Google this week released Chrome 66 for Windows, macOS and Linux, patching 62 vulnerabilities, banning older site certificates issued by security giant Symantec, and refusing to run auto-play content unless the volume was muted.
Chrome updates in the background, so users only need to relaunch the browser to install the latest version. (To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download-and-upgrade process before presenting a "Relaunch" button.) Those new to Chrome can download it from this Google site.
The Mountain View, Calif. company updates Chrome every six or seven weeks. It last upgraded the browser on March 6.
While some Chrome upgrades, like version 65, are almost entirely about under-the-hood changes, others feature oh-so-obvious new functionality. Still other upgrades boast a mix-a-lot blend of the two. Chrome 66 is definitely in that third camp.
The most visible Chrome 66 enhancement is the arrival of Google's long-discussed ban on auto-play content that dared blare sound from the speakers. Chrome's blockade of such content was first announced last year, when version 64 was to debut the feature. But the mandate did not go live in January, as expected, nor in March with Chrome 65. The ban has finally been made the default in Chrome 66.
Some exceptions apply: If the user clicks or taps (desktop or mobile, respectively), "somewhere on the site during the browsing session," the audio will play. On personal computers, Google tracks behavior and "if the user has frequently played media on the site, according to the Media Engagement Index" (MEI), audio will play. The MEI, according to a Google explanatory document, "provide[s] a metric reflecting the engagement of a given user with regards to media playback on a given origin." The goal, said Google, is to let websites with high MEI scores bypass the no-sound-in-autoplay-content rule. Users can peruse their MEI status by typing chrome://media-engagement into Chrome's
Chrome 66 also sports some under-the-covers newness, including a trial of "Site Isolation" in preparation for a broader launch later. Site Isolation, which was revealed in December, is a new security technology meant to mitigate risks posed by Spectre, the processor vulnerability sniffed out by Google's own engineers earlier in 2017.
The optional defense - users must manually switch it on - will eventually be made the default in Chrome. But first Google wants to test it on a limited pool of users after addressing earlier issues when it was enabled. Users can decline to participate in the trials by typing chrome://flags/#site-isolation-trial-opt-out in the address bar and then changing "Default" to "Opt-out (not recommended)."
Another big background alteration in Chrome 66 is the move to mark as untrustworthy older digital certificates from Symantec. With its newest version, Chrome labels Symantec-issued certificates generated before June 1, 2016, as insecure. Websites that failed to replace those certificates may be affected as the browser spews messages, some explicit, others subtler, telling users that the connection between them and the destination is insecure, and thus potentially dangerous.
Later this year, Chrome 70 - now set to roll out during the week of Oct. 14-20 - will distrust every Symantec certificate, no matter when it was issued.
The dispute between Google and Symantec over certificates, and Chrome's ban, goes back to 2015, when several browser makers, Google included, accused Symantec and its partners of improperly issuing certificates. Google, for one, concluded that Symantec's problems were endemic.
Google also patched more than 60 security vulnerabilities in version 66, including two marked as "Critical," the most serious ranking in the company's four-step system, and six tagged as "High." The two critical vulnerabilities were reported by researcher Ned Williamson, on March 28 and 30; Google's fast patching was almost certainly due to their seriousness.
Google shelled out $34,000 for reporting 19 of the bugs, with several bounties, including Williamson's, still to be decided.
Chrome's next upgrade, version 67, should start reaching users May 29.