By Click&Clean - Wednesday, October 18, 2023.
Following the major Chrome 117 update four weeks ago, Google released the next significant Chrome update to version 118 via the Stable channel on Tuesday, October 10, for Windows, Mac, Linux, iOS, and Android platforms. Chrome 118 is primarily a security update, but it also includes new features, improvements, and changes.
The latest version of Chrome Stable 118 addresses 20 security bugs, including 14 reported by external researchers. Of these, one is rated as a critical security issue, six are high-risk flaws, two are medium-risk bugs, and five are assessed as low-risk vulnerabilities.
Use-after-free in Site Isolation (CVE-2023-5218) - The vulnerability exists due to a bug in the Site Isolation component in Chrome web browser. This security flaw allows a remote cyber-attacker to cause a use-after-free error that could potentially allow them to execute arbitrary code on the target system when the user visits a specially crafted malicious HTML web page.
Inappropriate implementation in Fullscreen (CVE-2023-5487
Inappropriate implementation in Navigation (CVE-2023-5484) and Downloads (CVE-2023-5481) - These bugs allow a remote attacker to spoof user interface (UI) content via a specially crafted malicious web page.
Inappropriate implementation in DevTools (CVE-2023-5475) - This security vulnerability allows a remote cyber-attacker who has tricked a user into installing a malicious extension to bypass discretionary access control via a crafted Chrome Extension and then gain access to the user's sensitive information.
Inappropriate implementation in Intents (CVE-2023-5483) - This flaw allows a cyber-attacker to bypass content security policy when the user visits a specially crafted malicious HTML web page.
Inappropriate implementation in Extensions API (CVE-2023-5479) - This security flaw allows an attacker who has tricked the user into installing a malicious extension to bypass an enterprise policy through a crafted malicious web page and gain access to sensitive information.
Use-after-free in Blink History (CVE-2023-5476) - This security bug allows a remote cyber-attacker to trick the user into visiting a malicious web page, then trigger a use-after-free error and gain access to the user's sensitive information.
Heap-based buffer overflow in PDF (CVE-2023-5474) - This vulnerability allows a remote attacker, after convincing a user to perform certain actions, to potentially exploit heap corruption using a specially crafted malicious PDF file and execute arbitrary code on the target system.
If you are still using an outdated, insecure version of Chrome, we recommend that you update immediately to the latest stable version to stay protected from potential cyber-attacks and other security threats.
The following versions (at the time of writing) of Chrome web browser should be listed on the "About Chrome" page after the security update is installed:
• Chrome versions 118.0.5993.88 and 118.0.5993.89 on Windows
• Chrome version 118.0.5993.88 on Linux and Mac
• Chrome Extended version 118.0.5993.71 on Windows
• Chrome Extended version 118.0.5993.70 on Mac
• Chrome version 118.0.5993.92 on iOS
• Chrome version 118.0.5993.80 on Android
• In Chrome 118, Google introduced support for Encrypted Client Hello (ECH) to enhance user security and privacy. ECH increases user privacy because network operators can no longer know what sites and services the user is accessing in the browser.
• Another security feature in Chrome 118 lets Google's "Safe Browsing" servers remotely and automatically disable malicious extensions that weren't installed from the Chrome Web Store. To activate this feature, you need to enable "Enhanced Safe Browsing" in your web browser.
• If "Enhanced Safe Browsing" is enabled, Chrome can now deeply scan encrypted archives such as ZIP, 7-Zip, RAR, and other archive files, and prompt the user to provide the archive password along with the file contents.
• Chrome 118 now supports creating and using passkeys from iCloud Keychain. Passkey support can be managed via chrome://password-manager/settings. This feature works starting with Chrome version 118 on macOS 13.5 and later.
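To run the "About Chrome" version check across many machines, the following added example (not part of the original article) compares installed versions against the fixed builds listed above. The platform and channel labels, the function names, and the inventory rows are assumptions made for illustration.

```python
# Minimum fixed builds, copied from the version list in this article.
FIXED = {
    ("windows", "stable"): "118.0.5993.88",
    ("linux", "stable"): "118.0.5993.88",
    ("mac", "stable"): "118.0.5993.88",
    ("windows", "extended"): "118.0.5993.71",
    ("mac", "extended"): "118.0.5993.70",
    ("ios", "stable"): "118.0.5993.92",
    ("android", "stable"): "118.0.5993.80",
}

def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, channel, version):
    """Return 'patched', 'outdated' or 'unknown' for one installed browser."""
    minimum = FIXED.get((platform.lower(), channel.lower()))
    installed = parse_version(version)
    if minimum is None or installed is None:
        return "unknown"  # unlisted platform/channel or unparseable version: review by hand
    # Tuples compare numerically per component, so 118.0.5993.9 sorts below 118.0.5993.70
    # (a plain string comparison would get this wrong).
    return "patched" if installed >= parse_version(minimum) else "outdated"

def audit(rows):
    """Map each host to its status; rows are (host, platform, channel, version)."""
    return {host: classify(p, c, v) for host, p, c, v in rows}

# Constructed inventory rows, e.g. as exported from an endpoint-management tool.
SAMPLE = [
    ("ws-01", "Windows", "stable", "118.0.5993.89"),
    ("ws-02", "Windows", "stable", "117.0.5938.149"),
    ("ws-03", "Windows", "extended", "118.0.5993.71"),
    ("mb-01", "Mac", "extended", "118.0.5993.9"),
    ("lx-01", "Linux", "stable", "118.0.5993.88 "),
    ("ph-01", "Android", "stable", "118.0.5993"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have a version string or platform/channel pair the table does not cover and should be checked manually rather than assumed safe.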