Earlier last week, Google released Chrome 88, adding capabilities to the browser’s password manager; streamlining permission requests from sites that asked, say, to switch on the microphone; and for enterprises, ending support for an add-on that called up Microsoft’s Internet Explorer (IE) to render old intranet websites and legacy apps.
The Mountain View, Calif. search giant also paid out more than $81,000 in bounties to security researchers who reported some of the 36 vulnerabilities addressed in Chrome 88. One of the bugs was marked “Critical,” Google’s top-most threat level (and resulted in a $30,000 reward to its finder, researcher Rory McNamara). Nine others were tagged as “High,” the second-most-serious ranking. A number of the bounties — 10, including three of those labeled “High” — had not yet been assigned a dollar amount, so Google’s final payout will certainly be higher than the acknowledged total.
Because Chrome updates in the background, most users can finish a refresh by relaunching the browser. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. People new to Chrome can download version 88 for Windows, macOS and Linux directly. The Android and iOS browsers can be found in the Google Play and App Store e-markets, respectively.
Google updates Chrome about every six weeks; the previous upgrade was released Nov. 17.
Check passwords inside Chrome
Google drew the most attention to changes to Chrome’s password manager, dedicating a post in the company’s security blog to the improvements. “As we kick off the New Year, we’re excited to announce new updates that will give you even greater control over your passwords,” said Ali Sarraf, a Chrome product manager, in that post.
Chrome, like every other major browser, has long sported a baked-in password manager; Google has used earlier upgrade cycles to brace up that manager, making it equivalent, more or less, to those in rivals Edge (Microsoft) and Firefox (Mozilla).
In Chrome 88, the integrated password manager — reached by clicking the key-like icon after clicking the user account in the upper right — boasts an in-browser password checker that quickly identifies weak passwords and/or those which probably have been revealed in past data breaches. (This service, dubbed “Safety Check,” debuted in May 2020; Google claimed that since then, it’s seen a 37% reduction in compromised credentials stored in its browser.)
Depending on the result of the check, one or more of the stored-in-Chrome passwords may be labeled “Change password.” This is the second improvement in Chrome 88’s password infrastructure. “Starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too),” Sarraf said.
Clicking on the “Change password” box beside a weak or previously-revealed account will, most of the time though not always, take the user to the pertinent website’s log-in screen or even the page for creating a new password.
“The new features with Chrome 88 will be rolled out over the coming weeks,” noted Sarraf, referring to Google’s usual in-stages upgrades, a cautionary approach that prevents the entire user base from being affected by an unexpected bug or even customer blowback.
New permission chip, not slip
Google seeded Chrome 88 with a new permissions request that the firm called a “chip” to differentiate it from the usual pop-up prompt. “This change will be rolled out gradually throughout Chrome 88,” Google said in the browser’s release notes.
The chip, a small UI element at the left end of the address bar, is less intrusive than the typical pop-up. (When Computerworld enabled the chip, it appeared as a blue oval enclosing the words “Use your location?” After a few moments, the oval shrunk to a small blue circle. Clicking on the chip displayed the usual location request pop-up.)
“Since the prompt doesn’t intrude in the content area, users who don’t want to grant the permission no longer need to actively dismiss the prompt,” Google said after arguing that many users immediately dismiss such permission requests simply to clear the screen.
Users whose copy of Chrome hasn’t yet received the chip update will have to type chrome://flags, search for #permission-chip, change the field at the right to “Enabled” and relaunch the browser to see the feature.
On the enterprise side…
Google disabled all installed copies of the Legacy Browser Support (LBS) add-on with Chrome 88. Now coded into Chrome, LBS was designed so IT admins could deploy Google’s browser but still call up IE to render apps or sites that need that browser.
LBS — the extension, not the technology itself — has been on a road to extinction for some time and accelerated from Chrome 85 on. At this point, even enterprise policies that allowed IT staff to force install the add-on or mandate its continued operation no longer work.
Chrome has its work cut out here as even with LBS now part of the browser, it’s at a substantial disadvantage to Edge and Microsoft’s IE mode. That’s largely because Edge and IE mode are tied to Windows 10’s Enterprise Mode Site List and the latter’s myriad configuration options.
Elsewhere in the release notes for Chrome 88, Google reminded users that the macOS version of the browser requires OS X 10.11 (aka “El Capitan”) or later. Chrome will no longer run on Macs powered by 2014’s OS X 10.10, better known as Yosemite. This edition of Chrome also is the first to support extensions written in the new Manifest V3 format, which Google has declared will be more secure than the current add-on framework and offer users more granular control over extensions’ impact on privacy.
The next upgrade, Chrome 89, will be released in six weeks, on March 2.
