Chrome 64 is out

Google just announced the new final release of Chrome for Android and all other platforms. A detailed changelog can be found here. Security updates were one focus of this release: Meltdown and Spectre got fixes, alongside several other WebGL- and URL-related fixes. Starting with Chrome 64, autoplay videos are disabled by default.



  • [$3000][780450] High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
  • [$2000][787103] High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
  • [$1000][793620] High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09
  • [$4000][784183] Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein on 2017-11-12
  • [$2500][797500] Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
  • [$2000][789952] Medium CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK’s National Cyber Security Centre (NCSC) on 2017-11-30
  • [$1000][753645] Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09
  • [$1000][774174] Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
  • [$1000][775527] Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
  • [$1000][778658] Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-26
  • [$500][760342] Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
  • [$500][773930] Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
  • [$500][785809] Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
  • [$TBD][797497] Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
  • [$TBD][798163] Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
  • [$TBD][799847] Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08
  • [$500][763194] Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08
  • [$500][771848] Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05
  • [$500][774438] Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-13
  • [$500][774842] Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15
  • [$N/A][441275] Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11
  • [$N/A][615608] Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28
  • [$N/A][758169] Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23
  • [$N/A][797511] Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24
  • [$N/A][805285] Various fixes from internal audits, fuzzing and other initiatives


The official changelog for the Android version is not as long as the rest, but Google notes on its blog that Chrome 64 for Android prevents sites with abusive ad experiences from opening new windows or tabs without user permission. This isn’t the integrated ad blocker yet, but it is a technique that blocks, for example, website requests the user can’t control, such as automatic redirects. In theory it also blocks the annoying pop-ups that urge you to install fake updates.

Android v64

Audio Muting

This version also adds a new site-wide audio muting setting as part of Google’s push for more consistent media autoplay behavior. On Android, heading to Settings > Site settings will reveal a new Sound menu. Here users can mute sites from playing audio (set to Allow by default), as well as add exceptions.

Improved pop-up blocker

An easier integration was added that lets clicked play buttons and site controls be configured according to the user’s needs. Transparent overlays can also be blocked from opening new tabs or windows.



