Google says its new Chrome 63 brings a major enterprise security boost.
With Chrome 63, businesses can also configure policies to restrict access to extensions based on the permissions required.
Google’s latest effort to pry businesses off Internet Explorer and keep them away from Windows 10 Edge is a new security feature called site isolation, which handles each page in its own process.
With the release of Chrome 63, enterprise admins will be able to configure Chrome to render content for each site in its own dedicated process.
As Google notes, keeping each site isolated from other sites in Chrome offers enterprises the strongest security. The technique is designed to thwart attacks that exploit vulnerabilities in the renderer process to run malicious code inside Chrome’s render sandbox and steal information.
However, it does come with a significant overhead, bumping up Chrome’s memory usage on PCs by between 10 and 20 percent.
Chrome’s optional, per-site isolation comes as Microsoft continues to harden Windows 10 Edge using hardware-based virtualization through tools such as Windows Defender Application Guard (WDAG), which allow Edge to run in an isolated hardware environment.
In October, Microsoft argued that WDAG marked a major breakthrough in sandbox technology since it offers a shield against attacks on the kernel, which is unprotected if an attack escapes the browser sandbox.
The good news for end-users is that Google and Microsoft are competing fiercely on the security front, adopting different approaches to protect against new attacks.
The one-site-per-process feature has been an equally important project for Chrome. Justin Schuh, engineering lead for Chrome security, said earlier this year that site isolation was the biggest difference in Google’s approach to security and would make it superior to Microsoft’s new Edge defenses. The technology promises to prevent remote code execution inside Chrome’s renderer sandbox.
Admins can choose to turn on Chrome’s site isolation for all sites, or select a list of websites that will each run in their own rendering process. Google suggests including sites that users log into and important sites such as productivity sites or the intranet.
Chrome now also offers admins the ability to set a policy that blocks access to extensions based on the permissions they require.
This feature adds to the existing ability to whitelist and blacklist particular Chrome extensions. Admins have a large selection of permissions to block, including audio capture, USB, and video capture.
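As an added example (not from the article or from Google’s documentation), here are the two policies just described, selective site isolation and blocking of extension permissions, as a managed-policy file of the kind Chrome reads from /etc/opt/chrome/policies/managed/ on Linux; the keys SitePerProcess, IsolateOrigins and ExtensionSettings are Chrome enterprise policy names, while the origins are placeholder values.

```json
{
  "IsolateOrigins": "https://intranet.example.com,https://mail.example.com",
  "ExtensionSettings": {
    "*": {
      "blocked_permissions": ["audioCapture", "videoCapture", "usb"]
    }
  }
}
```

Setting "SitePerProcess": true instead isolates every site and makes the IsolateOrigins list unnecessary; on Windows the same keys are deployed through Group Policy or the registry, and chrome://policy shows whether they loaded without errors.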
Additionally, Chrome 63 introduces Transport Layer Security version 1.3, which is enabled for Gmail in the updated browser.
Google is bringing NTLMv2 support to Mac, Linux, Android and Chrome OS. NTLM, or NT LAN Manager, is a Microsoft authentication protocol for Windows.
Chrome 64, due out in early 2018, includes support for NTLMv2 and Extended Protection for Authentication. This brings Chrome on those non-Windows platforms to the same level as Chrome on Windows.
The company will also offer admins some leeway on an incoming crackdown on antivirus software that injects code into Chrome processes. Google argues that this is an outdated practice that causes crashes.
Chrome warnings will advise users to uninstall the antivirus. Google is encouraging vendors to use other methods, such as Chrome extensions and Native Messaging. Starting with Chrome 66 in April 2018, users may see a notification to update or remove the offending application.
To cater to businesses, Google will offer a new policy that gives admins extended support for critical apps that need to inject code into Chrome to function.
Finally, Chrome 63 includes fixes for 37 vulnerabilities. Google paid researchers $46,174 for reporting the Chrome bugs, including an award to Microsoft’s Offensive Security Research Team.