Google on Tuesday announced improved cookie protections in Chrome on Windows and rolled out a Chrome 127 security update to resolve three vulnerabilities reported by external researchers.
According to Google’s advisory, the most severe of the resolved security defects is CVE-2024-6990, a critical-severity uninitialized use issue in Dawn, the open-source implementation of the WebGPU standard.
The remaining two flaws are high-severity bugs: an out-of-bounds read in WebTransport (CVE-2024-7255), and insufficient data validation in Dawn (CVE-2024-7256).
Google says it has yet to determine the bug bounty amounts to be paid to the reporting researchers. The latest Chrome iteration is now rolling out as versions 127.0.6533.88/89 for Windows and macOS, and as version 127.0.6533.88 for Linux.
Google makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to update their browsers as soon as possible.
After announcing last week that it will keep third-party cookies in Chrome, the internet giant has introduced a new protection in Chrome 127 on Windows to prevent information stealers and other malicious applications from accessing browser cookies.
Following the introduction of Device Bound Session Credentials (DBSC) in April to prevent cookie theft by binding browser authentication sessions to the device, Google is now adding Application-Bound (App-Bound) Encryption primitives to improve the Data Protection API (DPAPI) used on Windows for cookie protection.
“Rather than allowing any app running as the logged in user to access this data, Chrome can now encrypt data tied to app identity,” the internet giant explains.
While Chrome 127 migrates cookies to this new system, future browser releases will expand the protection to passwords, authentication tokens, and payment data, to better protect users’ secrets from infostealers.
“App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app’s identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail,” the company explains.
The App-Bound service runs with system privileges, which means that simply installing a malicious application will not be enough to steal the secrets. Instead, the malware needs system privileges or needs to inject code into Chrome, either of which makes it susceptible to antivirus detection.
The protection, which works in tandem with event logs for cookie decryption, is particularly effective in enterprise environments where users are not allowed to run files with administrator privileges, meaning that malware cannot request elevated privileges.
However, because App-Bound Encryption binds the encryption key to the machine, it will not work if Chrome profiles roam between multiple systems, Google explains.
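The binding described above, and the roaming limitation that follows from it, can be shown with a simplified model. This is an added example, not Chrome's or Google's code: the `AppBoundService` class, the identity strings, the blob layout and the hash-based keystream are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class AppBoundService:
    """Toy stand-in for the privileged service; not Chrome's implementation."""

    def __init__(self):
        # Per-machine secrets held only by the service (assumption of this model).
        self._enc_key = os.urandom(32)
        self._mac_key = os.urandom(32)

    def _keystream(self, nonce, length):
        # SHA-256 in counter mode; illustrative only, real code needs a vetted AEAD.
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self._enc_key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def _tag(self, body):
        return hmac.new(self._mac_key, body, hashlib.sha256).digest()

    def encrypt(self, caller_identity, secret):
        # caller_identity is established by the service itself, never claimed by the caller.
        ident = caller_identity.encode()
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(nonce, len(secret))))
        body = len(ident).to_bytes(2, "big") + ident + nonce + ct
        return body + self._tag(body)

    def decrypt(self, caller_identity, blob):
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(body)):
            raise PermissionError("blob tampered with or sealed on another machine")
        n = int.from_bytes(body[:2], "big")
        bound, nonce, ct = body[2:2 + n], body[2 + n:18 + n], body[18 + n:]
        if not hmac.compare_digest(bound, caller_identity.encode()):
            raise PermissionError("caller is not the application that sealed this data")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def try_decrypt(service, caller_identity, blob):
    """Return the plaintext, or the refusal reason as a string."""
    try:
        return service.decrypt(caller_identity, blob)
    except PermissionError as exc:
        return str(exc)
```

In this model, a blob sealed for one identity is refused for any other caller, and a second `AppBoundService` instance (standing in for another machine) rejects the same blob because it holds different keys.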
“App-Bound Encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system. It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system,” Google notes.