Google announced Chrome update 147.0.7727.101, addressing 31 vulnerabilities, including 5 critical ones. These critical issues could allow attackers to bypass browser protections and execute code outside the sandbox environment. The vulnerabilities stem from buffer overruns in the ANGLE layer and the Skia library, and from memory leaks in various components such as Prerender, virtual reality (XR), and Proxy objects.
Additionally, the update addresses Chrome’s susceptibility to hidden identification methods, which can generate browser identifiers based on indirect characteristics such as screen resolution, MIME types, specific parameters in headers (HTTP/2 and TLS), analysis of installed fonts, availability of certain Web APIs, browsing history, WebGL/WebGPU/Canvas features, audio processing methods, local IP leaks via WebRTC, TLS extension enumeration, emoji rendering, sensor calibration, and detection of Bluetooth/USB/HID devices.
Chrome lacks built-in mechanisms to protect against hidden identification, and previous privacy initiatives like Privacy Sandbox and Privacy Budget have been limited. The update also discusses how browser add-ons can block these identification methods using content processing scripts, debugging tools like chrome.debugger, and network request analysis with chrome.webRequest. Furthermore, the storage of identifiers in unconventional areas like the favicon cache and the form autofill database is highlighted.