Wednesday, December 6, 2017

Stable Channel Update for Desktop

The Chrome team is delighted to announce the promotion of Chrome 63 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.


Chrome 63.0.3239.84 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 63.


Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 37 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.


[$10500][778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26
[$6337][762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-09-06
[$5000][763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11
[$5000][765921] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16
[$5000][770148] High CVE-2017-15411: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
[$3500][727039] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27
[$500][766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan(@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19
[$3337][765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
[$2500][779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28
[$2000][699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia . Reported by Max May on 2017-03-07
[$1000][765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15
[$1000][780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31
[$500][777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23
[$TBD][774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
[$500][780484] Medium CVE-2017-15430: Unsafe navigation in Chromecast Plugin. Reported by jinmo123 on 11/1/2017
[$500][778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25
[$N/A][756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16
[$N/A][756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-17
[$N/A][756735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18
[$N/A][768910] Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. Reported by Junaid Farhan (fb.me/junaid.farhan.54) on 2017-09-26


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [792099] Various fixes from internal audits, fuzzing and other initiatives

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.


A list of all changes is available in the log.Interested in switching release channels? Find out how.  If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.




Krishna Govind
Google Chrome

Labels: ,

27 Comments:

Blogger Delano said...

HATE bookmarks change, how do i go back to previous update?

5:18 PM, December 06, 2017  
Blogger desertdawn said...

This comment has been removed by the author.

8:36 PM, December 06, 2017  
Blogger desertdawn said...

Noticeable Speed increase when loading tabs

10:05 PM, December 06, 2017  
Blogger Bernard Golden said...

Getting error message while attempting access to AWS Management Console. Error message is:

Bad request
There is something wrong with your request. Clear you cookies, check your request, and try again. If this issue continues, contact AWS Support.

Have cleared cache, uninstalled Chrome and reinstalled, still getting this error message. Can access via Firefox no problem.

9:01 AM, December 07, 2017  
Blogger Krishna Govind said...

Bernard Golden, could you please log a bug under crbug.com with all details for AWS Management Console issue??

10:56 AM, December 07, 2017  
Blogger bswarm said...

Favicons take almost a full minute to show up, every time the browser is launched.

6:23 PM, December 08, 2017  
Blogger al zwikker said...

Chrome, the perfect browser...

6:12 AM, December 09, 2017  
Blogger al zwikker said...

This comment has been removed by the author.

6:12 AM, December 09, 2017  
Blogger Fernando Cuadrado said...

Something wrong in Android 5.1 + Chrome 63.0.3239.84. SESSION GO AWAY, CAN'T KEEP ALIVE.

11:33 AM, December 10, 2017  
Blogger Through Loopys Lens said...

Google Chrome just keeps getting worse and worse. Some sites won't load at all now and if i go to Firefox they load with no problem. I am pretty much at the point where Google will be going bye bye. What good is a browser that only loads certain sites.I pretty much had it with Google and Gmail. I would be happy to have them permanently out of my life.

5:22 PM, December 10, 2017  
Anonymous Anonymous said...

Hi Delano, go to the address bar, and copy/paste chrome:flags#enable-md-bookmarks , select "Disabled" from the drop-down, and press "Relaunch Now".

12:55 AM, December 11, 2017  
Blogger Mike T said...

My online banking site allowed me to log on before updating from 62.0.3202.94

Now - since updating to 63.0.3239.84 - I find that my online banking site returns a page that says:

"This site can't provide a secure connection"

"onlinebanking.my_bank.com sent an invalid response"

ERR_SSL_PROTOCOL_ERROR

When I attempt to log in to mail.aol.com

Chrome presents a page that displays "This site can’t be reached"

Before updating from 62.0.3202.94 - the page to login would load

This behavior started after updating to Chrome version: 63.0.3239.84 : Stable

OS Version: Linux Mint 17.3 Rosa 4.4.0-45-generic #66~14.04.1-Ubuntu x86_64 GNU/Linux

Flash Version: 27.0.0.187 /home/xxx/.config/google-chrome/PepperFlash/27.0.0.187/libpepflashplayer.so

Firefox 57 continues to load these pages properly in Mint 17

Bug report filed:
https://bugs.chromium.org/p/chromium/issues/detail?id=793679

kochi@chromium.org suggests that I submit a bug report to the maintainers at Mint -
but this behavior did not start until I updated Chrome

What now ??????

11:21 AM, December 11, 2017  
Blogger Mike T said...

Upon further investigation it seems like this problem could be related to Symantec / Digecert Certificates ?

https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Many of the sites that we use to manage our lives seem to be affected -

Banking - including :
Credit card accounts
Deposit accounts
Investment accounts

Health Care - including :
Insurance
Diagnostic reports
Appointments

Utilities, etc ....

