Google this week issued Chrome 63 for Windows, macOS and Linux, adding important security enhancements for enterprises and underscoring the importance the company now puts on the commercial market.
“Starting with [this] release, Site Isolation is now available … [which] renders content for each open website in a separate process, isolated from other websites. This can mean even stronger security boundaries between websites than Chrome’s existing sandboxing technology,” wrote Matt Blumberg, product manager for Chrome, in a post to a company blog.
Chrome updates in the background, so most users can simply relaunch the browser to get the latest version. To manually manage an update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right. The ensuing page either shows the browser has been updated or displays the download-upgrade process before presenting a “Relaunch” button. New to Chrome? It can be downloaded from this Google site.
The Mountain View, Calif. company updates Chrome every six to seven weeks; the last time it upgraded the browser, to version 63, was Oct. 17, or seven weeks before its Wednesday refresh.
The most prominent of the new enterprise security enhancements is the Site Isolation feature Blumberg discussed. When enabled, the feature and its underlying technologies render each open website in a separate, dedicated process, isolating that site – and more importantly, its contents – from other sites. A major step up from Chrome’s existing per-tab process assignments, Site Isolation prevents remote code that manages to execute within Chrome’s renderer sandbox from manipulating other sites, and the code within them.
The new quarantine is more rigid than Chrome’s current sandboxing. According to Google, while Chrome now “makes an effort to place pages from different websites in different renderer processes when possible,” that doesn’t always happen. Site Isolation guarantees that each site is separated from all others.
It also comes at a price: Google acknowledged that turning on Site Isolation will increase Chrome’s memory usage up to 20%, a tough penalty when users already bemoan the browser’s voracious appetite.
Site Isolation can be enabled for all sites, or for just a select few – a company’s intranet, for example, or other internal websites that hold the most sensitive information, such as customer data, and are thus the most valuable to hackers.
Windows GPOs – Group Policy Objects – can be set by administrators and then pushed to those workers running Chrome. Command-line flags can also be used on individual machines or for IT testing prior to wider deployment via group policies. Instructions are available here.
Google isn’t the only browser maker trumpeting isolation technologies. Chrome may have led the way to multiple processes – it debuted in 2008 with that architecture in place – and has historically been the most difficult of the major browsers to crack and hack, but Microsoft has expended time and money on its Edge browser, too. The latest move by Microsoft – Application Guard, baked into Windows 10 – isolates Edge in a bare-bones virtual machine, something Google cannot duplicate.
Also on the Chrome 63 change list: GPOs that IT staff can set to bar Chrome extensions by the privileges they demand. For example, the new policies could be used to ensure users don’t install any add-on that can capture audio through a device’s microphone or access the company’s printers. The upgrade also turns on TLS (Transport Layer Security) 1.3, a more robust encryption standard, when Chrome connects to gmail.com. Blumberg promised that TLS 1.3 support would expand “to the broader web” in 2018.
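The article names two enterprise controls without showing how an administrator would verify them: Site Isolation (set for all sites, or only for chosen origins, via GPO or command-line flag) and the new extension-permission blocking policy. The small audit script below is an added example written for this page, not Google's or Chromium's own tooling. The flag names `--site-per-process` and `--isolate-origins`, and the policy names `SitePerProcess`, `IsolateOrigins` and `ExtensionSettings` with its `blocked_permissions` list, are real Chrome identifiers; the policy values, the sample command line, the sample extension manifest and the `audit_chrome_policy` / `blocked_extension_permissions` helper functions are constructed for illustration.

```python
"""Audit Chrome enterprise settings for the Chrome 63 hardening controls.

Added example for this article; not part of Chrome. It inspects three inputs an
admin already has at hand: the browser command line (from a test machine), the
effective policy set (as exported from chrome://policy, or the values written to
HKLM\\Software\\Policies\\Google\\Chrome by a GPO), and an extension manifest.
"""
import shlex

SITE_PER_PROCESS_FLAG = "--site-per-process"   # real flag: isolate every site
ISOLATE_ORIGINS_FLAG = "--isolate-origins"     # real flag: isolate listed origins only


def _split_origins(value: str) -> list:
    """Split a comma-separated origin list, dropping blanks and whitespace."""
    return [o.strip() for o in value.split(",") if o.strip()]


def site_isolation_from_flags(cmdline: str) -> dict:
    """Report isolation mode ('all', 'partial' or 'none') from a command line."""
    report = {"mode": "none", "origins": []}
    for arg in shlex.split(cmdline):
        if arg == SITE_PER_PROCESS_FLAG:
            report["mode"] = "all"
        elif arg.startswith(ISOLATE_ORIGINS_FLAG + "="):
            report["origins"] = _split_origins(arg.split("=", 1)[1])
            if report["mode"] != "all":      # --site-per-process wins
                report["mode"] = "partial"
    return report


def site_isolation_from_policy(policy: dict) -> dict:
    """Same report, derived from the SitePerProcess / IsolateOrigins policies."""
    report = {"mode": "none", "origins": []}
    if policy.get("SitePerProcess") is True:
        report["mode"] = "all"
    origins = policy.get("IsolateOrigins")
    if isinstance(origins, str) and origins.strip():
        report["origins"] = _split_origins(origins)
        if report["mode"] != "all":
            report["mode"] = "partial"
    return report


def blocked_extension_permissions(policy: dict, manifest: dict) -> list:
    """Return the manifest permissions that ExtensionSettings would refuse.

    The '*' entry is the default for every extension; a per-extension entry
    (keyed by extension ID) replaces that default for its own ID.
    """
    settings = policy.get("ExtensionSettings", {})
    ext_id = manifest.get("id", "")
    rules = settings.get(ext_id, settings.get("*", {}))
    blocked = set(rules.get("blocked_permissions", []))
    requested = set(manifest.get("permissions", []))
    return sorted(requested & blocked)


def audit_chrome_policy(policy: dict, cmdline: str, manifest: dict) -> dict:
    """Combine the checks into one findings list an admin can act on."""
    findings = []
    flags = site_isolation_from_flags(cmdline)
    pol = site_isolation_from_policy(policy)
    effective = "all" if "all" in (flags["mode"], pol["mode"]) else (
        "partial" if "partial" in (flags["mode"], pol["mode"]) else "none")
    if effective == "none":
        findings.append("Site Isolation is not enabled by flag or policy")
    elif effective == "partial":
        findings.append("Site Isolation covers only: "
                        + ", ".join(sorted(set(flags["origins"] + pol["origins"]))))
    denied = blocked_extension_permissions(policy, manifest)
    if denied:
        findings.append("Extension %s blocked for permissions: %s"
                        % (manifest.get("id", "?"), ", ".join(denied)))
    return {"site_isolation": effective, "findings": findings}


# Constructed sample inputs (not from the article or from any real deployment).
SAMPLE_POLICY = {
    "IsolateOrigins": "https://intranet.example.com, https://hr.example.com",
    "ExtensionSettings": {"*": {"blocked_permissions": ["audioCapture"]}},
}
SAMPLE_CMDLINE = "chrome.exe --no-first-run"
SAMPLE_MANIFEST = {"id": "aaaabbbbccccddddeeeeffffgggghhhh",
                   "permissions": ["storage", "audioCapture"]}

if __name__ == "__main__":
    for line in audit_chrome_policy(SAMPLE_POLICY, SAMPLE_CMDLINE,
                                    SAMPLE_MANIFEST)["findings"]:
        print(line)
```

The point of reporting `partial` separately is the article's own caveat: isolating only a handful of internal origins keeps the memory cost down, but it also means every other site still shares the older per-tab process model, so the audit should say which origins are actually covered rather than a bare yes/no.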
Blumberg also issued one of Google’s periodic advance warnings about future moves meant for Chrome, telling users that come version 68 – slated to ship the week of July 22-28, 2018 – Google will start blocking third-party software from injecting code into Chrome on Windows. Antivirus (AV) applications in particular use code-injection, a now-disparaged technique because of stability issues and vulnerability to hackers’ attacks, to monitor browsers for possible infection.
With version 68, Chrome will block injection except where doing so would crash the browser; in that case the software will be allowed to run so that Chrome can launch and display a message advising the user to remove the culprit. When Chrome 72 launches in early 2019, all code injection will be stymied. However, recognizing that enterprises may be wedded to such software, and unable to abandon those programs or find substitutes, Google plans to introduce GPOs that “offer admins extended support for critical apps” requiring code injection.
Included in Chrome 63 are patches for 37 security flaws, one of which was rated “Critical,” Google’s most-serious, and rare, ranking. That bug’s finder was awarded $10,500 for his report, with more than $36,000 in bounties paid to security researchers for the remaining vulnerabilities.
The next upgrade, Chrome 64, should reach users the week of Jan. 21-27, 2018, according to Google’s release calendar.