Level 20

Google has released Chrome 78 to the Stable desktop channel, with new improvements, features, and 37 security fixes. Included in this release is the DoH trial for all users on supported DNS providers, a basic Tab Hover Cards, and some other features behind experimental flags.

Windows, Mac, and Linux desktop users can upgrade to Chrome 78.0.3904.70 by going to Settings -> Help -> About Google Chrome and the browser will automatically check for the new update and install it when available. Android and iOS users can update Chrome from their respective App stores.

Google Chrome 78
Google Chrome 78
With Chrome 77 now being promoted to the Stable channel, Chrome 79 will soon (October 31) be the Beta version and Chrome 80 will b e the Canary version.

A full list of all changes in this release is available in the Chrome 78 changelog.

DNS-Over-HTTPS (DoH) Trial
Earlier this month we reported that starting with Chrome 78, Google will be conducting a DNS-Over-HTTPS (DoH) trial on all supported platforms other than Linux and iOS.

Unlike Firefox's DoH plan, which will only use CloudFlare as the DoH provider at first, Google Chrome will attempt to upgrade the browser's DNS resolution to DoH only if your DNS provider is supported.

For the test, the listed of support DNS providers are:

"Close other tabs" option removed
In order to reduce "clutter", Google has removed various right-click tab context-menu options whose function can be achieved through other means.

The context-menu options that were removed are 'New tab', 'Close other tabs', 'Reopen closed tab', and 'Bookmark all tabs' context-menu options. They then added a new context-menu option called "New tabs to the right".

New Tab Context-Menu
New Tab Context-Menu
Losing the "Close other tabs" options is already missed as I commonly use it to clean up an open Window of all its open tabs other than the one I am reading.

For those who commonly use the "Close other tabs" feature, Google recommends you use Shift+Click or Ctrl+Click on the tabs you want to close and then use alt+W to close them. This is thoroughly annoying to do and I hope Google brings back the feature.

Tab Hover Cards
Chrome 78 finally has enabled the long awaited Tab Hover Cards by default, but it still does not do a very good job as it just shows the page title and the web site home URL.

Tab Hover Card
Tab Hover Card
To get a full Tab Hover Card effect that includes a thumbnail image of the web page, you need to enable the "Tab Hover Card Images" flag at chrome://flags/#tab-hover-card-images for the full experience.

Tab Hover Card with Images
Tab Hover Card with Images
Native File System API
Starting in Chrome 78, web developers can get access to a trial of the new Native File System API that will allow website applications to get direct access to files on your site.

This API will allow a website to initiate a file picker dialog where you select a file to open. You can then manipulate the file on the web app and let the web site save the changes directly back to your file.

Save permission
Source: Google.
Integrated Password Checkup experiment
With today's release of Firefox 70, Mozilla added an in-browser data breach notification feature.

Not to be outdone, Google also has an experimental feature called "Password Leak Detection" at chrome://flags/#password-leak-detection that will also show in-browser notifications when your saved logins were found in a data breach.

When this flag is enabled, a new option can be found in the browser's password manager called "Check password safety".

If you are logged in and syncing your account with Google, this feature will become enabled and cause the browser to display notifications if your saved login was found in a data breach.

Data Breach Notification
Data Breach Notification
Forced Dark Mode experiment
In August we reported that Google Chrome was testing a new feature in the Chrome 78 Canary build that would allow you to force a Dark Mode theme on any web site, even if they do not support it.

When testing this feature, we were pleasantly surprised by how well it performed on our site. While it was not perfect, it definitely did a nice job.

Forced Dark Mode on BleepingComputer.com
Forced Dark Mode on BleepingComputer.com
This feature is still behind an experimental flag, so you will first need to enable the "Force Dark Mode for Web Contents" flag at chrome://flags/#enable-force-dark.

In our tests, we found the "Enabled with selective inversion of non-image elements" option to work the best.

36 security vulnerabilities fixed
The release of Chrome 78 fixes 37 security vulnerabilities, with the following discovered by external researchers:

  • High CVE-2019-13699: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-09-06
  • High CVE-2019-13700: Buffer overrun in Blink. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-28
  • High CVE-2019-13701: URL spoof in navigation. Reported by David Erceg on 2019-08-27
  • Medium CVE-2019-13702: Privilege elevation in Installer. Reported by Phillip Langlois (phillip.langlois@nccgroup.com) and Edward Torkington (edward.torkington@nccgroup.com), NCC Group on 2019-08-06
  • Medium CVE-2019-13703: URL bar spoofing. Reported by Khalil Zhani on 2019-08-12
  • Medium CVE-2019-13704: CSP bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-05
  • Medium CVE-2019-13705: Extension permission bypass. Reported by Luan Herrera (@lbherrera_) on 2019-07-30
  • Medium CVE-2019-13706: Out-of-bounds read in PDFium. Reported by pdknsk on 2019-09-05
  • Medium CVE-2019-13707: File storage disclosure. Reported by Andrea Palazzo on 2018-07-01
  • Medium CVE-2019-13708: HTTP authentication spoof. Reported by Khalil Zhani on 2019-02-13
  • Medium CVE-2019-13709: File download protection bypass. Reported by Zhong Zhaochen of andsecurity.cn on 2019-09-18
  • Medium CVE-2019-13710: File download protection bypass. Reported by bernardo.mrod on 2017-08-18
  • Medium CVE-2019-13711: Cross-context information leak. Reported by David Erceg on 2019-07-20
  • Medium CVE-2019-15903: Buffer overflow in expat. Reported by Sebastian Pipping on 2019-09-16
  • Medium CVE-2019-13713: Cross-origin data leak. Reported by David Erceg on 2019-08-13
  • Low CVE-2019-13714: CSS injection. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-07-10
  • Low CVE-2019-13715: Address bar spoofing. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-31
  • Low CVE-2019-13716: Service worker state error. Reported by Barron Hagerman on 2019-09-19
  • Low CVE-2019-13717: Notification obscured. Reported by xisigr of Tencent's Xuanwu Lab on 2018-05-03
  • Low CVE-2019-13718: IDN spoof. Reported by Khalil Zhani on 2018-07-20
  • Low CVE-2019-13719: Notification obscured. Reported by Khalil Zhani on 2019-01-31