It’s 2019’s first browser update week with both Google and Mozilla tidying up security features and patching vulnerabilities in Chrome and Firefox for Mac, Windows, and Linux.
But for Chrome security in version 72, it’s more about what’s being taken out than what’s being added.
One of these changes is the deprecation of the obsolete TLS 1.0 and 1.1 protocols, with a view to removing support completely in Chrome 81, scheduled for early next year (Firefox, Microsoft Edge and Apple’s Safari are on the same timetable). For now this affects developers rather than users: Chrome 72 flags TLS 1.0/1.1 connections with a deprecation warning in the DevTools console, but users will still be able to connect to the tiny number of sites that rely on those versions for another year.
However, one standard that is completely banished in Chrome 72 is HTTP-Based Public Key Pinning (HPKP), deprecated from version 67 last May.
An IETF standard (RFC 7469) that let a site tell browsers which public keys must appear in its certificate chain, so that a mis-issued or fraudulent certificate would be rejected, HPKP’s problem wasn’t obsolescence so much as the damage it could do when it went wrong: a mistaken pin set could lock users out of a site for as long as the pins were cached, and an attacker who briefly controlled a site could pin it to keys the owner didn’t hold. Consequently, uptake was low.
Also on the slippery slope is FTP, which Google considers to be a legacy protocol that it’s time to migrate away from. The latest version will render only FTP directory listings; any other FTP resource is downloaded rather than displayed in the browser.
An interesting tweak is the integration of WebAuthn APIs, which let a website ask the browser to register and sign in with a hardware-backed credential, using a FIDO U2F security key or Windows Hello as the authenticator. Although still not defaults – and no major websites offer WebAuthn in anything other than a test state – it’s a necessary stage for enabling this by default in a future release.
Security fixes
Chrome 72 fixes 58 CVE-level flaws, including 17 rated ‘high’ severity and one ‘critical’, identified as CVE-2019-5754 and described simply as an “inappropriate implementation in QUIC Networking.”
Continuing its six-week schedule, the next version, Chrome 73, is due out on 12 March, with version 74 appearing on 23 April.
Part of this update will see Chrome warn users when they visit lookalike URLs meant to resemble popular websites.
Firefox 65
Naked Security has already covered the new content blocking setting added to Firefox 65, but the release also patches seven CVEs, including three marked ‘critical’ and two ‘high’.
The criticals include CVE-2018-18500 (reported by SophosLabs’ researcher Yaniv Frank), described as:
A use-after-free vulnerability that can occur while parsing an HTML5 stream in concert with custom HTML elements.
Also fixed are CVE-2018-18501 and CVE-2018-18502, both memory safety flaws, plus CVE-2018-18504, a memory corruption issue, and CVE-2018-18505, a privilege escalation affecting Inter-process Communication (IPC) authentication.
Continuing the memory theme, the Linux, macOS and Android versions get protection against ‘stack smashing’, the class of buffer overflow in which an attacker overwrites a function’s return address on the stack in order to take control of a browser process.
Tajudeen EJALONIBU
I hope it works as announced such that all the avoidable flaws while browsing in terms of security would be reduced.
Gerald Coffman
I’m not sure if this is relevant
However I got this new LGXVenture last week and as soon as I signed into my Google account 60 percent of my apps were either disabled or force stopped and I can’t re-enable them. Any suggestions?
George Mays, III
I picked up an apparent virus from some website. Sophos Home does not see it. It is a popup virus, keeps saying I have 3 items to get rid of. None of my virus scanners see anything. Mostly pops up in notifications [site name redacted]??
Paul Ducklin
If it’s just a popup dialog on a website that *says* you have viruses (don’t panic, they are almost always listed as “ones your anti-virus didn’t detect”, in order to make the alert sound scarier), then it’s probably not a virus – it’s just a popup that talks about viruses. This is a common trick designed to get click-throughs.
If you’d like to let us know where you found this dishonest popup, please do report it to us:
https://secure2.sophos.com/en-us/support/submit-a-sample.aspx
On this page you can upload suspicious files, report spam and tell us about fraudulent, disingenuous or malware-laden web links.