Google Reveals New ‘MacOS’ Security Boost For 1 Billion Windows Users – 31 July

Google acknowledges a serious vulnerability in its software and then releases an update that makes it more “like macOS.” It really is a big deal when Chrome, Google’s trillion-dollar marketing machine, runs on Microsoft Windows.

“Cybercriminals use cookie theft infostealer malware to threaten our users’ safety and security,” Will Harris from Chrome’s Security Team wrote on Tuesday. “Today, we are announcing another layer of protection that will make Windows users safer from this type of malware.”

There’s one other noteworthy aspect of this update: cookies. In this month’s headlines, Google has thrust the nasty tracking cookies into the spotlight. The update itself concerns session cookies, which authenticate your identity as you move between apps without logging in again.

“Chrome currently secures sensitive data like cookies and passwords using the strongest security methods the OS makes available to us,” Harris explains. “In Windows, Chrome uses the Data Protection API (DPAPI) to protect data at rest against cold boot attacks or other users on the system. The DPAPI does not prevent malicious applications from running code as the logged-in user, which infostealers exploit.”

Chrome’s proposal, described as “a new protection for Windows,” updates DPAPI to introduce “application-bound” encryption. On Windows, Chrome will encrypt data tied to app identity, similar to macOS’s Keychain.
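A toy model of the two key scopes described above, added here as an illustration; it is not Chrome's or Windows' code. The `Process` type, the identity strings and the hand-rolled cipher are assumptions made for the sketch.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the per-user secret the OS keeps for a logged-in user.
USER_SECRET = {"alice": os.urandom(32)}

@dataclass(frozen=True)
class Process:
    user: str    # account the process runs as
    app_id: str  # identity the OS reports for the process, not a value the caller supplies

def user_scoped_key(proc):
    # DPAPI-like scope as the article describes it: the key depends only on the user.
    return hmac.new(USER_SECRET[proc.user], b"user", hashlib.sha256).digest()

def app_bound_key(proc):
    # Application-bound scope: the application identity is mixed into the key.
    label = b"app|" + proc.app_id.encode()
    return hmac.new(USER_SECRET[proc.user], label, hashlib.sha256).digest()

def _mac(key, data):
    return hmac.new(key, b"mac" + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy stream cipher for this model only; not suitable for real data.
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(proc, plaintext, scope):
    key, nonce = scope(proc), os.urandom(16)
    body = nonce + _xor_stream(key, nonce, plaintext)
    return _mac(key, body) + body

def unprotect(proc, blob, scope):
    key, tag, body = scope(proc), blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _mac(key, body)):
        raise PermissionError(f"{proc.app_id}: blob is not bound to this caller")
    return _xor_stream(key, body[:16], body[16:])

def can_read(proc, blob, scope):
    try:
        unprotect(proc, blob, scope)
        return True
    except PermissionError:
        return False

browser = Process("alice", "browser")      # constructed application identities
other_app = Process("alice", "other-app")  # a different program, same logged-in user
cookie = b"session=constructed-value"
```

The model assumes the identity in `app_id` comes from the OS and cannot be claimed by the caller; code that runs inside the protected application itself is outside what it shows.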

The new security will begin protecting cookies with Chrome 127, and Google says it will be expanded in future releases to passwords, payment data, and persistent authentication tokens, further protecting users from infostealer malware. This isn’t necessarily a catch-all, but it will make attacks harder to carry out and easier to detect.

Theft of session cookies is a real problem for Chrome, and there are initiatives to bind cookies to device IDs. This will prevent cookies stolen from one device from being used on another. Malware can, however, infect the home device itself, so that the cookie appears to be used by its authorized user. With this update, other applications on the system cannot decrypt the same data.

Chrome is so dominant across Windows that this is more of a change to the core OS than a change to the browser. Chrome’s security team did a good thing by saying a few words about Mac’s way of working, which is timely given CrowdStrike’s comparison between Windows and Mac. The bigger cookie news of the week remains those devilish tracking cookies, which may get lost in the noise.
