LTS-96 has been updated in the LTS channel to 96.0.4664.207 (Platform Version: 14268.82.0) for most ChromeOS devices. Want to know more about Long-term Support? Click here.
Chrome Dev for Android Update
Hi everyone! We've just released Chrome Dev 103 (103.0.5028.0) for Android. It's now available on Google Play.
You can see a partial list of the changes in the Git log. For details on new features, check out the Chromium blog, and for details on web platform updates, check here.
If you find a new issue, please let us know by filing a bug.
Krishna Govind
Google Chrome
Source: Google Chrome Releases
Beta Channel Update for Desktop
The Chrome team is excited to announce the promotion of Chrome 102 to the Beta channel for Windows, Mac and Linux. Chrome 102.0.5005.27 contains our usual under-the-hood performance and stability tweaks, but there are also some cool new features to explore - please head to the Chromium blog to learn more!
Source: Google Chrome Releases
Dev Channel Update for Desktop
The Dev channel has been updated to 103.0.5028.0 for Windows, Linux, and Mac.
A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Source: Google Chrome Releases
Chrome Beta for Android Update
Hi everyone! We've just released Chrome Beta 102 (102.0.5005.26) for Android. It's now available on Google Play.
You can see a partial list of the changes in the Git log. For details on new features, check out the Chromium blog, and for details on web platform updates, check here.
If you find a new issue, please let us know by filing a bug.
Erhu Akpobaro
Google Chrome
Source: Google Chrome Releases
This YouTuber wants to bring financial literacy to Africans
Nicolette Mashile wanted to find a more fulfilling career. So in 2016, she resigned from her job as a Client Service Director at a Johannesburg advertising agency. But quitting meant Nicolette was forced to stick to a stricter budget.
She began sharing her money-saving tips on YouTube and it wasn’t long before she noticed her advice resonated with African viewers. Eventually, this South African content creator built a significant following for her candid take on money management, and was invited to join the #YouTubeBlackVoices Creator Class of 2021. This in turn helped her Financial Bunny YouTube channel garner almost 9 million views.
“I was very frank about money management, how to effectively budget and how to plan your spending. When I saw my YouTube following growing, I knew this personal finance advice was making a real impact and I committed to improving financial literacy in South Africa,” Nicolette says.
This meant finding creative ways to make financial literacy more inclusive and accessible while also removing the stigma attached to discussing personal finance. Nicolette spun her YouTube success into two books — one for adults titled “What’s Your Move,” and another for children, “Coco the Money Bunny.”
“When I created the books, I had to develop a new website so it was important to identify our different customer types and implement search engine optimization. I needed to do research to understand the target customers and develop the website to meet their needs and Google Ads was a promotional channel I experimented with,” Nicolette added.
But it was the launch of her Save or Spend board game and subsequent app that sparked her shift towards technology.
“I’d successfully leveraged digital media to share financial content, so naturally it made sense to use the power of tech to design an interactive app that could simplify money management in a fun and engaging way,” she says.
Using gamification helped to take away the seriousness around money while also addressing the lack of financial education in South Africa. In a digital era where most Africans own a smartphone rather than a laptop, Nicolette knew a free app would be an accessible tool to teach people about money. Her app has proven popular due in large part to the massive following she has built online since launching her YouTube channel back in 2017.
Nicolette’s also grown her business to include consultancy and coaching, and she relies a lot on Google Meets for some of her sessions.
“My consultancy work with brands and corporate individuals means I use video calling quite often and for this I use Google Meets. I do one-on-one coaching with multiple clients per month and it’s super simple to just send a link and jump on a call because people can log in from anywhere,” she says.
Ultimately, Nicolette hopes to continue empowering her followers by arming them with the tools and skills they need to better manage their money. “I want to keep encouraging South Africans to have the difficult discussions people often avoid around personal finance.”
Fifty-eight percent of Africa’s entrepreneurs are women. That’s why we’re empowering them with the platform and tools to grow their businesses. #LookMeUp is a call for all to #BreakTheBias. Find out more here.
Source: The Official Google Blog
How can App Engine users take advantage of Cloud Functions?
Posted by Wesley Chun (@wescpy), Developer Advocate, Google Cloud
Introduction
Recently, we discussed containerizing App Engine apps for Cloud Run, with or without Docker. But what about Cloud Functions… can App Engine users take advantage of that platform somehow? Back in the day, App Engine was always the right decision, because it was the only option. With Cloud Functions and Cloud Run joining in the serverless product suite, that's no longer the case.
Back when App Engine was the only choice, it was selected to host small, single-function apps. Yes, when it was the only option. Other developers have created huge monolithic apps for App Engine as well… because it was also the only option. Fast forward to today where code follows more service-oriented or event-driven architectures. Small apps can be moved to Cloud Functions to simplify the code and deployments while large apps could be split into smaller components, each running on Cloud Functions.
Refactoring App Engine apps for Cloud Functions
Small, single-function apps can be seen as a microservice, an API endpoint "that does something," or serve some utility likely called as a result of some event in a larger multi-tiered application, say to update a database row or send a customer email message. App Engine apps require some kind of web framework and routing mechanism while Cloud Function equivalents can be freed from much of those requirements. Refactoring these types of App Engine apps for Cloud Functions will likely require less overhead, help ease maintenance, and allow for common components to be shared across applications.
Large, monolithic applications are often made up of multiple pieces of functionality bundled together in one big package, such as requisitioning a new piece of equipment, opening a customer order, authenticating users, processing payments, performing administrative tasks, and so on. By breaking this monolith up into multiple microservices, each an individual function, every component can then be reused in other apps, maintenance is eased because software bugs can be traced to code closer to their root origins, and developers won't step on each other's toes.
Migration to Cloud Functions
In this latest episode of Serverless Migration Station, a Serverless Expeditions mini-series focused on modernizing serverless apps, we take a closer look at this product crossover, covering how to migrate App Engine code to Cloud Functions. There are several steps you need to take to prepare your code for Cloud Functions:
- Divest from legacy App Engine "bundled services," e.g., Datastore, Taskqueue, Memcache, Blobstore, etc.
- Cloud Functions supports modern runtimes; upgrade to Python 3, Java 11, or PHP 7
- If your app is a monolith, break it up into multiple independent functions. (You can also keep a monolith together and containerize it for Cloud Run as an alternative.)
- Make appropriate application updates to support Cloud Functions
The first three bullets are outside the scope of this video and its codelab, so we'll focus on the last one. The changes needed for your app include the following:
- Remove unneeded and/or unsupported configuration
- Remove use of the web framework and supporting routing code
- For each of your functions, assign an appropriate name and install the request object it will receive when it is called.
Regarding the last point, note that you can have multiple "endpoints" coming into a single function which processes the request path, calling other functions to handle those routes. If you have many functions in your app, separate functions for every endpoint becomes unwieldy; if large enough, your app may be more suited for Cloud Run. The sample app in this video and corresponding code sample only has one function, so having a single endpoint for that function works perfectly fine here.
This migration series focuses on our earliest users, starting with Python 2. Regarding the first point, the app.yaml file is deleted. Next, almost all Flask resources are removed except for the template renderer (the app still needs to output the same HTML as the original App Engine app). All app routes are removed, and there's no instantiation of the Flask app object. Finally for the last step, the main function is renamed more appropriately to visitme() along with a request object parameter.
This "migration module" starts with the (Python 3 version of the) Module 2 sample app, applies the steps above, and arrives at the migrated Module 11 app. Implementing those required changes is illustrated by this code "diff":
Figure: Migration of sample app to Cloud Functions
Next steps
If you're interested in trying this migration on your own, feel free to try the corresponding codelab which leads you step-by-step through this exercise and use the video for additional guidance.
All migration modules, their videos (when published), codelab tutorials, START and FINISH code, etc., can be found in the migration repo. We hope to also one day cover other legacy runtimes like Java 8 as well as content for the next-generation Cloud Functions service, so stay tuned. If you're curious whether it's possible to write apps that can run on App Engine, Cloud Functions, or Cloud Run with no code changes at all, the answer is yes. Hope this content is useful for your consideration when modernizing your own serverless applications!
Source: Google Developers Blog
The first developer preview of Privacy Sandbox on Android
Posted by Fred Chung, Android Developer Relations
We recently announced the Privacy Sandbox on Android to enable new advertising solutions that improve user privacy, and provide developers and businesses with the tools to succeed on mobile. Since the announcement, we've heard from developers across the ecosystem on our initial design proposals. Your feedback is critical to ensure we build solutions that work for everyone, so please continue to share it through the Android developer site.
Today, we're releasing the first developer preview for the Privacy Sandbox on Android, which provides an early look at the SDK Runtime and Topics API. You'll be able to do preliminary testing of these new technologies and evaluate how you might adopt them for your solutions. This is a preview, so some features may not be implemented just yet, and functionality is subject to change. See the release notes for more details on what's included in the release.
What’s in the Developer Preview?
The Privacy Sandbox Developer Preview provides additional platform APIs and services on top of the Android 13 Developer Beta release, including an SDK, system images, emulator, and developer documentation. Specifically, you'll have access to the following:
- Android SDK and 64-bit Android Emulator system images that include the Privacy Sandbox APIs. See the setup guide.
- Device system images for Pixel 6 Pro, Pixel 6, Pixel 5a (5G), Pixel 5, Pixel 4, and Pixel 4a. This preview release is for developers only and not intended for daily or consumer use, so we're making it available by manual download only.
- Developer guides for the SDK Runtime and Topics API.
- Sample code that demonstrates the implementation of runtime-enabled SDKs and usage of the Topics API, available on GitHub.
- Privacy Sandbox API reference.
Things you can try
When your development environment is set up, consider taking the following actions:
- Familiarize yourselves with the technical proposals on the SDK Runtime, Topics, Attribution Reporting, and FLEDGE on Android.
- Topics API: Invoke the API and retrieve test values, representing a user's coarse-grained interests. See the documentation for detail.
- SDK Runtime: Build and install a runtime-enabled SDK on a test device or emulator. Create a test app to load the SDK in the runtime and request the SDK to remotely render a WebView-based ad in the app. See the documentation for detail.
- Review and run the sample apps.
- For details on capabilities and known limitations in this Developer Preview release, check out the release notes.
Over the coming months, we'll be releasing updates to the Developer Preview including early looks at the Attribution Reporting and FLEDGE APIs. For more information, please visit the Privacy Sandbox developer site. You can also share your feedback or questions, review progress updates so far, and sign up to receive email updates.
Happy testing!
Source: Android Developers Blog
The Package Analysis Project: Scalable detection of malicious open source packages
Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users.
Google, a member of the Open Source Security Foundation (OpenSSF), is proud to support the OpenSSF’s Package Analysis project, which is a welcome step toward helping secure the open source packages we all depend on. The Package Analysis program performs dynamic analysis of all packages uploaded to popular open source repositories and catalogs the results in a BigQuery table. By detecting malicious activities and alerting consumers to suspicious behavior before they select packages, this program contributes to a more secure software supply chain and greater trust in open source software. The program also gives insight into the types of malicious packages that are most common at any given time, which can guide decisions about how to better protect the ecosystem.
To better understand how the Package Analysis program is contributing to supply chain security, we analyzed the nearly 200 malicious packages it captured over a one-month period. Here’s what we discovered:
Results
All signals collected are published in our BigQuery table. Using simple queries on this table, we found around 200 meaningful results from the packages uploaded to NPM and PyPI in a period of just over a month. Here are some notable examples, with more available in the repository.
PyPI: discordcmd
This Python package will attack the desktop client for Discord on Windows. It was found by spotting the unusual requests to raw.githubusercontent.com, Discord API, and ipinfo.io.
First, it downloaded a backdoor from GitHub and installed it into the Discord electron client. Next, it looked through various local databases for the user's Discord token. Finally, it grabbed the data associated with the token from the Discord API and exfiltrated it back to a Discord server controlled by the attacker.
NPM: @roku-web-core/ajax
During install, this NPM package exfiltrates details of the machine it is running on and then opens a reverse shell, allowing the remote execution of commands. This package was discovered from its requests to an attacker-controlled address.
Dependency Confusion / Typosquatting
The vast majority of the malicious packages we detected are dependency confusion and typosquatting attacks.
The packages we found usually contain a simple script that runs during an install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior.
These dependency confusion attacks were discovered through the domains they used, such as burpcollaborator.net, pipedream.com, interact.sh, which are commonly used for reporting back attacks. The same domains appear across unrelated packages and have no apparent connection to the packages themselves. Many packages also used unusual version numbers that were high (e.g. v5.0.0, v99.10.9) for a package with no previous versions.
Conclusions
The short time frame and low sophistication needed for finding the results above underscore the challenge facing open source package repositories. While many of the results above were likely the work of security researchers, any one of these packages could have done far more to hurt the unfortunate victims who installed them.
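To show how little machinery the two dependency confusion signals named in the post need (callback domains and a high version number on a package with no previous versions), here is a triage sketch. It is an added example, not Package Analysis code or its BigQuery schema: the record fields, the sample records, and the major-version threshold of 5 are assumptions.

```python
import re

# Callback domains named in the post.
CALLBACK_DOMAINS = ("burpcollaborator.net", "pipedream.com", "interact.sh")
# Assumption: a first-ever release with major version >= 5 is "unusually high"
# (the post's examples are v5.0.0 and v99.10.9).
HIGH_MAJOR_THRESHOLD = 5

# Constructed sample records; field names are hypothetical.
SAMPLE_RECORDS = [
    {"name": "example-internal-utils", "version": "v99.10.9", "prior_versions": [],
     "hosts": ["registry.npmjs.org", "x1y2z3.burpcollaborator.net"]},
    {"name": "example-stable-lib", "version": "5.0.1",
     "prior_versions": ["4.9.0", "5.0.0"], "hosts": ["registry.npmjs.org"]},
    {"name": "example-corp-logging", "version": "5.0.0", "prior_versions": [],
     "hosts": ["pypi.org"]},
    {"name": "example-lookalike", "version": "1.0.0", "prior_versions": [],
     "hosts": ["notinteract.sh", "files.pythonhosted.org"]},
    {"name": "example-beacon", "version": "0.0.1", "prior_versions": [],
     "hosts": ["EOABC123.M.Pipedream.Com."]},
]


def callback_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    h = host.strip().rstrip(".").lower()  # normalise case and a trailing root dot
    for domain in CALLBACK_DOMAINS:
        # Match on a label boundary so "notinteract.sh" is not a hit.
        if h == domain or h.endswith("." + domain):
            return domain
    return None


def high_first_version(version, prior_versions):
    """True when a package with no earlier releases starts at a high major version."""
    if prior_versions:
        return False
    m = re.match(r"v?(\d+)", version.strip(), re.IGNORECASE)
    return m is not None and int(m.group(1)) >= HIGH_MAJOR_THRESHOLD


def triage(records):
    """Return (package name, [reasons]) for every record that trips a signal."""
    findings = []
    for rec in records:
        reasons = []
        hits = sorted({d for d in map(callback_domain, rec["hosts"]) if d})
        if hits:
            reasons.append("contacted callback domain: " + ", ".join(hits))
        if high_first_version(rec["version"], rec["prior_versions"]):
            reasons.append("first release is " + rec["version"])
        if reasons:
            findings.append((rec["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RECORDS):
        print(name, "->", "; ".join(reasons))
```
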
These results show the clear need for more investment in vetting packages being published in order to keep users safe. This is a growing space, and having an open standard for reporting would help centralize analysis results and offer consumers a trusted place to assess the packages they’re considering using. Creating an open standard should also foster healthy competition, promote integration, and raise the overall security of open source packages.
Over time we hope that the Package Analysis program will offer comprehensive knowledge about the behavior and capabilities of packages across open source software, and help guide the future efforts needed to make the ecosystem more secure for everyone. To get involved, please check out the GitHub Project and Milestones for opportunities to contribute.
Source: Google Online Security Blog
Women Techmakers expands online safety education
Online violence against women goes beyond the internet. It impacts society and the economy at large. It leads to damaging economic repercussions, due to increased medical costs and lost income for victims. It impacts the offline world, with seven percent of women changing jobs due to online violence, and one in ten experiencing physical harm due to online threats, according to Google-supported research conducted by the Economist Intelligence Unit in 2020.
That’s why the Women Techmakers program, which provides visibility, community and resources for women in technology, supports online safety education for women and allies. Google community manager Merve Isler, who lives in Turkey and leads Women Techmakers efforts in Turkey, Central Asia and the Caucasus region, organized the first-ever women’s online safety hackathon in Turkey in 2020, which expanded to a full week of trainings and ideathons in 2021. Google community manager and Women Techmakers manager Hufsa Manawar brought online safety training to Pakistan in early 2022.
Now, Women Techmakers is providing a more structured way for women around the world to learn about online safety, in the form of a free online learning module, launched in April 2022, in honor of International Women’s Day. To create this module, I worked with my co-host Alana Fromm from Jigsaw and our teams to create a series of videos covering different topics related to women’s online safety. Jigsaw is a unit within Google that explores threats to open society and builds technological solutions.
In the online training, we begin by defining online violence and walking through the ways negative actors threaten women online, which include misinformation and defamation, cyberharassment and hate speech. Regardless of the tactic, the goal remains the same: to threaten and harass women into silence. We break down the groups of people involved in online harassment and the importance of surrounding oneself with allies.
In one of the videos in the series, Women Techmakers Ambassador Esrae Abdelnaby Hassan shares her story of online abuse. She was exploring learning cybersecurity when a mentor she trusted gave her USB drives with courses and reading material that were infected with viruses and allowed him to take control of her computer and record videos. Then, he blackmailed her, using the videos he’d taken as threats. She felt afraid and isolated, and relied on her family for support as she addressed the harassment.
The learning module provides two codelabs, one on steps you can take to protect yourself online, and one on Perspective API, a free, open-source product built by Jigsaw and the Counter Abuse security team at Google. The first codelab provides practical guidance, and the second codelab walks viewers through the process of installing Perspective API, which uses machine learning to identify toxic comments.
We look forward to seeing the impact of our new, easy-to-access online training, as well as what our ambassadors are able to accomplish offline as the year progresses.
Source: The Official Google Blog