Chrome 88
Google earlier this week released Chrome 88, adding capabilities to the browser's password manager; streamlining permission requests from sites that asked, say, to switch on the microphone; and for enterprises, ending support for an add-on that called up Microsoft's Internet Explorer (IE) to render old intranet websites and legacy apps.
The Mountain View, Calif. search giant also paid out more than $81,000 in bounties to security researchers who reported some of the 36 vulnerabilities addressed in Chrome 88. One of the bugs was marked "Critical," Google's top-most threat level (and resulted in a $30,000 reward to its finder, researcher Rory McNamara). Nine others were tagged as "High," the second-most-serious ranking. A number of the bounties — 10, including three of those labeled "High" — had not yet been assigned a dollar amount, so Google's final payout will certainly be higher than the acknowledged total.
Because Chrome updates in the background, most users can finish a refresh by relaunching the browser. To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a "Relaunch" button. People new to Chrome can download version 88 for Windows, macOS and Linux directly. The Android and iOS browsers can be found in the Google Play and App Store e-markets, respectively.
Google updates Chrome about every six weeks; the previous upgrade was released Nov. 17.
Check passwords inside Chrome
Google drew the most attention to changes to Chrome's password manager, dedicating a post in the company's security blog to the improvements. "As we kick off the New Year, we're excited to announce new updates that will give you even greater control over your passwords," said Ali Sarraf, a Chrome product manager, in that post.
Chrome, like every other major browser, has long sported a baked-in password manager; Google has used earlier upgrade cycles to brace up that manager, making it equivalent, more or less, to those in rivals Edge (Microsoft) and Firefox (Mozilla).
In Chrome 88, the integrated password manager — reached by clicking the key-like icon after clicking the user account in the upper right — boasts an in-browser password checker that quickly identifies weak passwords and/or those which probably have been revealed in past data breaches. (This service, dubbed "Safety Check," debuted in May 2020; Google claimed that since then, it's seen a 37% reduction in compromised credentials stored in its browser.)
Depending on the result of the check, one or more of the stored-in-Chrome passwords may be labeled "Change password." This is the second improvement in Chrome 88's password infrastructure. "Starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome's Android app will be getting this feature soon, too)," Sarraf said.
Clicking on the "Change password" box beside a weak or previously-revealed account will, most of the time though not always, take the user to the pertinent website's log-in screen or even the page for creating a new password.
"The new features with Chrome 88 will be rolled out over the coming weeks," noted Sarraf, referring to Google's usual in-stages upgrades, a cautionary approach that prevents the entire user base from being affected by an unexpected bug or even customer blowback.
New permission chip, not slip
Google seeded Chrome 88 with a new permissions request that the firm called a "chip" to differentiate it from the usual pop-up prompt. "This change will be rolled out gradually throughout Chrome 88," Google said in the browser's release notes.
The chip, a small UI element at the left end of the address bar, is less intrusive than the typical pop-up. (When Computerworld enabled the chip, it appeared as a blue oval enclosing the words "Use your location?" After a few moments, the oval shrunk to a small blue circle. Clicking on the chip displayed the usual location request pop-up.)
"Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt," Google said after arguing that many users immediately dismiss such permission requests simply to clear the screen.
Users whose copy of Chrome hasn't yet received the chip update will have to type chrome://flags, search for #permission-chip, change the field at the right to "Enabled" and relaunch the browser to see the feature.
On the enterprise side...
Google disabled all installed copies of the Legacy Browser Support (LBS) add-on with Chrome 88. Now coded into Chrome, LBS was designed so IT admins could deploy Google's browser but still call up IE to render apps or sites that need that browser.
LBS — the extension, not the technology itself — has been on a road to extinction for some time and accelerated from Chrome 85 on. At this point, even enterprise policies that allowed IT staff to force install the add-on or mandate its continued operation no longer work.
Chrome has its work cut out here as even with LBS now part of the browser, it's at a substantial disadvantage to Edge and Microsoft's IE mode. That's largely because Edge and IE mode are tied to Windows 10's Enterprise Mode Site List and the latter's myriad configuration options.
More information about using LBS with Chrome can be found here.
Elsewhere in the release notes for Chrome 88, Google reminded users that the macOS version of the browser requires OS X 10.11 (aka "El Capitan") or later. Chrome will no longer run on Macs powered by 2014's OS X 10.10, better known as Yosemite. This edition of Chrome also is the first to support extensions written in the new Manifest V3 format, which Google has declared will be more secure than the current add-on framework and offer users more granular control over extensions' impact on privacy.
The next upgrade, Chrome 89, will be released in six weeks, on March 2.