Category Archive : macOS

Are you ready for macOS 11 Big Sur? – Houston Chronicle

Nineteen years ago, Apple transitioned the Mac from its original (classic) operating system to a more modern, UNIX-based operating system known as Mac OS X (which is pronounced “Mac OS Ten”).

Since then, there have been 15 major releases. The first eight were named for jungle cats from version 10.0 Cheetah through version 10.8 Mountain Lion. The next seven were named for California landmarks starting with version 10.9 Mavericks through version 10.15 Catalina.

Now, after nearly two decades of version X variants, Apple is about to turn the volume up to 11 (sorry about that, Spinal Tap fans) by introducing version 11.0, aka macOS Big Sur.

Apple hasn’t announced Big Sur’s release date yet. Still, history indicates it’ll be very soon since version 10.15 Catalina shipped on Oct. 11, 2019, and versions 10.11 El Capitan through 10.14 Mojave were all released in September of their respective years (2015-2018).

So, here’s my advice: Do not install the first release unless you have plenty of time to troubleshoot and research the inevitable issues that always plague the first (or “point-zero”) release of most software.

I’ve been using prerelease versions of Big Sur since June. And, while the latest beta release hasn’t caused me any grief, your Mac and third-party software aren’t the same as mine.

I can’t predict the future. It’s possible version 11.0 Big Sur will ship with zero bugs and that everyone’s upgrade will be quick, easy and painless. While that’s possible, I consider it highly unlikely.

There is one last thing: If you upgrade a disk to Big Sur, there is no easy way to downgrade to Catalina. You’ll almost certainly need to erase the disk, reinstall macOS 10.15 Catalina, and then restore data from a backup. Unless you have a clone of your startup disk (see Dr. Mac 9/27/2020), you’re facing several frustrating hours without your Mac.

I’ve been doing this for a long, long time, and I can’t recall a single “point-zero” release that was totally bug-free. Each new release of macOS fills my inbox with email messages from readers sorry they ignored my advice.

So, do me a favor this year and follow my advice. When Apple releases Big Sur next month, just say no. Ignore all the annoying notifications, badges, and emails you’re sure to receive, all extolling Big Sur’s virtues and tantalizing you with cool new features.

Remember that those cool new features will still be there in a month or two when you install version 11.1 or 11.2. By then, the most egregious bugs should be exterminated, and third-party developers should have eradicated any Big Sur-related bugs they’ve discovered in the apps upon which you depend.

boblevitus@mac.com

The Best Package Tracking App for iOS and macOS – The New York Times


Our pick

Parcel

Easy to use and quick to update, Parcel has everything you need to stay on top of shipments from USPS, FedEx, UPS, and more.

Parcel, for iOS and macOS, is the most full-featured, easiest-to-use package tracking app available for Apple devices. It takes only seconds to add tracking numbers in a variety of ways, and the understated design lets you easily see where your deliveries are and when they’ll reach their destination. Push alerts generally come faster than with other tracking apps, and the app syncs across all Apple devices and Parcel’s website. Parcel charges $3 a year if you want to track more than three packages at once, but unlike all of the apps in our test group that don’t charge a fee, Parcel doesn’t comb through your email to collect personal data and sell it to advertisers. We think privacy is worth paying for.

The ability to quickly and easily add a tracking number is the most important feature of any package tracking app, and Parcel offers multiple ways for you to do so, each of which is as simple as (or even simpler than) the corresponding option in any other app. If you’re just receiving packages, the first method you’ll probably use is manually adding a tracking number. You can do so inside the app or with a long press of the app icon on your homescreen. If you have a tracking number already copied, Parcel will automatically recognize it; if not, you can manually type in the number. Or, if you have the shipping-label barcode, you can simply scan it by pressing the barcode icon.

Three screens from the Parcel iOS app showing different parts of the package tracking process.
Parcel lets you easily see your in-progress and delivered packages (left), as well as detailed information on their routes (center). It also has a simple screen for adding new tracking numbers (right).

