Google has released today version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol.
In Chrome 87, we have new APIs and updates to Chrome’s built-in Developer Tools, such as:
Support for the new Cookie Store API;
New features to allow easier modification of web fonts via CSS;
A new feature to let websites enumerate all the locally installed fonts;
Support for pan, tilt, and zoom controls on webcam streams; and,
Support for debugging WebAuthn operations via the Chrome DevTools.
NAT Slipstream attack fixes
This technique allows attackers to bypass firewalls and make connections to internal networks by tricking users into accessing malicious sites — effectively turning Chrome into a proxy for attackers.
Chrome 87 will be the first browser to block NAT Slipstream attacks by blocking access to ports 5060 and 5061, which the attack uses to bypass firewalls and network address translation (NAT) schemes.
Similar efforts are also underway at Apple and Mozilla, with fixes planned for future versions of Safari and Firefox.
Google is also following through on its plans to remove FTP support from Chrome. This process started last year, and was initially planned for Chrome 81 but due to Covid this got delayed
The FTP deprecation was rescheduled for the fall and began last month with the release of Chrome 86 when Google removed support for FTP links for 1% of Chrome’s userbase.
Google will now remove FTP support for half of Chrome’s userbase, and the browser maker plans to disable support for FTP links altogether next year, in January, with the release of Chrome 88.
Mozilla has already removed support for FTP links in Firefox earlier this year in June, with the release of Firefox 77.