Google Workspace Updates Weekly Recap – October 11, 2024

1 New update

Unless otherwise indicated, the features below are available to all Google Workspace customers, and are fully launched or in the process of rolling out. Rollouts should take no more than 15 business days to complete if launching to both Rapid and Scheduled Release at the same time. If not, each stage of rollout should take no more than 15 business days to complete.




Create an email for a Google Chat space from the Admin console  
Earlier this year, we introduced a new feature that enables users to send emails to spaces in Google Chat. When this launched, existing Google Group policies determined by the domain admin were respected. For example, if the admin restricted group creation in their organization, users would also be restricted from generating emails for spaces in Chat. To improve upon this experience, we’re happy to announce that admins can now create an email for a space from the Admin console. To do so, navigate to Google Chat > 'Manage spaces' > select a space > 'Space settings' > click 'Generate email' to create an email address for the space. In addition, email conversations sent to spaces will now show replies in a thread instead of as separate cards in the message stream. | The Admin console update is rolling out now to Rapid Release and Scheduled Release domains. Threading for emails in spaces will rollout to Rapid Release and Scheduled Release domains starting on October 17, 2024. | Available to all Google Workspace customers. | Visit the Help Center to learn more about sending emails to spaces in Chat.
Generating a space email in the Admin console
Generating an email in the Admin console



Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


New document tabs in Google Docs provide a better way to organize your documents 
We’ve introduced document tabs in Google Docs, a new feature to help you organize longer documents, centralize information, and make collaboration easier. | Learn more about tabs in Docs. 


New and improved widgets for Google Chat app cards 
This week, we introduced new and improved widgets for Chat app cards. | Learn more about widgets for Chat app cards. 


Ask responders for a rating in Google Forms 
To add to the list of question types that users can respond to in Google Forms and enable the collection of feedback in a more engaging way, we’re introducing a rating question type. | Learn more about rating questions in Forms.


Send video messages in Google Chat 
We’re introducing video messages in Chat, a new capability that helps you save time, convey more information, add tone or emphasis, and can be useful in a number of scenarios. | Learn more about video messages in Chat. 


Transcriptions now available for voice messages in Google Chat 
Users will now be able to see an automatic transcription of voice messages in Chat on web and mobile. | Learn more about Chat transcriptions. 


Automate meeting recording, transcripts and notes for your Google Meet meetings 
Admins now have the option to configure meeting recordings, meeting transcripts, and “take notes for me” as on by default for newly created meetings. Meeting hosts and co-hosts can edit these settings in the Calendar invite, as well as turn these artifacts off during the meeting. | Learn more about automating meeting recordings, transcripts and notes for meetings. 


Third-party smart chips now available in Google Sheets
Users can now add smart chips that pull information from third party apps into Sheets, and also paste third-party chips inserted in Docs directly into a spreadsheet. | Learn more about third-party smart chips in Sheets. 


Easily find and connect to featured partner apps from the Google Workspace Marketplace 
We’re adding a new category within the Google Workspace Marketplace: Featured partner apps. Here, you can quickly find and install the most popular Google Workspace apps. | Learn more about partner apps Marketplace.


Available in open beta: Easily migrate files from Microsoft OneDrive to Google Drive
Under the umbrella of our data migration services, we’re introducing a new file migration service for Admins to transfer files between OneDrive data to Google Drive for up to 100 users at a time. | Learn more about migrating files from OneDrive to Google Drive.


Improve Google Meet livestreaming experience with more insight on eCDN performance
We’re enhancements that will give admins greater insight to better optimize their eCDN configuration. | Learn more about Meet livestreaming. 



Completed rollouts

The features below completed their rollouts to Rapid Release domains, Scheduled Release domains, or both. Please refer to the original blog posts for additional details.


Rapid Release Domains: 
Scheduled Release Domains: 
Rapid and Scheduled Release Domains: 
For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).   


Improve Google Meet livestreaming experience with more insight on eCDN performance

What’s changing 

In July 2024, we introduced Enterprise Content Delivery Network (eCDN) support for Google Meet, which helps reduce live streaming bandwidth consumption to a fraction of the traffic volume. Today, we are announcing enhancements that will give admins greater insight to better optimize their eCDN configuration. 


eCDN is deployed according to settings and rules configured by admins to control and optimize peering across their network topology. Beginning today, admins can turn on client debug logs in the Admin console to get detailed information and better understand how configurations affect the way clients use eCDN in different parts of their private network. This information includes:
  • Device status: information about the client's current state.
  • Network: information about the network assigned to the client (potentially through a custom rule configuration).
  • Stats: performance information about how the client has used the eCDN such as transfer rates and peer connections.

