Monthly Archives: July 2019

Chrome for Android Update

Hi, everyone! We've just released Chrome 76 (76.0.3809.89) for Android: it'll become available on Google Play over the next few weeks.

This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.

Krishna Govind
Google Chrome

Stable Channel Update for Desktop

The Chrome team is delighted to announce the promotion of Chrome 76 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

Chrome 76.0.3809.87 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 76.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 43 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$10000][977462] High CVE-2019-5850: Use-after-free in offline page fetcher. Reported by Brendon Tiszka on 2019-06-21
[$6000][956947] High CVE-2019-5860: Use-after-free in PDFium. Reported by Anonymous on 2019-04-26
[$3000][976627] High CVE-2019-5853: Memory corruption in regexp length check. Reported by yngwei (@yngweijw) of IIE Varas and sakura (@eternalsakura13) of Tencent Xuanwu Lab on 2019-06-19
[$3000][977107] High CVE-2019-5851: Use-after-poison in offline audio context. Reported by Zhe Jin (金哲), Luyao Liu (刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2019-06-20
[$TBD][959438] High CVE-2019-5859: res: URIs can load alternative browsers. Reported by James Lee (@Windowsrcer) of Kryptos Logic on 2019-05-03
[$5000][964245] Medium CVE-2019-5856: Insufficient checks on filesystem: URI permissions. Reported by Yongke Wang of Tencent's Xuanwu Lab on 2019-05-17
[$N/A][943494] Medium CVE-2019-5863: Use-after-free in WebUSB on Windows. Reported by Yuxiang Li (@Xbalien29) of Tencent Security Platform Department on 2019-03-19
[$N/A][964872] Medium CVE-2019-5855: Integer overflow in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-20
[$TBD][973103] Medium CVE-2019-5865: Site isolation bypass from compromised renderer. Reported by Ivan Fratric of Google Project Zero on 2019-06-11
[$500][960209] Low CVE-2019-5858: Insufficient filtering of Open URL service parameters. Reported by evi1m0 of Bilibili Security Team on 2019-05-07
[$500][936900] Low CVE-2019-5864: Insufficient port filtering in CORS for extensions. Reported by Devin Grindle on 2019-02-28
[$TBD][946260] Low CVE-2019-5862: AppCache not robust to compromised renderers. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-26
[$TBD][951525] Low CVE-2019-5861: Click location incorrectly checked. Reported by Robin Linus on 2019-04-10
[$N/A][961237] Low CVE-2019-5857: Comparison of -0 and null yields crash. Reported by cloudfuzzer on 2019-05-09
[$N/A][966263] Low CVE-2019-5854: Integer overflow in PDFium text rendering. Reported by Zhen Zhou of NSFOCUS Security Team on 2019-05-23
[$TBD][976713] Low CVE-2019-5852: Object leak of utility functions. Reported by David Erceg on 2019-06-19

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:

  • [988889] Various fixes from internal audits, fuzzing and other initiatives

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Thank you,
Abdul Syed

Chrome Fuzzer Program Update And How-To

TL;DR We increased the Chrome Fuzzer Program bonus from $500 to $1,000 as part of our recent update of reward amounts.

Chrome Fuzzer Program is a part of the Google Chrome Vulnerability Reward Program that lets security researchers run their fuzzers at scale on the ClusterFuzz infrastructure. It makes bug reporting fully automated, and the fuzzer authors get the same rewards as if they reported the bugs manually, plus an extra bonus ($1,000 as of now) on top of it for every new vulnerability.

We run fuzzers indefinitely, and some of the fuzzers contributed years ago are still finding security issues in ever changing Chrome code. This is a win-win for both sides, as security researchers do not have to spend time analyzing the crashes, and Chrome developers receive high quality bug reports automatically.

To learn more about the Chrome Fuzzer Program, let’s talk to Ned Williamson, who’s been a participant since 2017 and now works on the Google Security team.

Q: Hey Ned! It looks like you’ve received over $50,000 by participating in the Google Chrome Vulnerability Reward Program with your quic_stream_factory_fuzzer.

A: Yes, it’s true. I wrote a fuzzer for QUIC which helped me find and report two critical vulnerabilities, each worth $10,000. Because I knew my fuzzer worked well, I submitted it to the Chrome Fuzzer Program. Then, in the next few months, I received that reward three more times (plus a bonus), as the fuzzer caught several security regressions on ClusterFuzz soon after they happened.

Q: Have you intentionally focused on the areas that yield higher severity issues and bigger rewards?

A: Yes. While vulnerabilities in code that is more critical to user security yield larger reward amounts, I actually started by looking at lower severity bugs and incrementally began looking for more severe bugs until I could find critical ones. You can see this progression by looking at the bugs I reported manually as an external researcher.

Q: Would you suggest starting by looking for non-critical bugs?

A: I would say so. Security-critical code is generally better designed and more thoroughly audited, so it might be discouraging to start from there. Finding less critical security bugs and winning bounties is a good way to build confidence and stay motivated.

Q: Can you share an algorithm on how to find security bugs in Chrome?

A: Looking at previous and existing bug reports, even for non-security crashes, is a great way to tell which code is security-critical and potentially buggy. From there, if some code looks like it’s exposed to user inputs, I’d set up a fuzzing campaign against that component. After you gain experience you will not need to rely on existing reports to find new attack surface, which in turn helps you find places that have not been considered by previous researchers. This was the case for my QUIC fuzzer.

Q: How did you learn to write fuzzers?

A: I didn’t have any special knowledge about fuzzing before I started looking for vulnerabilities in Chrome. I followed the documentation in the repository and I still follow the same process today.

Q: Your fuzzer isn’t very simple compared to many other fuzzers. How did you get to that implementation?

A: The key insight in the QUIC fuzzer was realizing that the parts of the code that handled plaintext messages after decryption were prone to memory corruption. Typically, fuzzing does not perform well with encrypted inputs (it’s pretty hard to “randomly” generate a packet that can be successfully decrypted), so I extended the QUIC testing code to allow for testing with encryption disabled.

Q: Are there any other good examples of fuzz targets employing a similar logic?

A: Another example is pdf_formcalc_context_fuzzer that wraps the fuzzing input around with a valid hardcoded PDF file, therefore focusing fuzzing only on the XFA script part of it. As a researcher, you just need to choose what exactly you want to fuzz, and then understand how to execute that code properly. Looking at the unit tests is usually the easiest way to get such an understanding.

Happy fuzzing and bug hunting!
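
The harness design described in the last two answers (supply the valid outer layer yourself so the fuzzer's bytes reach the code behind it) is sketched below as an added example; it is not Chromium code and not the QUIC or PDFium fuzzer. The `TOYC` container, its parser and the modeled defect in the inner stage are constructed for illustration.

```python
import random
import struct
import zlib

MAGIC = b"TOYC"  # constructed container format, not a real file type


def parse_container(blob):
    """Outer layer: magic, declared length and CRC32 must all match."""
    if len(blob) < 12 or blob[:4] != MAGIC:
        return None
    length, crc = struct.unpack(">II", blob[4:12])
    payload = blob[12:]
    if length != len(payload) or zlib.crc32(payload) != crc:
        return None
    return payload


def run_script(payload, reached):
    """Inner stage, the code the campaign is meant to exercise."""
    reached.append(len(payload))
    depth = 0
    for byte in payload:
        if byte == ord("("):
            depth += 1
        elif byte == ord(")"):
            depth -= 1
        if depth < 0:
            # Modeled defect standing in for a real parser bug.
            raise ValueError("unbalanced close")


def naive_target(data, reached):
    """Feeds raw fuzz bytes to the outer parser; almost nothing gets through."""
    payload = parse_container(data)
    if payload is not None:
        run_script(payload, reached)


def wrap(data):
    """Builds a valid envelope around the fuzz bytes (header and checksum)."""
    return MAGIC + struct.pack(">II", len(data), zlib.crc32(data)) + data


def wrapped_target(data, reached):
    """Fuzz bytes only ever occupy the payload, so every input reaches run_script."""
    run_script(parse_container(wrap(data)), reached)


def campaign(target, runs=2000, seed=1):
    """Runs random inputs through a target; returns (inputs that reached the
    inner stage, inputs that triggered the modeled defect)."""
    rng = random.Random(seed)
    reached, findings = [], 0
    for _ in range(runs):
        size = rng.randrange(0, 32)
        data = bytes(rng.randrange(256) for _ in range(size))
        try:
            target(data, reached)
        except ValueError:
            findings += 1
    return len(reached), findings


if __name__ == "__main__":
    print("naive  :", campaign(naive_target))
    print("wrapped:", campaign(wrapped_target))
```

The same trade-off applies to any target sitting behind a checksum, signature or decryption step: the wrapped target no longer tests the outer parser, so that layer needs its own fuzz target.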

8 tips for a stress-free summer road trip

Growing up, I always looked forward to summer and the road trips I’d take with family and friends. It didn’t matter if we were trekking from Chicago to Florida or taking a scenic journey to camp at Boulder Lake in Wisconsin. We’d always make a summer jams soundtrack (on cassette), pack the car full of snacks, and stick our heads out the window to feel the cool breeze. 

These days, road trips feature my wife and son, as we explore all that California has to offer, but those old habits have remained the same.

For many people like myself, road trips will always be a quintessential part of summer. If you’re planning to hit the road for an adventure of your own, here are eight ways the Google Assistant can help you safely get things done when you’re behind the wheel (or in the back seat):

  1. Check the weather at your destination by saying “Hey Google, what’s the weather like in Yellowstone this weekend?”

  2. "Hey Google, how's traffic to downtown Charlotte?" will give you the quickest route to your destination.

  3. Give your friends an update on your arrival time by saying, “Hey Google, share my ETA with Ari.” 

  4. Stay in touch while you’re on the road by asking, “Hey Google, call Dad.” 

  5. “Hey Google, find the nearest gas station” will help you when you need to make a pit stop. Or ask your Assistant, “Hey Google, where’s the nearest coffee shop?” when you need to get your caffeine fix. 

  6. Avoid boredom with a podcast or audiobook while you're driving through remote locations. Just say, “Hey Google, play Planet Money.”

  7. Play, pause or skip through your favorite songs from services like YouTube Music, Pandora, and Spotify. 

  8. Send text messages with your voice so you can keep your eyes on the road. Just ask the Assistant, “Hey Google, send a text to Jake” or “Hey Google, read my messages.”

And it’s really easy to get started. You can access the Assistant in a variety of places, whether you’re using Google Maps for Android and iOS, Waze for Android, Android Auto, or through the new car accessory, Anker Roav Bolt. Later this year, we’re introducing the Assistant’s new driving mode, a voice-forward dashboard for Android that brings your most relevant activities—like navigation, messaging, calling, and media—front and center. 

Bonus tip: When you get home from your trip, you can always pull up specific pictures from your journey from Google Photos by asking the Assistant on your Smart Display. Give it a go by saying, “Hey Google, show me my pictures from Yosemite.”

Buckle up and remember to take plenty of pictures of your trip!

Upgrade your drive with Android Auto

As you hit the road this summer, Android Auto is sporting a new look with features that make driving more simple, personal and helpful. So grab your sunglasses and fill up your tank—here’s what you can expect.

Come on, get app-y

With the new app launcher, you can find all your favorite apps with fewer taps. The bottom left button will open the app launcher, where you'll find the familiar app icons laid out with your most commonly used apps automatically featured in the top row. Just a couple of taps and you can dive into your favorite podcast, rock out to a new song or send a message to Mom.


Tap and talk for more

You'll notice several of the icons have the Google Assistant badge. By tapping the icon, your Assistant will tell you about your calendar, give you the weather report, read you the news or set a reminder for you.


Pick up where you left off 

Whether you’re jamming to the greatest hits or deep into an interesting podcast, Android Auto will automatically start playing where you left off. Make sure you check out the many auto-enabled media apps available in Google Play.


This is the fastest route, despite the usual traffic

Never get lost again with your favorite navigation app easily accessible on your display right when you connect Android Auto. Tap on a suggested location or use the Assistant to start navigating. And if you already have a route queued up on your phone, Android Auto will automatically populate the directions and begin routing you to your destination on your display.


Don’t miss a beat... or a turn

The new navigation bar sits at the bottom of your display and lets you manage multiple apps more easily. So if you’re listening to music, you won’t miss your next turn; or if you’re following directions, you can still easily pause or skip a song. You can also jump straight to your app running in the background with one tap.


Missed calls and unread messages

On the bottom right corner, a new notification button houses all of your recent calls, messages and alerts. You can also keep in touch with friends and family, while keeping your eyes on the road. Just long press the mic button on the steering wheel, tap on the mic button on your display or say “Hey Google” to have the Google Assistant help make calls, send messages and read your notifications.


That new car smell

Android Auto is flexible and can morph itself to fit widescreen displays in cars that support it—giving you extra space for step-by-step navigation, media playback and ongoing call controls (dependent on vehicle support). Plus, the new Android Auto improves visibility with easier to read fonts as well as a new dark theme and colorful accents that match your car’s interior.


If your car has Android Auto support, you’ll start to see the new design over the next few weeks. These updates will not be reflected in Android Auto for your phone screen. We will be evolving the phone screen experience from Android Auto to the Assistant’s new driving mode in the future.

Stay tuned for this new update!

Students changing the world—this year’s Science Fair winners

When Google Science Fair launched last fall, we challenged students to channel their curiosity and ingenuity to invent, code or build a solution to a problem they’re passionate about. Thousands of students participated, and this weekend we welcomed our 24 finalists—from 14 countries around the world—to explore Google’s headquarters to reveal the winners.

These changemakers tackled issues across sustainability, healthcare, and accessibility. We saw impressive entries that used a variety of STEM disciplines—from using AI to help detect disease in plants to finding new ways to diagnose heart disease.

Ready to find out who the winners are?

  • Grand Prize: Fionn Ferreira—a West Cork, Ireland resident who wants to help save the oceans by extracting harmful microplastics from wastewater.
  • Virgin Galactic Pioneer Award: Celestine Wenardy—a student from Indonesia who set out to find affordable, non-invasive ways for members of her community to test their blood sugar levels.
  • Scientific American Innovator Award: Tuan Dolmen—a Turkish science enthusiast who found a way to harness energy from tree vibrations.
  • National Geographic Explorer Award: Aman KA and AU Nachiketh—two young scientists from India who found an eco-friendly way to coagulate rubber.
  • Lego Education Builder Award: Daniel Kazanstev—a Russian student who wanted to find a better way to help those with impaired hearing communicate with the world around them.

We were joined by a panel of judges, including our partners: Lego Education, Scientific American, Virgin Galactic and National Geographic. Mariette DiChristina, Editor in Chief of Scientific American and the chief judge for this year’s competition praised Fionn for his “tenacity and dedication to solving an important environmental problem embodies the spirit of exploration.” A big thanks to Mariette and the other judges for lending their expertise across science and engineering to help us to find the next generation of problem solvers.

Behind every ambitious student are parents and teachers (hats off to you!) who cheer them on, and push them to keep learning. And to the students, you rock. We can’t wait to see what you do next.

Beta Channel Update for Desktop

The beta channel has been updated to 76.0.3809.87 for Windows, Mac, and Linux.

A full list of changes in this build is available in the log. Interested in switching release channels?  Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Abdul Syed
Google Chrome

Local Guides made me see my hometown in a whole new way

I’m a proud and lifelong New Yorker. I’ve seen and done a lot in New York City through all my years of living here, but one of the beauties of living here is that you’re always able to see and do something new. The possibilities are endless. 

With the help and recommendations of Google Local Guides, I had the opportunity to explore my city in a new way. Local Guides are the people who share reviews, photos and more on Google Maps to help you uncover the best parts of your city. Through the recommendations they’ve shared on what to eat, see and do, I discovered everything from the best bagels to the best free activity in town. 

Hands-down, my favorite part of this experience was checking out the best view of Manhattan at Cantor Roof Garden Bar on the roof of the Metropolitan Museum of Art. Local Guides recommended this for an awesome view that isn’t swarming with tourists. There’s nothing like taking in the New York City skyline with an ice-cold drink in hand, surrounded by a beautiful garden and sculptures.

I also got to check out some unique, quirky and decidedly non-touristy souvenirs at Fishs Eddy, where local artists are behind many of the designs. And of course, I ate some of the most delicious food New York City has to offer, including the classic matzo ball soup from Russ & Daughters Cafe and an unlimited table-side service of pasta at Becco in Times Square. 

It was refreshing to see my city with a new perspective. I assumed I'd seen it all, but I learned I needed to open my mind to new experiences. Being a tourist in my own city gave me a new appreciation for the things I walk past every day. If you want to see all the spots I visited while taking in New York City, you can watch the video and follow this Google Maps list full of Local Guides’ recommendations. That way you can experience New York like a local, even if you’re not one.

Robust Neural Machine Translation

In recent years, neural machine translation (NMT) using Transformer models has experienced tremendous success. Based on deep neural networks, NMT models are usually trained end-to-end on very large parallel corpora (input/output text pairs) in an entirely data-driven fashion and without the need to impose explicit rules of language.

Despite this huge success, NMT models can be sensitive to minor perturbations of the input, which can manifest as a variety of different errors, such as under-translation, over-translation or mistranslation. For example, given a German sentence, the state-of-the-art NMT model, Transformer, will yield a correct translation.

“Der Sprecher des Untersuchungsausschusses hat angekündigt, vor Gericht zu ziehen, falls sich die geladenen Zeugen weiterhin weigern sollten, eine Aussage zu machen.”

(Machine translation to English: “The spokesman of the Committee of Inquiry has announced that if the witnesses summoned continue to refuse to testify, he will be brought to court.”),

But, when we apply a subtle change to the input sentence, say from geladenen to the synonym vorgeladenen, the translation becomes very different (and in this case, incorrect):

“Der Sprecher des Untersuchungsausschusses hat angekündigt, vor Gericht zu ziehen, falls sich die vorgeladenen Zeugen weiterhin weigern sollten, eine Aussage zu machen.”

(Machine translation to English: “The investigative committee has announced that he will be brought to justice if the witnesses who have been invited continue to refuse to testify.”).

This lack of robustness in NMT models prevents many commercial systems from being applicable to tasks that cannot tolerate this level of instability. Therefore, learning robust translation models is not just desirable, but is often required in many scenarios. Yet, while the robustness of neural networks has been extensively studied in the computer vision community, only a few prior studies on learning robust NMT models can be found in literature.

In “Robust Neural Machine Translation with Doubly Adversarial Inputs” (to appear at ACL 2019), we propose an approach that uses generated adversarial examples to improve the stability of machine translation models against small perturbations in the input. We learn a robust NMT model to directly overcome adversarial examples generated with knowledge of the model and with the intent of distorting the model predictions. We show that this approach improves the performance of the NMT model on standard benchmarks.

Training a Model with AdvGen
An ideal NMT model would generate similar translations for separate inputs that exhibit small differences. The idea behind our approach is to perturb a translation model with adversarial inputs in the hope of improving the model’s robustness. It does this using an algorithm called Adversarial Generation (AdvGen), which generates plausible adversarial examples for perturbing the model and then feeds them back into the model for defensive training. While this method is inspired by the idea of generative adversarial networks (GANs), it does not rely on a discriminator network, but simply applies the adversarial example in training, effectively diversifying and extending the training set.

The first step is to perturb the model using AdvGen. We start by using Transformer to calculate the translation loss based on a source input sentence, a target input sentence and a target output sentence. Then AdvGen randomly selects some words in the source sentence, assuming a uniform distribution. Each word has an associated list of similar words, i.e., candidates that can be used for substitution, from which AdvGen selects the word that is most likely to introduce errors in Transformer output. Then, this generated adversarial sentence is fed back into Transformer, initiating the defense stage.
First, the Transformer model is applied to an input sentence (lower left) and, in conjunction with the target output sentence (above right) and target input sentence (middle right; beginning with the placeholder “<sos>”), the translation loss is calculated. The AdvGen function then takes the source sentence, word selection distribution, word candidates, and the translation loss as inputs to construct an adversarial source example.
During the defend stage, the adversarial sentence is fed back into the Transformer model. Again the translation loss is calculated, but this time using the adversarial source input. Using the same method as above, AdvGen uses the target input sentence, word replacement candidates, the word selection distribution calculated by the attention matrix, and the translation loss to construct an adversarial target example.
In the defense stage, the adversarial source example serves as input to the Transformer model, and the translation loss is calculated. AdvGen then uses the same method as above to generate an adversarial target example from the target input.
Finally, the adversarial sentence is fed back into Transformer and the robustness loss using the adversarial source example, the adversarial target input example and the target sentence is calculated. If the perturbation led to a significant loss, the loss is minimized so that when the model is confronted with similar perturbations, it will not repeat the same mistake. On the other hand, if the perturbation leads to a low loss, nothing happens, indicating that the model can already handle this perturbation.
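
The source-side half of this loop, as an added example that is not the paper's code: a toy linear scorer stands in for Transformer, and the embeddings, substitution lists and target value are constructed. The page does not state how AdvGen ranks candidates, so the first-order (gradient) estimate of the loss increase used here is an assumption.

```python
import random

# Constructed 2-d embeddings and substitution candidates (illustrative only).
EMB = {
    "the": (0.0, 0.0), "witnesses": (0.2, 0.1),
    "summoned": (0.5, 0.5), "invited": (0.9, -0.4), "called": (0.6, 0.4),
    "refuse": (-0.5, 0.3), "decline": (-0.4, 0.9), "reject": (-0.6, 0.2),
}
CANDIDATES = {"summoned": ["invited", "called"],
              "refuse": ["decline", "reject"]}
DIM = 2


def mean_embedding(sentence):
    return [sum(EMB[w][k] for w in sentence) / len(sentence) for k in range(DIM)]


def predict(weights, sentence):
    """Toy model: linear score over the mean word embedding."""
    m = mean_embedding(sentence)
    return sum(weights[k] * m[k] for k in range(DIM))


def loss(weights, sentence, target):
    return (predict(weights, sentence) - target) ** 2


def adv_gen(weights, sentence, target, ratio=1.0, rng=None):
    """Pick positions uniformly at random, then swap each picked word for the
    candidate whose embedding shift is estimated to raise the loss the most."""
    rng = rng or random.Random(0)
    replaceable = [i for i, w in enumerate(sentence) if w in CANDIDATES]
    if not replaceable:
        return list(sentence)
    err = predict(weights, sentence) - target
    # d(loss)/d(embedding of one word); identical for every position here.
    grad = [2 * err * weights[k] / len(sentence) for k in range(DIM)]
    picked = rng.sample(replaceable, max(1, round(ratio * len(replaceable))))
    adversarial = list(sentence)
    for i in picked:
        old = EMB[sentence[i]]

        def gain(cand):
            return sum(grad[k] * (EMB[cand][k] - old[k]) for k in range(DIM))

        best = max(CANDIDATES[sentence[i]], key=gain)
        if gain(best) > 0:  # keep the original word if no candidate hurts
            adversarial[i] = best
    return adversarial


def defend(weights, sentences, target, lr=5.0, steps=200):
    """Defensive training: gradient steps on clean and adversarial inputs."""
    w = list(weights)
    for _ in range(steps):
        for s in sentences:
            err = predict(w, s) - target
            m = mean_embedding(s)
            w = [w[k] - lr * 2 * err * m[k] for k in range(DIM)]
    return w


if __name__ == "__main__":
    w0, target = [1.0, 1.0], 0.3
    clean = ["the", "witnesses", "summoned", "refuse"]
    adv = adv_gen(w0, clean, target)
    print(adv, loss(w0, clean, target), loss(w0, adv, target))
    w1 = defend(w0, [clean, adv], target)
    print(loss(w1, clean, target), loss(w1, adv, target))
```

The adversarial sentence is generated once here so the result is reproducible, and the target-side perturbation is left out.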

Model Performance
We demonstrate the effectiveness of our approach by applying it to the standard Chinese-English and English-German translation benchmarks. We observed a notable improvement of 2.8 and 1.6 BLEU points, respectively, compared to the competitive Transformer model, achieving a new state-of-the-art performance.
Comparison of Transformer model (Vaswani et al., 2017) on standard benchmarks.
We then evaluate our model on a noisy dataset, generated using a procedure similar to that described for AdvGen. We take an input clean dataset, such as that used on standard translation benchmarks, and randomly select words for similar word substitution. We find that our model exhibits improved robustness compared to other recent models.
Comparison of Transformer, Miyao et al. and Cheng et al. on artificial noisy inputs.
These results show that our method is able to overcome small perturbations in the input sentence and improve the generalization performance. It outperforms competitive translation models and achieves state-of-the-art translation performance on standard benchmarks. We hope our translation model will serve as a robust building block for improving many downstream tasks, especially when those are sensitive or intolerant to imperfect translation input.

This research was conducted by Yong Cheng, Lu Jiang and Wolfgang Macherey. Additional thanks go to our leadership Andrew Moore and Julia (Wenli) Zhu‎.

Source: Google AI Blog

Limiting access to less secure apps to protect G Suite accounts

What’s changing

On October 30, 2019, we’ll begin removing the setting to “Enforce access to less secure apps for all users” from the Google Admin console. This setting should disappear from your Admin console by the end of year.

If the “Enforce access to less secure apps for all users” setting is selected for your domain when this change takes place, we’ll automatically select “Allow users to manage their access to less secure apps” instead. You’ll no longer have the option to enforce access to LSAs at the domain level.

Following this change, if you “Allow users to manage their access to less secure apps,” users will still have the option to access LSAs, provided the “Less secure app access” setting is enabled at the individual user account level. To minimize disruption in domains where we’ve automatically changed the setting from “Enforce access” to “Allow users to manage their access,” this account-level setting will be on by default at the time of the change for all active users of LSAs.

If a user has previously opted to let LSAs access their account, but no LSAs have connected to their account in some time, we’ll turn this account-level setting off for them. They can manually reenable this setting at any time (provided their admin allows them to do so).

Who’s impacted

Admins and end users

Why it’s important

We’re making this change to protect your users. LSAs connect to Google accounts using only a username and password, which makes them vulnerable to hijacking. Whenever possible, users should connect to their accounts via OAuth, a more secure method. OAuth allows third-party apps to use Google account information without seeing a user’s password, and it gives admins security controls like the ability to whitelist certain apps and offer scope-based account access.

Visit the Help Center to learn more about managing OAuth-based access to connected apps.

How to get started

  • Admins: No action is required, but we recommend the following:
    • If you currently enforce access to LSAs in your domain, change your setting to disable access or allow users to manage their access as soon as possible, as LSAs can make Google accounts vulnerable to hijackers.
    • Encourage your users to use OAuth-based protocols (like OAuth-based IMAP) to give non-Google apps access to their Google accounts, including their email, calendar, and contacts.
    • Review our list of alternatives to less secure apps.
    • Prepare your users and internal help desks for the change.
    • Update any user guides you’ve previously published to recommend the use of OAuth or to instruct users on how to turn on LSAs. 
  • End users: Visit the Help Center to learn more about LSAs and your account.

Additional details

See below for FAQs.

What is a less secure app (LSA)?
A less secure app (LSA) is an app that connects to Google accounts using only username and password verification for access and not OAuth. Generally, you should only allow your users to use external apps that connect to Google accounts via OAuth, as LSAs make user accounts more vulnerable to hijacking.

I have an app that cannot use OAuth; what do I do?
Choose the “Allow users to manage their access to less secure apps” option in the Admin console, and ensure that users who need to use the app enable the “Less secure app access” setting. We also recommend contacting the app’s developer and asking them to provide support for OAuth, as this is the more secure option.

Helpful links

Admin Help Center: Control access to less secure apps
Admin Help Center: Whitelist connected apps
End User Help Center: Less secure apps & your Google Account
Developer Guide: Using OAuth 2.0 to Access Google APIs


Rollout details
  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on October 30, 2019
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on October 30, 2019

G Suite editions
  • Available to all G Suite editions

On/off by default?
  • This setting will be removed for ALL domains by default.
    • If the “Enforce access to less secure apps for all users” setting is selected for your domain when this change takes place, we’ll automatically select “Allow users to manage their access to less secure apps” instead.
    • If the “Allow users to manage their access to less secure apps” setting is selected for your domain when this change takes place, it will remain selected.
    • If the “Disable access to less secure apps for all users” setting is selected for your domain when this change takes place, it will remain selected.
