Credit: ID 31591162 © Milo827 | Dreamstime.com
Google will pay out at least $59,000 to researchers for reporting dozens of security bugs found in Chrome version 70 and prior.
Google has released the stable version of Chrome 71 for Windows, Mac and Linux with 43 security fixes, including a patch for Site Isolation, an important feature for minimizing the risk of malicious websites using the Spectre flaws affecting CPUs from Intel, AMD, Arm and others.
Chrome 71 expands Google’s move against sites with “abusive experiences” that pushed Chrome users to sites they don’t want to visit. Previous approaches included a pop-up blocker and restricting autoplay videos, while last year’s efforts aimed to prevent surprise redirects through links and buttons on a site.
Chrome 71 closes an apparent loophole in its Google’s previous clampdown by removing all ads on the fraction of sites with “persistent abusive experiences”.
Google was targeting ads of the type commonly used by tech support scams, such as ads displaying system warnings and bogus “close” buttons. Google decided to tackle ads after discovering that nearly all of the abusive experiences it was missing to date relied on bad ads.
Chrome 71 also cracks down on vague information available when users are inputting information on subscription pages. In November Google said millions of Chrome users see mobile pages with poor information about subscriptions.
As of this version, Chrome will show a warning before users enter a page where billing information is required. The warnings target pages that allow users to subscribe by typing in their phone number, resulting in charges to the user’s mobile subscription.
The latest version of Chrome also fixes 13 high severity flaws in Chrome 70 and earlier, including bugs that affect the browser’s V8 JavaScript engine, its PDF engine, and the Blink rendering engine.
The highest single payout was made for a medium seventy issue concerning “inappropriate implementation in Site Isolation”.
Site Isolation was one of the key Chrome mitigations for JavaScript threats posed by the Spectre CPU side channel flaws, which could allow an attacker to leak information from one tab to another by accessing memory that should be isolated. It was introduced in Chrome 67. Browsers were potentially exposed because they can run JavaScript from several websites in the same process.