Chrome had auto updated to 109.0.5414.168 on Oct. 11, 2023. I also noticed Edge had been auto updated to 109.0.1518.140 on Sept. 16, 2023 (I assume because of the WebP Exploit).
As we all know security updates for Chromium browsers on Windows 7 and 8.1 systems stopped January of this year… but it seems that Google and Microsoft will patch major browser exploits??
No official word on that, and I don’t know why mine updated and yours did not.
Thank you again for your reply. The only thing I can think of it is that maybe the update works on 8.1 but not in 7. Giving it is security related, I do not understand why Google is not more proactive about it. In the PC affected it still says “To get future Google Chrome updates, you’ll need Windows 10 or later. This computer is using Windows 7”. It should be at least a warning about not getting 109.0.5414.168 if it was available. Anyhow, I will try to find a solution, and report it in this thread if I find it.