Sophos Chrome Security




After delays to Chrome version 81 in March, and the scrapping of version 82 a month later, this week sees the early arrival of Chrome 83 with a longer list of new security features than originally planned.

As browser updates go, it’s a lot to take in, although some of them are more tweaks to existing features than anything radically new.

It’s hard to pick out a single big feature, although for some it will be upgraded support for DNS-over-HTTPS (DoH), a privacy technology that makes it much harder for third parties (ISPs, the Government, malevolent parties) to see which web domains someone is visiting.

See our previous coverage for more explanation of the benefits of DoH (and forthcoming support for it in Windows 10) but be aware that Google still doesn’t make using this as easy as it should be.

First, it’s not turned on by default, and might not even be visible under Settings > Privacy and security > Advanced (type chrome://flags/ into the address bar and search for Secure DNS > Enable if that’s the case).

On Chrome, unlike Firefox, users still have to set up a DNS provider that supports DoH via the OS. You can test that it’s working using Cloudflare’s security check.

Enhanced Safe Browsing

Chrome’s Settings pane now includes an enhanced browsing mode which monitors whether the pages a user is visiting, or downloads, have been marked by Google’s Safe Browsing as malicious or suspect.

It’s still optional, which raises the question of why users wouldn’t want this protection. One answer might simply be privacy – turned on, Google will be checking every URL and download against its own database.

Extensions

The user is now made more aware of Chrome extensions, which are now accessible through an icon in the toolbar. This is positive – numerous incidents underline that untended extensions represent a security risk.


Users can now monitor permissions from a simple toolbar icon rather than having to dig into menus, which few are inclined to do. Judging from the experimental ‘extensions checkup’ feature accessible via chrome://flags, Google plans to expand the capabilities of this in future versions.

Cookie control

It’s now possible to allow or block cookies for individual sites, including in incognito mode. The ‘clear browser data’ option has now been moved to the top of Settings > Privacy and security.

Security

Safety check

This seems to work like a one-stop check on important settings, including telling users whether specific passwords have been compromised (using the Password Checkup technology added in Chrome 79). It also checks for malicious extensions, makes sure the user is running the latest version of Chrome, and will tell you whether Safe Browsing is turned off.

This is all good, right?

It never hurts to have more security and privacy but some of the new features (blocking cookies in incognito mode, for example) are already implemented by rival browsers. Some of what’s on offer is playing catch up.

But browser makers know most users don’t delve deeply into many of these features, so the battle has become making security and privacy easier to access in the hope this means it will be more likely to be used.

Endnote: if your Chrome install says ‘your browser is managed by organization’ (type chrome://management into the address bar) then some of the features mentioned in this article might not appear immediately.

This might be because it is managed by an employer, or simply a relic of a security program that set a policy in the past. On Windows, deleting this setting requires delving into Windows regedit with respect for the adage there be dragons.


Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.

Patch now, we said.

And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:

The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update bulletin that includes 47 security fixes, of which eight have a severity level of High.

In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those days/weeks to elapse until the update finds you.

If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.

Object lifecycle issue in audio

Two of the eight High Severity bugs in this set of patches were apparently found in the same part of Chrome, denoted in Google’s list merely as: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research.

The first bug is numbered CVE-2021-21165, reported on 2021-02-04, a month ago; the second was dubbed CVE-2021-21166, reported a week after that on 2021-02-11.

An object lifecycle issue is a jargon way of referring to what probably amounts to some kind of memory mismanagement.

The word “object” refers, very loosely, to a block of memory containing some sort of data structure, together with a list of associated programmatic functions for manipulating that data.

Managing an object’s lifecycle means, amongst other things:

  • Ensuring that the memory it uses is reclaimed by the system when the object is no longer needed.
  • Taking care not to reclaim and reallocate the memory while the object is still being used.
  • Not doing any calculations on the object before its memory has been assigned and initialised.
  • Not doing the wrong sort of calculations on the data in an object, such as trying to treat a JPEG file as a PNG, or assuming that an audio clip has 16 bits per audio sample when it only has 8 bits.
  • Stopping two different parts of the program from clashing over access to the object.
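To make the first four rules concrete, here is an added example (not code from the article or from Chromium) of a small reference-counted audio clip object: memory is initialised before use, reclaimed exactly once and only after the last holder lets go, and the sample width is checked before the bytes are interpreted. All names are hypothetical, and the fifth rule (locking against concurrent access) is left out for brevity.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical audio clip object used for this added example. */
typedef struct {
    int refcount;        /* holders still using the clip */
    int bits_per_sample; /* 8 or 16; checked before samples are read */
    size_t nbytes;
    uint8_t *data;       /* allocated and filled in clip_new */
} audio_clip;

/* Rule 3: assign and initialise memory before any calculation touches it. */
audio_clip *clip_new(int bits_per_sample, const uint8_t *src, size_t nbytes) {
    if (bits_per_sample != 8 && bits_per_sample != 16) return NULL;
    if (bits_per_sample == 16 && nbytes % 2 != 0) return NULL; /* odd byte count is not 16-bit audio */
    audio_clip *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->data = malloc(nbytes);
    if (!c->data) { free(c); return NULL; }
    memcpy(c->data, src, nbytes);
    c->nbytes = nbytes;
    c->bits_per_sample = bits_per_sample;
    c->refcount = 1;
    return c;
}

audio_clip *clip_retain(audio_clip *c) { c->refcount++; return c; }

/* Rules 1 and 2: free exactly once, and never while someone still holds a
 * reference. Returns 1 if the memory was reclaimed, 0 if still in use. */
int clip_release(audio_clip *c) {
    if (--c->refcount > 0) return 0;
    free(c->data);
    free(c);
    return 1;
}

/* Rule 4: interpret the bytes by the clip's real sample width instead of
 * assuming 16 bits. Returns the peak absolute sample value. */
int clip_peak(const audio_clip *c) {
    int peak = 0;
    if (c->bits_per_sample == 8) {
        for (size_t i = 0; i < c->nbytes; i++) {      /* 8-bit PCM is unsigned, centred on 128 */
            int v = abs((int)c->data[i] - 128);
            if (v > peak) peak = v;
        }
    } else {
        for (size_t i = 0; i + 1 < c->nbytes; i += 2) { /* 16-bit PCM, little-endian, signed */
            int v = abs((int16_t)(c->data[i] | (c->data[i + 1] << 8)));
            if (v > peak) peak = v;
        }
    }
    return peak;
}
```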

Exploit in the wild

We don’t know what form these particular bugs took, given that the Chromium team’s discussion of the bugs in this release still seems to be in “keep-it-private-to-stave-off-the-crooks-a-while-longer” mode.

But we do know that at the end of this month’s bug list you will see an almost casual sentence saying that:

Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild.


In vernacular language, that means “this is a zero-day bug.”

In this context, “zero-day” denotes that the crooks got there first, so that there were literally zero days on which even the fastest-patching sysadmin could have been ahead of the Bad Guys.

Who’s exploiting this bug, in which parts of the world, against whom, and with what sort of outcome, we don’t yet know.

We’re assuming that some sort of remote code execution attack (RCE) is involved, in which case this bug, when successfully triggered, could lead to crooks implanting malware on your computer without you noticing at all, let alone agreeing to download or install any files.

We’re also assuming, given that this bug apparently has something to do with audio processing, that the bug can be deliberately and remotely triggered by serving up some audio-related data via a booby-trapped web page.

What to do?

As always in a zero-day report of this sort, don’t worry too much about the exact hows and whys just yet – assume that some kind of “drive-by” RCE is possible, so that just visiting a booby-trapped site might be enough to drop malware onto your computer, and therefore patch right away.

To check what version you have, click the three-lines icon (the “hamburger menu”) in the top right corner.

For Chrome, go to Help > About Chrome. For Chromium simply click About Chromium.

(In either browser, you can also put the special URL chrome://settings/help into the address bar.)

The version you are looking for is 89.0.4389.72 or above.

If you aren’t up-to-date, use the Update Google Chrome option on Windows or Mac to force an update.

If you’re on Linux and your version of Chrome or Chromium is provided by your distro maker, check back with your distro for update details.


Note: If you are using Microsoft Edge, which is based on the Chromium source code but has a different version number sequence, the version to look for is 89.0.774.45 or above.
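If you are checking a fleet rather than one browser, compare the version numbers numerically rather than as text. This is an added example (not code from the article): it pulls the version out of a line such as the one printed by the browser's About page and compares it component by component against the minimum given above. Note the Edge number 89.0.774.45 would wrongly sort as "newer" than Chrome's 89.0.4389.72 under plain string comparison; the function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Parse up to four dotted numeric components; missing ones count as 0.
 * Returns 0 for an empty string or anything other than digits and dots. */
static int parse_version(const char *s, long out[4]) {
    for (int i = 0; i < 4; i++) out[i] = 0;
    if (*s == '\0') return 0;
    int i = 0;
    while (*s && i < 4) {
        char *end;
        out[i++] = strtol(s, &end, 10);
        if (end == s) return 0;      /* expected a number, found none */
        if (*end == '\0') return 1;
        if (*end != '.') return 0;
        s = end + 1;
    }
    return *s == '\0';               /* more than four components is malformed */
}

/* Returns 1 if `have` is at least `need`, 0 if it is older, -1 if either
 * string is malformed. Components are compared as numbers, not as text. */
int version_at_least(const char *have, const char *need) {
    long a[4], b[4];
    if (!parse_version(have, a) || !parse_version(need, b)) return -1;
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i]) return a[i] > b[i];
    }
    return 1;
}

/* Copy the version from a line like "Google Chrome 89.0.4389.72" into `out`
 * (buffer size n). Returns 1 on success, 0 if no version was found. */
int extract_version(const char *line, char *out, size_t n) {
    const char *p = line;
    while (*p && !(*p >= '0' && *p <= '9')) p++;   /* skip to the first digit */
    size_t len = strspn(p, "0123456789.");
    if (len == 0 || len >= n) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}
```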