July 31, 2024 at 09:08AM
Google announced improved cookie protections in Chrome 127 for Windows, along with a security update resolving three vulnerabilities. The most serious defect is a critical-severity issue in the open source implementation of the WebGPU standard, and two high-severity bugs were also addressed. Google is rolling out the update and advises users to update their browsers promptly to benefit from the enhanced protections.
The three vulnerabilities addressed by the security update were reported by external researchers: a critical-severity uninitialized use issue in Dawn, an out-of-bounds read in WebTransport, and insufficient data validation in Dawn. Google is in the process of determining bug bounty amounts for the reporting researchers.
The latest Chrome iteration, version 127.0.6533.88/89 for Windows and macOS, and version 127.0.6533.88 for Linux, is being rolled out. Users are advised to update their browsers as soon as possible. Google has added a new protection in Chrome 127 on Windows to prevent information stealers and other malicious applications from accessing browser cookies. This includes the introduction of Application-Bound (App-Bound) Encryption primitives to improve the Data Protection API (DPAPI) used on Windows for cookie protection.
With App-Bound Encryption in place, an attacker needs system privileges to steal the secrets, which makes theft more challenging. However, the protection will not work if Chrome profiles roam between multiple systems. Overall, the new protections aim to increase the cost of data theft to attackers and make their actions more noticeable on the system, drawing a clearer line in the sand for acceptable behavior of other apps on the system.