December 11, 2023

Google released Chrome 112, a new stable version of the company’s web browser, to the Stable channel. Chrome 112 is a security update first and foremost, but it does include new features and changes as well.

The following versions should be listed after the update:

  • Chrome for Linux and Mac: 112.0.5615.49
  • Chrome for Windows: 112.0.5615.49 or 112.0.5615.50
  • Chrome for Android: 112.0.5615.47 or 112.0.5615.48
  • Chrome for iOS: 112.0.5615.46

This update includes 16 security fixes. Below, we highlight fixes that were contributed by external researchers.

High Severity CVE-2023-1810: Heap buffer overflow in Visuals.

  • High Severity CVE-2023-1811: Use after free in Frames.
  • Medium severity CVE-2023-1812: Out of bounds memory access in DOM Bindings.
  • Medium severity CVE-2023-1813: Inappropriate implementation in extensions.
  • Medium severity CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing.
  • Medium severity CVE-2023-1815: Use after free in Networking APIs.
  • Medium severity CVE-2023-1816: Incorrect security UI in Picture In Picture.
  • Medium severity CVE-2023-1817: Insufficient policy enforcement in Intents.
  • Medium severity CVE-2023-1819: Out of bounds read in Accessibility.
  • Medium severity CVE-2023-1818: Use after free in Vulkan.
  • Medium severity CVE-2023-1820: Heap buffer overflow in Browser History.
  • Low severity CVE-2023-1821: Inappropriate implementation in WebShare.
  • Low severity CVE-2023-1822: Incorrect security UI in Navigation.
  • Low severity CVE-2023-1823: Inappropriate implementation in FedCM.

Google makes no mention of exploits in the wild. While that is reassuring, it is still suggested to update to the latest Chrome version as soon as possible to protect the browser against potential attacks targeting the security issues.

The Chrome Status page for Chrome 112 lists developer related changes for the most part:

  • Deprecate the `document.domain` setter. (Deprecated)
  • Add optional submitter parameter to FormData constructor
  • CSS animation-composition property
  • CSS Nesting
  • RegExp v flag with set notation + properties of strings
  • “Reload this page” infobar no longer shown if top-level frame is observing permission changes
  • WebAssembly Tail Call
  • WebGLContextEvent on Web Workers
  • Add containerName and containerQuery, update conditionText (behind flag)
  • background-blur (behind flag)
  • Deprecate non-standard `shadowroot` attribute for declarative shadow DOM (behind flag)
  • FedCM: Auto re-authentication (behind flag)
  • APIPayment handler minimal header UX (behind flag)
  • “Reload this page” infobar no longer shown if top-level frame is observing permission changes (behind flag)
  • WebAssembly Garbage Collection (WasmGC) (Origin trial)
  • [WebRTC] Unship deprecated “track” and “stream” stats from getStats() (Origin trial)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.