Google this week released Chrome 87, boosting performance with “the largest gain … in years” and featuring a reworked user interface for the browser’s built-in PDF viewer.
The Mountain View, Calif. company also paid out more than $42,000 in bounties to security researchers who reported some of the 33 vulnerabilities addressed in Chrome 87. Ten of the bugs were marked “High,” Google’s second-most-serious threat level. (Critical vulnerabilities are very unusual in Chrome.) A large number of the bounties — seven of the 10 tagged High — had not been yet given a dollar amount, so the actual payout will certainly be significantly higher than the acknowledged amount.
Because Chrome updates in the background, most users can finish the refresh by relaunching the browser. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. People new to Chrome can download version 87 for Windows, macOS and Linux directly. The Android and iOS browsers can be found in the Google Play and App Store e-markets, respectively.
Google updates Chrome about every six weeks; the previous upgrade was released Oct. 6.
Tabs at the top of the list
Google rarely trumpets a Chrome release with an accounting of new features and functionality, but it broke with precedent for Chrome 87, which it bragged about in a long post to the browser’s blog and another to the Chromium team’s blog.
“This month’s update represents the largest gain in Chrome performance in years, thanks to many under-the-hood improvements,” wrote Matt Waddell, director of product for Chrome, in the Nov. 17 post.
According to Waddell, Chrome 87 loads pages up to 7% faster than before, starts up as much as 25% quicker and uses less memory doing so. Other improvements, specifically several related to Chrome’s tabs infrastructure, reduce processor usage by as much as five times, extending notebook battery lifespans up to one-and-a-quarter hours.
Google has been working on tabs for months, promising performance increases driven by throttling background tabs to a mere fraction of CPU time, then waking those tabs only when they’re brought into the foreground. Some Chrome users will see the tab throttling in action (and get the performance improvement) with this version, but Google will continue rolling out the functionality through at least Chrome 88, which is slated for a January 2021 debut.
Other tab-related changes will come to the browser, Waddell promised, including a tab-specific search tool accessed from the toolbar. Searches will be conducted not only on the active browser window, but on all Chrome Windows. This will appear in Chrome OS first, “then to other desktop platforms soon,” Waddell said.
Chrome goes native on Apple’s homegrown silicon
Chrome PDF viewer — the UI (user interface) which displays these documents and offers some limited manipulation — has also been enhanced in version 87.
Another long-promised change, the improved viewer sports a toolbar that collects previous functions — such as zooming in and out on the document — as well as new options, like the current page number and a fit-to-width command, in one place. The new viewer also includes a two-up view — two pages, shown side by side — a mode to see added annotations and a sidebar with page thumbnails.
Also debuting in Chrome 87, according to Waddell, is a new address bar function dubbed “Chrome Actions,” which is a group of text shortcuts that users can type into the bar — rather than a search string, for instance — to access a variety of browser commands, features and settings.
The initial set of actions, implying that more will be added later, include edit passwords to open the browser’s password manager (usually reached via the Settings page) and translate this to translate the current page.
As so often is the case, these actions may not be immediately available to most users. “This update will be progressively rolling out over the coming weeks,” Google said in the support document of Chrome Actions. “A wider rollout is planned for a later release,” the company said elsewhere.
Chrome 87 has also been compiled for the Apple-made M1 system-on-a-chip (SoC), the ARM-based silicon that powers the new MacBook Air, MacBook Pro and Mac Mini. (Other than Apple’s own Safari, Chrome is the only browser to run natively on M1 Macs.)
Unlike rival Firefox, Chrome can be downloaded from Google’s site as a native app, which should run faster than a copy of the browser translated by Rosetta 2 on the newest Macs. To get the native version of Chrome, users must manually download it, choosing the “Mac with Apple chip” option. The standard update process will just update the Intel-based version of Chrome, which will need to be translated by Rosetta 2 again. Later, Google will make good and give users with a M1 Mac the native application.
“If you don’t download the update directly from our Chrome download page, it will be delivered automatically to your device over the coming weeks,” a Chrome support manager wrote.
And enterprise stuff, too
On the enterprise side, Google warned commercial customers that Microsoft’s move to automatically redirect more than a thousand different URLs from Internet Explorer (IE) to the Chromium-made Edge “might interfere with your existing setup” if they were using Legacy Browser Support. (That latter is the baked-into-Chrome functionality that sends links on an administrator-made list to IE for that browser to open.)
Google advised IT administrators to disable the IE-to-Edge redirection by setting the Edge policy RedirectSitesFromInternetExplorerRedirectMode to 0.
Also, said Google, Chrome 87 will be the first version able to complete remote commands sent by IT admins via Chrome Browser Cloud Management. That capability, which might be used, say, to remote clearly browsers’ caches or delete their cookies, will “come to the Admin console in the future.”