Can someone please test on the same OS as the one I've reported :

Linux Mint 17.3 Rosa 4.4.0-45-generic #66~14.04.1-Ubuntu x86_64 GNU/Linux

6:56 PM, December 11, 2017  
Blogger Charlie said...

1. I second Delano's comment, "HATE bookmarks change, how do i go back to previous update?"

2. l33t4g RE: How to disable Material Design Bookmarks. THANK YOU!!!!!

3. A little warning/update notice would be nice when these things happen.

8:57 AM, December 12, 2017  
Blogger srikanth rangan said...

getting a BSOD Blue screen, with Bad pool header when trying to access Chrome from a app-v application

12:13 PM, December 12, 2017  
Blogger Rogin Neil De Guzman said...

I'm getting this warning upon updating to the current version of chrome. please help

"*** normally uses encryption to protect your information. When Google Chrome tried to connect to *** this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be ***, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit *** right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

12:56 AM, December 13, 2017  
Blogger V97UXS said...

@ srikanth rangan said...

'getting a BSOD Blue screen, with Bad pool header when trying to access Chrome from a app-v application'

I am seeing the same behaviour, have you by any chance found out why this is ?

Thanks

H

7:31 AM, December 13, 2017  
Blogger Jason said...

Random freezing occurs since this update. CPU and RAM usage are normal but the entire browser gets unresponsive for 5-15 seconds about 6 times every 10 minutes

9:19 AM, December 13, 2017  
Blogger Krishna Govind said...

srikanth rangan & V97UXS@,

could you pls provide more details on "accessing Chrome from a app-v application" issue under crbug.com/794695?

Thank you,
Krishna



1:19 PM, December 13, 2017  
Blogger Mike T said...

I used Synaptic Package Manager to remove 63.0.3239.84

Then,I located google-chrome-stable_62.0.3202.94-1_amd64.deb in /var/cache/apt/archives to reinstall chrome using GDebi Package Installer

Subsequently, I am able to access those sites that failed to connect after the update to google-chrome-stable_63.0.3239.84-1_amd64.deb, which as you know includes includes 37 security fixes

I can only speculate as to which of the fixes prevented my Mint 17 install from connecting properly ....

Could AOL Mail have possibly been affected by CVE-2017-15419: Cross origin leak of redirect URL in Blink ???

Did my banking and similar sites failed to connect due to CVE-2017-15423: Issue with SPAKE implementation in BoringSSL ???

Please remediate these issues before the next stable release

Thanks - I appreciate your efforts

12:31 PM, December 14, 2017  
Blogger Jose Rodrigues said...

Table height 100% bugged calculation. Goes to 0. Any hint?

12:49 PM, December 14, 2017  
Blogger Krishna Govind said...

Mike T, could you please log a bug under crbug.com with all details for issue you're facing?

12:57 PM, December 14, 2017  
Blogger Mike T said...

@Krishna

https://bugs.chromium.org/p/chromium/issues/detail?id=793679

I guess I will have no choice but to use Firefox until the chrome team can properly address the issues described

1:17 PM, December 14, 2017  
Blogger Mike T said...

@Krishna

https://bugs.chromium.org/p/chromium/issues/detail?id=793679 current status is WontFix - and shows as being closed as of Dec 11

Nobody with the chrome team has responded since then - even though I have attempted to provide more info

I'd really like to see these concerns receive more attention

1:28 PM, December 14, 2017  
Blogger Krishna Govind said...

Thank you Mike T. Please see the bug for latest update.

2:42 PM, December 14, 2017  
Blogger Ken S said...

Delano said...
HATE bookmarks change, how do i go back to previous update?

What did they change with Bookmarks? Like to know before installing update, or wait til they fix it. This update looks like a nightmare looking at the comments! Like others I'll be using Firefox most likely if this continues with Google.

2:57 PM, December 15, 2017  
Blogger pawan shukla said...

after upgrading Google Chrome to version 63.0.3239.84 I have started receiving errors and warnings in console such as:
[DOM] Found 3 elements with non-unique id #SMTPSetting: (More info: https://goo.gl/9p2vKq)
[DOM] Input elements should have autocomplete attributes (suggested: "current-password"): (More info: https://goo.gl/9p2vKq)
[Violation] Added non-passive event listener to a scroll-blocking 'mousewheel' event. Consider marking event handler as 'passive' to make the page more responsive. See https://www.chromestatus.com/feature/5745543795965952

9:30 PM, December 15, 2017  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home