Google Chrome 118 is now available. The new version of Google’s web browser addresses 20 security issues in the browser, one of which is rated critical, and also introduces new features and changes.
Chrome users may check the installed version by loading chrome://settings/help in the browser’s address bar. Selecting Menu > Help > About Google Chrome opens the same page. Chrome lists its version on the page and it runs a check for updates. The new update should be picked up at that point and installed. A restart of the browser is required to complete the process.
The following versions are the latest at the time of writing:
- Chrome for Mac and Linux: 118.0.5993.70
- Chrome for Windows: 118.0.5993.70 and 118.0.5993.71
- Chrome Extended for Mac: 118.0.5993.70
- Chrome Extended for Windows: 118.0.5993.71
- Chrome for Android: 118.0.5993.65
Google Chrome 118
Google informs users on the official Chrome Releases blog that it has patched 20 unique security issues in the Chrome web browser. 14 of those are listed on the page, the remaining six were discovered internally.
The main issue is CVE-2023-5218. It is a critical security issue, an use after free in Site Isolation. The remaining publicly disclosed vulnerabilities have a severity rating of medium or low. They address additional use after free and heap buffer overflow issues, as well as “inappropriate implementations”.
Chrome 118 is the first stable version of Google’s web browser with Encrypted Client Hello support. Google introduced support in Chrome Canary back in 2022 and has been working on the feature since.
Without going into too many details, Encrypted Client Hello protects the domain name from being leaked to network operators when users open sites and services in the browser. It improves privacy as a consequence, as network operators such as the ISP, do not know anymore which sites a user accesses. One effect of this is that DNS-based blocking is no longer working, provided that the site and server in question support the new technology.
Mozilla introduced support for Encrypted Client Hello in Firefox 118 and most Chromium-based browsers will support the feature soon.
Another security feature gives Google the ability to disable extensions remotely that were not installed from the Chrome Web Store. Enhanced Safe Browsing needs to be enabled in Chrome for this to work and Google claims that it will use the feature only to disable malicious extensions. The disabling may happen manually or through automated detection systems according to Google.
Another Enhanced Safe Browsing change improves the deep scanning functionality. Chrome 118 users may now be prompted to provide the password for an archive file to allow Safe Browsing to analyze it.
Chrome is now also collecting “telemetry information about chrome.tabs API calls made by extensions” if Enhanced Safe Browsing is enabled. The information is analyzed on Google servers to improve the “detection of malicious and policy violating extensions”.
Google switched Safe Browsing to real-time checks recently.
Chrome users should update the browser immediately to protect it from attacks that target the patched vulnerabilities. Google plans to release all future Chrome releases a week early, starting with Chrome 119.
