Chrome 81 Released With 32 Security Fixes and Web NFC API

Google has released Chrome 81 today, April 7th, 2020, to the Stable desktop channel for the Windows, macOS, and Linux with bug fixes, new features, and 32 security fixes.

Included are new features such as the auto-upgrading of mixed image content and the Web NFC API.

Windows, Mac, and Linux desktop users can upgrade to Chrome 81.0.4044.92 by going to Settings -> Help -> About Google Chrome and the browser will automatically check for the new update and install it when available.

With Chrome 81 now being promoted to the Stable channel, Chrome 83 will soon be promoted to the Beta version and Chrome 84 will be the Canary version.

Due to the Coronavirus pandemic, Chrome 82 will be skipped and all development from the version will be rolled into Chrome 83.

A full list of all security fixes in this release is available in the Chrome 81 changelog, while the Chromium browser changes for Chrome 81 are listed here.

Web NFC API arrives

Chrome 81 now allows the browser to read and write to NFC tags when they are close to the user's laptop or computer. Google states that this is usually between 5-10 cm or 2-4 inches from the device.

For the first iteration of this API, the feature will support "the NFC Data Exchange Format aka NDEF, a lightweight binary message format, as it works across different tag formats."

Using the Web NFC API, users can share and store data on NFC tags so that they can be easily transferred and used by other supported devices and programs.

Autoupgrade of image mixed content

With the release of Chrome 81, Google will now automatically attempt to load all HTTP image content on a web page via HTTPS and block the content if it cannot be delivered over a secure connection.

What this means is that if an HTTP image is not available over HTTPS, it will not be shown on the web page. 

"This feature will autoupgrade optionally-blockable mixed content (HTTP content in HTTPS sites) by rewriting the URL to HTTPS, without a fallback to HTTP if the content is not available over HTTPS. Image mixed content autoupgrades are targeted for M81," states Google's feature entry.

Console warnings about mixed content downloads

Also starting with this release are Console warnings of downloads that are being insecurely-delivered from secure contexts ("mixed content downloads").

For example, downloading a file over HTTP that was initiated from an HTTPS site.

BleepingComputer has created a PoC page that allows you to test this feature now.

TLS 1.0 and TLS 1.1 removal postponed to Chrome 84

TLS 1.0 and 1.1 were scheduled to be fully removed in Chrome 81, but due to the Coronavirus pandemic, Google has decided to delay its removal until Chrome 84.

This is being delayed to prevent problems with government and healthcare sites who may still be using older certificates and thus would be blocked.

As users need to be able to access all sites to get information during this health crisis, the removal of TLS 1.0 and TLS 1.1 is pushed back to Chrome 84.

32 security vulnerabilities fixed

The Chrome 81 release fixes 32 security vulnerabilities, with the following discovered by external researchers:

High CVE-2020-6454: Use after free in extensions. Reported by leecraso of Beihang University and Guang Gong of Alpha Team, Qihoo 360 on 2019-10-29
High CVE-2020-6423: Use after free in audio. Reported by Anonymous on 2020-01-18
High CVE-2020-6455: Out of bounds read in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab, Qihoo 360 on 2020-03-09
Medium CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
Medium CVE-2020-6431: Insufficient policy enforcement in full screen. Reported by Luan Herrera (@lbherrera_) on 2018-06-14
Medium CVE-2020-6432: Insufficient policy enforcement in navigations. Reported by David Erceg on 2019-05-21
Medium CVE-2020-6433: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-01-21
Medium CVE-2020-6434: Use after free in devtools. Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
Medium CVE-2020-6435: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
Medium CVE-2020-6436: Use after free in window management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
Low CVE-2020-6437: Inappropriate implementation in WebView. Reported by Jann Horn on 2016-08-19
Low CVE-2020-6438: Insufficient policy enforcement in extensions. Reported by Ng Yik Phang on 2017-04-24
Low CVE-2020-6439: Insufficient policy enforcement in navigations. Reported by remkoboonstra on 2018-07-26
Low CVE-2020-6440: Inappropriate implementation in extensions. Reported by David Erceg on 2018-10-11
Low CVE-2020-6441: Insufficient policy enforcement in omnibox. Reported by David Erceg on 2019-05-04
Low CVE-2020-6442: Inappropriate implementation in cache. Reported by B@rMey on 2019-10-12
Low CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
Low CVE-2020-6445: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
Low CVE-2020-6446: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
Low CVE-2020-6447: Inappropriate implementation in developer tools. Reported by David Erceg on 2019-08-06
Low CVE-2020-6448: Use after free in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26

Comments are closed.