Building security into the redesigned Chrome downloads experience

Last year, we introduced a redesign of the Chrome downloads experience on desktop to make it easier for users to interact with recent downloads. At the time, we mentioned that the additional space and more flexible UI of the new Chrome downloads experience would give us new opportunities to make sure users stay safe when downloading files.

Adding context and consistency to download warnings

The redesigned Chrome downloads experience gives us the opportunity to provide even more context when Chrome protects a user from a potentially malicious file. Taking advantage of the additional space available in the new downloads UI, we have replaced our previous warning messages with more detailed ones that convey more nuance about the nature of the danger and can help users make more informed decisions.

Our legacy, space-constrained warning vs. our redesigned one

We also made download warnings more understandable by introducing a two-tier download warning taxonomy based on AI-powered malware verdicts from Google Safe Browsing. These are:

  1. Suspicious files (lower confidence verdict, unknown risk of user harm)
  2. Dangerous files (high confidence verdict, high risk of user harm)

These two tiers of warnings are distinguished by iconography, color, and text, to make it easy for users to quickly and confidently make the best choice for themselves based on the nature of the danger and Safe Browsing's level of certainty. Overall, these improvements in clarity and consistency have resulted in significant changes in user behavior, including fewer warnings bypassed, warnings heeded more quickly, and all in all, better protection from malicious downloads.

Differentiation between suspicious and dangerous warnings

Protecting more downloads with automatic deep scans

Users who have opted in to the Enhanced Protection mode of Safe Browsing in Chrome are prompted to send the contents of suspicious files to Safe Browsing for deep scanning before opening the file. Suspicious files are a small fraction of overall downloads, and file contents are only scanned for security purposes and are deleted shortly after a verdict is returned.

We've found these additional scans to have been extraordinarily successful – they help catch brand new malware that Safe Browsing has not seen before and dangerous files hosted on brand new sites. In fact, files sent for deep scanning are over 50x more likely to be flagged as malware than downloads in the aggregate.

Since Enhanced Protection users have already agreed to send a small fraction of their downloads to Safe Browsing for security purposes in order to benefit from additional protections, we recently moved towards automatic deep scans for these users rather than prompting each time. This will protect users from risky downloads while reducing user friction.

An automatic deep scan resulting in a warning

Staying ahead of attackers who hide in encrypted archives

Not all deep scans can be conducted automatically. A current trend in cookie theft malware distribution is packaging malicious software in an encrypted archive – a .zip, .7z, or .rar file, protected by a password – which hides file contents from Safe Browsing and other antivirus detection scans. In order to combat this evasion technique, we have introduced two protection mechanisms depending on the mode of Safe Browsing selected by the user in Chrome.

Attackers often make the passwords to encrypted archives available in places like the page from which the file was downloaded, or in the download file name. For Enhanced Protection users, downloads of suspicious encrypted archives will now prompt the user to enter the file's password and send it along with the file to Safe Browsing so that the file can be opened and a deep scan may be performed. Uploaded files and file passwords are deleted a short time after they're scanned, and all collected data is only used by Safe Browsing to provide better download protections.

Enter a file password to send an encrypted file for a malware scan

For those who use Standard Protection mode, which is the default in Chrome, we still wanted to provide some level of protection. In Standard Protection mode, downloading a suspicious encrypted archive will also trigger a prompt to enter the file's password, but in this case both the file and the password stay on the local device, and only the metadata of the archive contents is checked with Safe Browsing. As such, in this mode, users are still protected as long as Safe Browsing has previously seen and categorized the malware.
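To make the Standard Protection trade-off concrete, here is an added example (not Chrome's or Safe Browsing's code) that models a metadata-only check for a ZIP archive. In the ZIP format, entry names, sizes and CRC32 values sit in the central directory and stay in the clear even for a password-protected archive, so a scanner can list them without decrypting anything; the example fingerprints that listing and compares it against a local set of fingerprints standing in for malware a scanner has "previously seen and categorized". The payloads, the `PREVIOUSLY_SEEN_MALWARE` dictionary and the `KNOWN_BAD_FINGERPRINTS` denylist are constructed for the demonstration and do not represent real samples or Safe Browsing's own data format.

```python
import hashlib
import io
import zipfile
import zlib

# Constructed payloads standing in for files a scanner has previously seen and
# categorized as malware. Not real samples.
PREVIOUSLY_SEEN_MALWARE = {
    "invoice/Invoice_2024.pdf.exe": b"MZ" + b"\x90" * 120,
}


def archive_metadata(archive_bytes: bytes) -> list[dict]:
    """Read only the ZIP central directory.

    Entry names, sizes and CRC32 values live in the central directory, which a
    password-protected ZIP leaves unencrypted. Nothing is decompressed or
    decrypted here, so no password is needed and no file content is exposed.
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entries.append({
                "name": info.filename,
                "size": info.file_size,
                "crc32": info.CRC,
                # General-purpose flag bit 0 marks an encrypted entry.
                "encrypted": bool(info.flag_bits & 0x1),
            })
    return entries


def metadata_fingerprint(entries: list[dict]) -> str:
    """Order-independent SHA-256 over (name, size, crc32) of every entry."""
    rows = sorted(f"{e['name']}|{e['size']}|{e['crc32']:08x}" for e in entries)
    return hashlib.sha256("\n".join(rows).encode()).hexdigest()


def _listing_for(files: dict[str, bytes]) -> list[dict]:
    """Listing a scanner would have recorded for files seen earlier (constructed)."""
    return [{"name": n, "size": len(d), "crc32": zlib.crc32(d)} for n, d in files.items()]


# Local denylist of metadata fingerprints, derived from the constructed samples.
KNOWN_BAD_FINGERPRINTS = {metadata_fingerprint(_listing_for(PREVIOUSLY_SEEN_MALWARE))}


def classify_archive(archive_bytes: bytes) -> str:
    """'dangerous' if the listing matches a known-bad fingerprint, else 'unknown'.

    Metadata alone can only recognise what has been seen before; a never-seen
    archive comes back 'unknown', which is the limitation the text describes.
    """
    entries = archive_metadata(archive_bytes)
    if metadata_fingerprint(entries) in KNOWN_BAD_FINGERPRINTS:
        return "dangerous"
    return "unknown"


def build_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the demonstration (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    known_bad = build_archive(PREVIOUSLY_SEEN_MALWARE)
    benign = build_archive({"notes/todo.txt": b"buy milk"})
    print(archive_metadata(known_bad))
    print(classify_archive(known_bad), classify_archive(benign))
```

The `encrypted` flag is reported so a caller can tell that a match was made purely from the central directory; Python's `zipfile` cannot write encrypted entries, so the constructed archives here are unencrypted, but `infolist()` behaves identically on a password-protected ZIP because it never touches entry data.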

The Chrome Security team works closely with Safe Browsing, Google's Threat Analysis Group, and security researchers from around the world to gain insights into the techniques attackers are using. Using these insights, we are constantly adapting our product strategy to stay ahead of attackers and to keep users safe while downloading files in Chrome. We look forward to sharing more in the future!

Introducing Collections, a new on-device surface for your content

Posted by Cullen Rotroff, Product Manager, Google Play

Over the past year, the Play Store has evolved into a dynamic discovery engine for your apps and their amazing content. We continue to invest in features that connect the best app experiences to the people who love them. At this year’s Google I/O, we teased an exciting new on-device surface that expands the discovery of your content beyond the Play Store, powered by Engage SDK.

Today, we’re excited to announce that this brand-new surface is ready for the spotlight. Introducing Collections: a seamless way to showcase personalized content and guide users on continuous journeys that lead directly into your app.

Expand your app's reach beyond the Play Store

Collections is a full-screen immersive space that automatically organizes the best and most relevant content from installed apps into intent-oriented spaces, such as Watch, Listen, Shop, or Social. From there, users deep-link directly into your app to complete their journey, whether that’s to enjoy your content or complete a purchase.

You can use this surface to highlight your most important content, including personalized recommendations and promotions. If a user has your app installed but isn’t logged in, Collections can encourage the user to sign in to see your most personalized content. Plus, if your app is integrated but not installed, Collections can recommend that users install it.

Users enter Collections through a Play Store widget. Without needing to install a new app, users can simply preview the experience in the Play Store and then add the widget to their home screen.

Collections keep users engaged with your content

Engage users with personalized and customizable messaging

There are multiple ways to use Collections to engage users.

Continuation journeys are the anchor of this experience and appear at the top of most spaces to help users resume their journeys with a tap. For example:

    • In Shop, users can pick up an abandoned shopping cart.
    • In Listen, users can jump back into a recently played album, playlist, podcast, audiobook, or live radio station.
    • And in Food, users can pick up an open cart or reorder a recent meal.

We also understand that developers know their users best, so to give you more control over the Collections experience, you can create up to five recommendation clusters. These clusters can be personalized based on your user’s behavior in your app and organized by theme, like new releases, price drops, or the user’s favorite topics. For users who aren’t logged in to your app, you can provide content with broad appeal to spur a new session.

Engage users through continuation journeys (like Continue listening) or with recommendation clusters (like Today's top hits)

Finally, Collections spotlights hero content in its featured cluster, a larger, more premium UI template. You can display one personalized featured card per user and update it dynamically throughout the day. The featured cluster is best reserved for top personalized promotions and deals, for example:

    • Promote memberships and special business models, like a loyalty program.
    • Highlight your best personalized deals.
    • Announce new products and app features.

Collections’ featured cluster spotlights your hero content

Get started with Engage SDK

To start using Collections, you'll need to integrate with Engage SDK, a client-side integration that leverages on-device APIs and takes most developers about a week to complete. Designed to be simple and lightweight, the integration adds less than 50 KB to the average app APK.

Engage SDK enables your apps to push personalized app content to Collections. There is no need to start and maintain a new content strategy as the integration is designed for the personalized content from your app’s front page. Since you already have the content strategy, metadata, and personalization required, all you’ll need to do is publish it with Engage SDK.

Today, we’re inviting all apps with users in the United States and content in our supported categories – Watch, Listen, Read, Shop, Food, Social, Travel & Events, Health & Fitness, Dating – to join. Over 35 top apps have already integrated with Engage SDK, including Adidas, Amazon Prime Video, Audible, Best Buy, iHeartRadio, Nextdoor, Spotify, Shopify, and Walmart.

Visit our Engage SDK integration guide to see if your app meets the eligibility requirements, and express your interest.




Adding Data Loss Prevention (DLP) to form content in Google Forms

What’s changing

We’re continually investing in data protection capabilities for Google Forms. We’ve already enabled data loss prevention (DLP) for Google Drive policies that apply to files submitted in external Forms, including Forms from external organizations. To expand on this, today we’re announcing that DLP policies for form content in Google Forms are now generally available.


With DLP, Forms with sensitive content can be blocked from being viewed or responded to by external individuals. Based on DLP rules configured by the admin, this feature checks form content, including questions, the form title and description, and the answer options provided in the form, and prevents sensitive content from being shared externally; it does not check form responses provided by end users that are submitted to external forms.

DLP in Forms
This screenshot of a Google Form includes mentions of “Project X”. DLP rules are configured to detect and prevent sharing of Forms with responders outside the organization with any mentions of “Project X”, the sensitive content in this form.


Additional details 

If you do not want DLP rules applied to users in your domain, you can exclude certain groups or organizational units from DLP checks. You can also exclude forms from DLP rules by using nested condition operators in DLP for Drive rules. To do so, add an ‘AND NOT’ conditional operator with a custom detector for “vnd\.google\-apps\.form” as a regex. In scenarios where you only want to apply DLP to forms, add a custom detector for “vnd\.google\-apps\.form” as a regex. Visit this Help Center to learn more about using Workspace DLP to prevent data loss.
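The two rule shapes above (a Drive rule that carves forms out with ‘AND NOT’ plus a MIME-type detector, and a forms-only rule that requires that detector) are easier to reason about in code. The following is an added example that models the rule evaluation; it is not Workspace's DLP engine, and the `DriveItem` class, the `“Project X”` content pattern from the screenshot caption, the rule names and the `RULES` list are constructed for the illustration. The regex `vnd\.google\-apps\.form` is the one the text gives; `application/vnd.google-apps.form` is the Drive MIME type it matches. Note that `scanned_text` deliberately leaves respondent answers out, mirroring what the announcement says is and is not checked.

```python
import re
from dataclasses import dataclass, field

FORM_MIME = "application/vnd.google-apps.form"  # Drive MIME type of a Google Form


@dataclass
class DriveItem:
    """Constructed model of a Drive file or Form as a DLP rule would see it."""
    title: str
    mime_type: str
    description: str = ""
    body: str = ""                                  # body text of a non-form Drive file
    questions: list = field(default_factory=list)   # form questions
    options: list = field(default_factory=list)     # answer options offered by the form
    responses: list = field(default_factory=list)   # respondent answers: never scanned


def scanned_text(item: DriveItem) -> str:
    """Text a content detector inspects: title, description, body, questions, options."""
    return "\n".join([item.title, item.description, item.body, *item.questions, *item.options])


# Condition nodes; each is callable on a DriveItem and returns True when it matches.
@dataclass
class ContentMatches:
    pattern: str

    def __call__(self, item: DriveItem) -> bool:
        return re.search(self.pattern, scanned_text(item)) is not None


@dataclass
class MimeMatches:
    """Custom detector applied to the item's MIME type, as a regex."""
    pattern: str

    def __call__(self, item: DriveItem) -> bool:
        return re.search(self.pattern, item.mime_type) is not None


@dataclass
class Not:
    cond: object

    def __call__(self, item: DriveItem) -> bool:
        return not self.cond(item)


@dataclass
class And:
    conds: list

    def __call__(self, item: DriveItem) -> bool:
        return all(c(item) for c in self.conds)


@dataclass
class Rule:
    name: str
    condition: object
    action: str  # "block", "warn" or "audit"


FORM_DETECTOR = MimeMatches(r"vnd\.google\-apps\.form")
PROJECT_X = ContentMatches(r"Project X")

# Constructed rule set: a Drive-wide rule that excludes forms, and a forms-only rule.
RULES = [
    Rule("block-project-x-drive", And([PROJECT_X, Not(FORM_DETECTOR)]), "block"),
    Rule("block-project-x-forms", And([PROJECT_X, FORM_DETECTOR]), "block"),
]


def evaluate(rules: list, item: DriveItem, shared_externally: bool) -> list:
    """Return (rule name, action) for every rule an external share would trigger."""
    if not shared_externally:
        return []
    return [(r.name, r.action) for r in rules if r.condition(item)]


if __name__ == "__main__":
    survey = DriveItem("Q3 survey", FORM_MIME, questions=["How is Project X going?"])
    print(evaluate(RULES, survey, shared_externally=True))
```

Run as a script it prints `[('block-project-x-forms', 'block')]`: the form is caught by the forms-only rule, while the Drive rule's `Not(FORM_DETECTOR)` branch skips it.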


Getting started 

  • Admins: 
    • Data loss prevention rules scoped to Drive files defined for your domain will be applied automatically to Forms.
    • If you are not using DLP for Google Drive, you can create DLP rules at the domain, OU, or group level in the Admin console under Security > Data protection. You can apply block, warn or audit actions, consistent with DLP for Drive. If you apply the block action, users external to the domain will not be able to view or respond to forms with sensitive content. 
    • Visit the Help Center to learn more about turning data loss prevention in Google Forms on for your organization. 
  • End users: End users can respond as usual to forms that do not violate DLP rules, but if a form violates Drive DLP rules for their domain, form editors may see warnings and form responders external to the domain may be blocked from viewing or responding to the form.

Rollout pace 

Availability 

Available for Google Workspace: 
  • Enterprise Standard, Plus 
  • Enterprise Essentials Plus 
  • Education Fundamentals, Standard, Plus, the Teaching & Learning Upgrade 
  • Frontline Standard 
  • Cloud Identity Premium 

Resources 

Chrome for Android Update

Hi, everyone! We've just released Chrome 127 (127.0.6533.64) for Android. It'll become available on Google Play over the next few days.

This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.

Android releases contain the same security fixes as their corresponding Desktop (Windows & Mac: 127.0.6533.72/73 and Linux: 127.0.6533.72) unless otherwise noted.


Krishna Govind
Google Chrome

Stable Channel Update for Desktop

The Stable channel has been updated to 127.0.6533.72/73 for Windows, Mac and 127.0.6533.72 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.


Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 24 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.


[$11000][349198731] High CVE-2024-6988: Use after free in Downloads. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-06-25

[$8000][349342289] High CVE-2024-6989: Use after free in Loader. Reported by Anonymous on 2024-06-25

[TBD][346618785] High CVE-2024-6991: Use after free in Dawn. Reported by wgslfuzz on 2024-06-12

[TBD][349653220] High CVE-2024-6992: Out of bounds memory access in ANGLE. Reported by Xiantong Hou of Wuheng Lab and Pisanbao on 2024-06-27

[TBD][349903568] High CVE-2024-6993: Inappropriate implementation in Canvas. Reported by Anonymous on 2024-06-30

[$8000][339686368] Medium CVE-2024-6994: Heap buffer overflow in Layout. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2024-05-10

[$6000][343938078] Medium CVE-2024-6995: Inappropriate implementation in Fullscreen. Reported by Alesandro Ortiz on 2024-06-01

[$5000][333708039] Medium CVE-2024-6996: Race in Frames. Reported by Louis Jannett (Ruhr University Bochum) on 2024-04-10

[$3000][325293263] Medium CVE-2024-6997: Use after free in Tabs. Reported by Sven Dysthe (@svn-dys) on 2024-02-15

[$2000][340098902] Medium CVE-2024-6998: Use after free in User Education. Reported by Sven Dysthe (@svn-dys) on 2024-05-13

[$2000][340893685] Medium CVE-2024-6999: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-15

[$500][339877158] Medium CVE-2024-7000: Use after free in CSS. Reported by Anonymous on 2024-05-11

[TBD][347509736] Medium CVE-2024-7001: Inappropriate implementation in HTML. Reported by Jake Archibald on 2024-06-17

[$2000][338233148] Low CVE-2024-7003: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-01

[TBD][40063014] Low CVE-2024-7004: Insufficient validation of untrusted input in Safe Browsing. Reported by Anonymous on 2023-02-10

[TBD][40068800] Low CVE-2024-7005: Insufficient validation of untrusted input in Safe Browsing. Reported by Umar Farooq on 2023-08-04


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:

  • [354788491] Various fixes from internal audits, fuzzing and other initiatives


Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.


Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Daniel Yip
Google Chrome