Who’s impacted

Admins

Why you’d use it

Understanding how peering rules affect the way clients use eCDN is vital for achieving bandwidth savings targets. Access to detailed information lets administrators deploy eCDN faster across their subnets while all the time being able to monitor that their rules have the intended effect. Additionally, in cases where support is needed, the information contained in the debug logs helps with troubleshooting to resolve issues faster.

Getting started

Available in open beta: Easily migrate files from Microsoft OneDrive to Google Drive

What’s changing

Under the umbrella of our data migration services, we’re introducing a new file migration service for Admins to transfer files between OneDrive data to Google Drive for up to 100 users at a time. Available directly under the Admin console, super admins can now migrate all your files and folders, as well as their corresponding access permissions with shared members. Starting a migration entails a few simple steps:

  • First, connect to the Microsoft OneDrive account you want to transfer files from
  • Next, set the migration scope by identifying the email addresses of Microsoft OneDrive users that you wish to migrate.
  • Finally, create an identity map to connect users on the source account to users on the target account.


Admin console > Data > Data import & export > Data migration > Go to data migration > Microsoft OneDrive





The console will provide reporting on the migration progression and metrics such as how many users have been processed, how many files have been migrated or skipped, and more. You’ll also have the option to export a migration report to further investigate errors and access troubleshooting tips directly from the tool. You can also make delta updates to migrate any new files that were added or updated after a previous migration. 

Example of a completed migration

Who’s impacted

Admins

Why you’d use it 

Data migrations play a critical role in ensuring a seamless transition between various tools and Google Workspace for both admins and end users. Workspace now offers a first party solution that allows our customers to migrate their data at scale, and without the need for third-party workarounds or on-premises infrastructure. This will significantly reduce the overall migration process and onboarding time to Google Workspace, saving customers considerable administrative and infrastructural costs. Additionally, it ensures minimal interruption for end users, who will be able to access all of their files and documents within Google Drive.

Getting started

  • Admins: This feature is available in open beta - no additional sign-up is required to use the feature. This migration can only be performed by super admins. Visit the Help Center to learn more about migrating files from a OneDrive account.
  • End users: There is no end user action required.

Rollout pace

Availability

Available to Google Workspace 
  • Business Starter, Standard, Plus
  • Enterprise Standard, Plus
  • Education Fundamentals, Standard, Plus, the Teaching and Learning Upgrade
  • Essentials Starter, Enterprise Essentials, Enterprise Essentials Plus
  • Nonprofits

Resources


New data retention policy for Google Ads

Starting November 13th, Google Ads will be implementing a new data retention policy. All account data, including performance metrics, billing information, and historical reports, will now be retained for a period of 11 years.

This means that when querying the Google Ads API using either GoogleAds.Search or GoogleAds.SearchStream you will only be able to retrieve data up to 11 years before the date of your API request and data before that will not be returned.

Required actions

If you need historical data for more than 11 years ago, we recommend you retrieve it and store it before November 13th, 2024.

Otherwise, no action is required on your end. This update will be applied automatically to your account and GoogleAds.Search and GoogleAds.SearchStream continue to work as usual.

However, be aware that you may notice differences in your reporting due to different values being returned.

If you have any questions or concerns, please don't hesitate to contact us via the forum.

Using Chrome’s accessibility APIs to find security bugs

Chrome’s user interface (UI) code is complex, and sometimes has bugs.

Are those bugs security bugs? Specifically, if a user’s clicks and actions result in memory corruption, is that something that an attacker can exploit to harm that user?

Our security severity guidelines say “yes, sometimes.” For example, an attacker could very likely convince a user to click an autofill prompt, but it will be much harder to convince the user to step through a whole flow of different dialogs.

Even if these bugs aren’t the most easily exploitable, it takes a great deal of time for our security shepherds to make these determinations. User interface bugs are often flakey (that is, not reliably reproducible). Also, even if these bugs aren’t necessarily deemed to be exploitable, they may still be annoying crashes which bother the user.

It would be great if we could find these bugs automatically.

If only the whole tree of Chrome UI controls were exposed, somehow, such that we could enumerate and interact with each UI control automatically.

Aha! Chrome exposes all the UI controls to assistive technology. Chrome goes to great lengths to ensure its entire UI is exposed to screen readers, braille devices and other such assistive tech. This tree of controls includes all the toolbars, menus, and the structure of the page itself. This structural definition of the browser user interface is already sometimes used in other contexts, for example by some password managers, demonstrating that investing in accessibility has benefits for all users. We’re now taking that investment and leveraging it to find security bugs, too.

