Google Chrome 63

Google has started rolling out version 63 of its Chrome browser for Windows, Mac, Linux, and Android users. Most changes in this version address under-the-hood features and bring speed improvements and better support for web standards.

Here is a short list of some of the most important changes made in the Chrome 63 release:

▬ Google has redesigned the chrome://flags section.
▬ Chrome now lets you mute sites forever.
▬ FTP links are now marked as insecure.
▬ Chrome now shows warnings against MitM attacks.
▬ Chrome now uses better site isolation.
▬ Chrome now comes with a Device Memory API that lets developers better understand how Chrome and websites use a PC's memory.
▬ Chrome now supports the Generic Sensors API, which exposes the following sensors to websites: Accelerometer, LinearAccelerationSensor, Gyroscope, AbsoluteOrientationSensor, and RelativeOrientationSensor.
Version 2 of NT LAN Manager (NTLM) API is now shipped, enabling applications to authenticate remote users and provide session security when requested by the application.
▬ Changes to how Chrome asks for user permissions, which has resulted in the decrease of the overall number of permission prompts by 50%.
▬ Developers can now make pixel-level adjustments using the new Q length unit, which is especially useful on small viewports.
▬ Developers can now prevent apps from using Chrome’s pull-to-refresh feature or create custom effects using overscroll-behavior, which allows changing the browser’s behavior once the scroller has reached its full extent.
font-variant-east-asian is now supported, allowing developers to control the usage of alternate glyphs for East Asian languages like Japanese and Chinese.
▬ Chrome can now load JavaScript modules based on runtime conditions. It previously supported only static JavaScript module loading.
▬ Chrome now includes a new mechanism for handling code that generates or iterates through data via asynchronous functions.
▬ To improve interoperability, Chrome will fire beforeprint and afterprint events as part of the printing standard, allowing developers to to annotate the printed copy and edit the annotation after the printing command is done executing.

Other changes are detailed in the official Chrome 63 changelog, here.

Security fixes, galore!

As for security fixes, Google engineers fixed 37 issues since Chrome 62. Below are the issues reported by external researchers, and by Google in-house engineers.

[$10500][778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26
[$6337][762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-09-06
[$5000][763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11
[$5000][765921] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16
[$5000][770148] High CVE-2017-15411: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
[$3500][727039] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27
[$500][766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan(@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19
[$3337][765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
[$2500][779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28
[$2000][699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia . Reported by Max May on 2017-03-07
[$1000][765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15
[$1000][780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31
[$500][777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23
[$TBD][774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
[$500][778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25
[$N/A][756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16
[$N/A][756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-17
[$N/A][756735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18
[$N/A][768910] Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. Reported by Junaid Farhan ( on 2017-09-26
[$N/A][792099] Various fixes from internal audits, fuzzing and other initiatives

Related Articles:

Google Removes the Option of Installing Chrome Extensions via Remote Sites

Google Chrome 67 Released for Windows, Mac, and Linux

Google Chrome to Remove “Secure” Indicator From HTTPS Pages in September

Google Says Chrome Now Blocks "About Half of Unwanted Autoplays"

FacePause Chrome Extension Pauses a YouTube Video When You Look Away