Google Chrome v68.0.3440.75 正式版发布

昨天下午发现Chrome正式版的版本还是67.0.3396.99,今天发现居然发布更新到:68.0.3440.75了.

谷歌浏览器Google Chrome稳定版迎来v68正式版首个版本发布,详细版本号为v68.0.3440.75,上一个正式版v67.0.3396.99发布于6月13日,时隔29天Google又发布了新版Chrome浏览器,本次升级主要是更新了42项安全修复和稳定性改进及用户体验。

谷歌浏览器v68正式版新增了一项重大的变化,当加载非HTTPS时,该浏览器的处理方式会更加审慎。只要遇到潜在不安全的站点,Chrome都将开始抛出警告信息。虽然不会对日常使用造成太大的影响,但这确实是迄今为止发生的一个重大转变。

网友发现还更新了一个“重量级”的功能:

在 7 月 24 号发布的 Chrome 68 中,Google 引入了一项重大的变化。当加载非 HTTPS 网站时,该浏览器的处理方式会更加审慎。据悉,只要遇到潜在不安全的站点,Chrome 都将开始抛出警告信息。虽然不会对日常使用造成太大的影响,但这确实是迄今为止发生的一个重大转变。

Chrome 正在改变加载 HTTP 时的处理方法,因为这项老旧的技术未对数据进行加密。

在之前版本的 Chrome 浏览器中,Google 还只是强调“当前访问的网站是否采访用了更加安全的 HTTPS 加密”,并在地址栏上凸显一个标记。

然而现在的情况是,Google 突然加快的步伐,彻底将那些缺失有效安全证书的非 HTTPS 网站划归到了“潜在不安全”的阵营,并抛出安全警示。

在官方支持页面上,Google 解释到:

过去几年中,我们一直主张站点采用 HTTPS,以提升其安全性。去年的时候,我们还通过将更大的 HTTP 页面标记为‘不安全’以帮助用户。

不过从 2018 年 7 月开始,随着 Chrome 68 的发布,浏览器会将所有 HTTP 网站标记为‘不安全’。

简而言之,从 Chrome 68 开始,这一变动将影响到 Web 和内网中‘潜在不安全’HTTP 网站的访问。

谷歌浏览器v68正式版新增站点隔离功能,可以提高Chrome浏览器的整体安全性,保护用户或最大限度地降低广受媒体关注的Spectre安全漏洞可能导致的攻击风险,该漏洞已经不少于比四个变种。此外,更充分地利用智能手机中的各个传感器,并通过全新的WebXR框架(已经整合了VR和AR的诸多API)为移动端设备带来更好的沉浸式体验。而这些API可用于创建例如桌面迷宫等网页游戏或者类似于数字指南针等实用工具。

附官方更新日志:

Chrome稳定版已经更新到v68.0.3440.75

安全修复程序和奖励

更新包括42项安全修复

[$5000][850350] High CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-06-07

[$3000][848914] High CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair on 2018-06-01

[$N/A][842265] High CVE-2018-6155: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-11

[$N/A][841962] High CVE-2018-6156: Heap buffer overflow in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-10

[$N/A][840536] High CVE-2018-6157: Type confusion in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-07

[$2000][841280] Medium CVE-2018-6158: Use after free in Blink. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-09

[$2000][837275] Medium CVE-2018-6159: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-04-26

[$1000][839822] Medium CVE-2018-6160: URL spoof in Chrome on iOS. Reported by evi1m0 of Bilibili Security Team on 2018-05-04

[$1000][826552] Medium CVE-2018-6161: Same origin policy bypass in WebAudio. Reported by Jun Kokatsu (@shhnjk) on 2018-03-27

[$1000][804123] Medium CVE-2018-6162: Heap buffer overflow in WebGL. Reported by Omair on 2018-01-21

[$500][849398] Medium CVE-2018-6163: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-06-04

[$500][848786] Medium CVE-2018-6164: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-06-01

[$500][847718] Medium CVE-2018-6165: URL spoof in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-05-30

[$500][835554] Medium CVE-2018-6166: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-21

[$500][833143] Medium CVE-2018-6167: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-15

[$500][828265] Medium CVE-2018-6168: CORS bypass in Blink. Reported by Gunes Acar and Danny Y. Huang of Princeton University, Frank Li of UC Berkeley on 2018-04-03

[$500][394518] Medium CVE-2018-6169: Permissions bypass in extension installation . Reported by Sam P on 2014-07-16

[$TBD][862059] Medium CVE-2018-6170: Type confusion in PDFium. Reported by Anonymous on 2018-07-10

[$TBD][851799] Medium CVE-2018-6171: Use after free in WebBluetooth. Reported by amazon@mimetics.ca on 2018-06-12

[$TBD][847242] Medium CVE-2018-6172: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-28

[$TBD][836885] Medium CVE-2018-6173: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-04-25

[$N/A][835299] Medium CVE-2018-6174: Integer overflow in SwiftShader. Reported by Mark Brand of Google Project Zero on 2018-04-20

[$TBD][826019] Medium CVE-2018-6175: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-26

[$N/A][666824] Medium CVE-2018-6176: Local user privilege escalation in Extensions. Reported by Jann Horn of Google Project Zero on 2016-11-18

[$500][826187] Low CVE-2018-6177: Cross origin information leak in Blink. Reported by Ron Masas (Imperva) on 2018-03-27

[$500][823194] Low CVE-2018-6178: UI spoof in Extensions. Reported by Khalil Zhani on 2018-03-19

[$500][816685] Low CVE-2018-6179: Local file information leak in Extensions. Reported by Anonymous on 2018-02-26

[$500][797461] Low CVE-2018-6044: Request privilege escalation in Extensions . Reported by Rob Wu on 2017-12-23

[$500][791324] Low CVE-2018-4117: Cross origin information leak in Blink. Reported by AhsanEjaz - @AhsanEjazA on 2017-12-03

[866821] Various fixes from internal audits, fuzzing and other initiatives

The following bugs were fixed in previous Chrome releases, but were mistakenly omitted from the release notes at the time:

[$1000][812667] Medium CVE-2018-6150: Cross origin information disclosure in Service Workers. Reported by Rob Wu on 2018-02-15

[$500][805905] Medium CVE-2018-6151: Bad cast in DevTools. Reported by Rob Wu on 2018-01-25

[$2000][805445] Medium CVE-2018-6152: Local file write in DevTools. Reported by Rob Wu on 2018-01-24

历史文章

编辑/月影西沉

月影西沉

  • 发表于:
  • 原文链接https://kuaibao.qq.com/s/20180728A16CNR00?refer=cp_1026
  • 腾讯「云+社区」是腾讯内容开放平台帐号(企鹅号)传播渠道之一,根据《腾讯内容开放平台服务协议》转载发布内容。
  • 如有侵权,请联系 yunjia_community@tencent.com 删除。

同媒体快讯

扫码关注云+社区

领取腾讯云代金券