Specifically, we’re now “fuzzing” that accessibility tree - that is, interacting with the different UI controls semi-randomly to see if we can make things crash. This technique has a long pedigree.

Screen reader technology is a bit different on each platform, but on Linux the tree can be explored using Accerciser.

Screenshot of Accerciser showing the tree of UI controls in Chrome

All we have to do is explore the same tree of controls with a fuzzer. How hard can it be?

“We do this not because it is easy, but because we thought it would be easy” - Anon.

Actually we never thought this would be easy, and a few different bits of tech have had to fall into place to make this possible. Specifically,

  • There are lots of combinations of ways to interact with Chrome. Truly randomly clicking on UI controls probably won’t find bugs - we would like to leverage coverage-guided fuzzing to help the fuzzer select combinations of controls that seem to reach into new code within Chrome.
  • We need any such bugs to be genuine. We therefore need to fuzz the actual Chrome UI, or something very similar, rather than exercising parts of the code in an unrealistic unit-test-like context. That’s where our InProcessFuzzer framework comes into play - it runs fuzz cases within a Chrome browser_test; essentially a real version of Chrome.
  • But such browser_tests have a high startup cost. We need to amortize that cost over thousands of test cases by running a batch of them within each browser invocation. Centipede is designed to do that.
  • But each test case won’t be idempotent. Within a given invocation of the browser, the UI state may be successively modified by each test case. We intend to add concatenation to centipede to resolve this.
  • Chrome is a noisy environment with lots of timers, which may well confuse coverage-guided fuzzers. Gathering coverage for such a large binary is slow in itself. So, we don’t know if coverage-guided fuzzing will successfully explore the UI paths here.

All of these concerns are common to the other fuzzers which run in the browser_test context, most notably our new IPC fuzzer (blog posts to follow). But the UI fuzzer presented some specific challenges.

Finding UI bugs is only useful if they’re actionable. Ideally, that means:

  • Our fuzzing infrastructure gives a thorough set of diagnostics.
  • It can bisect to find when the bug was introduced and when it was fixed.
  • It can minimize complex test cases into the smallest possible reproducer.
  • The test case is descriptive and says which UI controls were used, so a human may be able to reproduce it.

These requirements together mean that the test cases should be stable across each Chrome version - if a given test case reproduces a bug with Chrome 125, hopefully it will do so in Chrome 124 and Chrome 126 (assuming the bug is present in both). Yet this is tricky, since Chrome UI controls are deeply nested and often anonymous.

Initially, the fuzzer picked controls simply based on their ordinal at each level of the tree (for instance “control 3 nested in control 5 nested in control 0”) but such test cases are unlikely to be stable as the Chrome UI evolves. Instead, we settled on an approach where the controls are named, when possible, and otherwise identified by a combination of role and ordinal. This yields test cases like this:

action { path_to_control { named { name: "Test - Chromium" } } path_to_control { anonymous { role: "panel" } } path_to_control { anonymous { role: "panel" } } path_to_control { anonymous { role: "panel" } } path_to_control { named { name: "Bookmarks" } } take_action { action_id: 12 } }

Fuzzers are unlikely to stumble across these control names by chance, even with the instrumentation applied to string comparisons. In fact, this by-name approach turned out to be only 20% as effective as picking controls by ordinal. To resolve this we added a custom mutator which is smart enough to put in place control names and roles which are known to exist. We randomly use this mutator or the standard libprotobuf-mutator in order to get the best of both worlds. This approach has proven to be about 80% as quick as the original ordinal-based mutator, while providing stable test cases.

Chart of code coverage achieved by minutes fuzzing with different strategies

So, does any of this work?

We don’t know yet! - and you can follow along as we find out. The fuzzer found a couple of potential bugs (currently access restricted) in the accessibility code itself but hasn’t yet explored far enough to discover bugs in Chrome’s fundamental UI. But, at the time of writing, this has only been running on our ClusterFuzz infrastructure for a few hours, and isn’t yet working on our coverage dashboard. If you’d like to follow along, keep an eye on our coverage dashboard as it expands to cover UI code.

Easily find and connect to featured partner apps from the Google Workspace Marketplace

What’s changing 

We’re adding a new category within the Google Workspace Marketplace: Featured partner apps. Here, you can quickly find and install the most popular Google Workspace apps.


Getting started