No matter how you add your number, Parcel almost always recognizes the package-carrier service (it supports more than 300) instantly and correctly, automatically filling the name in without your input. In some cases, when two carriers both use the same tracking number, you may need to select the correct one. This three-step number-entry process—tap, enter the number or scan, and confirm—is the simplest of any app we tested. Other apps we tested required us to choose the carrier as well, making the process take just a little longer. In Parcel, you can also choose to add a description to any shipment, such as the name of the item inside or who the package is for, but it’s not required.

In addition to copying and pasting a tracking number or scanning a barcode, Parcel allows you to forward emails with shipment information to a unique address. From there, it automatically adds the tracking number to the app. This isn’t the only app that has such a feature (our runner-up pick, Deliveries, does as well), but Parcel provides clear instructions on how to set up automatic-forwarding rules for Gmail and iCloud accounts, which means less work on your part to look it up or otherwise figure it out. (If you forward emails from Amazon, you can log in to your Amazon account through the Parcel app to have it pull in the name of the item that’s shipping. The developer told us that the app doesn’t store any of the login information itself; rather, the information is stored on-device. In our testing, the app didn’t always keep us logged in.)

Parcel displays all your deliveries in a single list (with rather drab, uniform coloring), and when packages have a known arrival date, it shows a countdown next to each such listing. You can sort the list by when the tracking was last updated, the date items were added, the estimated delivery date, or alphabetically. The app also has a filter to show all deliveries, active deliveries, recent deliveries, or completed deliveries; in testing, we found selecting active deliveries to be particularly helpful, although you may want to see completed deliveries depending on what you’re using the app for. At any time, you can have 50 active shipments being tracked, or 200 total, including completed deliveries. Once you reach the limit, you need to delete old, completed deliveries in order to add new ones.

A video clip showing an iPhone screen recording of scanning a barcode and setting up package tracking within the Parcel iOS app.
Scanning a tracking number in Parcel is almost instantaneous, and the app automatically detects the delivery company. Video: Nick Guy

Tapping on any delivery pulls up its tracking history, as well as a map charting its geographical progress from sender to recipient. The menu in the top right of the screen offers a number of helpful options, including contacting the shipper’s customer service phone line and sharing the shipment information. Parcel allows you to send tracking information to anyone, whether they have the app or not—when you tap the share button, it automatically generates a webpage with the full tracking info. The Deliveries app, on the other hand, requires the recipient to have the app installed to see what you share.

Once we narrowed our finalists to Parcel and Deliveries, we made sure they each had the same set of tracking numbers entered so that we could see how they compared over the course of several deliveries. We discovered that, in almost every case, Parcel would send us push notification updates before Deliveries, which seemed to do periodic checks of all the numbers it was tracking and send a slew of updates at once. It’s true that most updates aren’t very important or time-sensitive—do you really need to know right away that your new iPad has arrived at the FedEx hub in Memphis?—but if Parcel can let you know that a package has made it to your door faster than the competition, that’s a real advantage, especially if you live in an area where packages tend to get snatched. By default, you receive notifications only between 8 a.m. and 10 p.m., but you can toggle that setting to get alerts whenever a package has an update.

Parcel is available on every major Apple platform: iPhone, iPad, Mac, and Apple Watch (alas, there’s no Apple TV app). There’s also a web app that you can pull up from any browser. All of these stay in sync thanks to Parcel’s own cloud service, not iCloud. The app’s developer, Ivan Pavlov, has kept the software well updated and has been quick to add new features, introducing them with each version of iOS. Parcel works with Siri voice-control shortcuts, and it has a widget for iOS 14 that can show the status of a handful of shipments on your homescreen.

Most package tracking apps are free to download, with an annual subscription cost of $5 or less. Parcel costs $3 annually, although if you want to try it out before you buy, you can track up to three packages at a time without paying. Because almost all the apps we considered are inexpensive, price wasn’t a deciding factor for us. The nominal cost is absolutely worth it for what you get.

‘GravityRAT’ Windows spyware modified to infect macOS, Android – AppleInsider

A strain of malware called GravityRAT, known for spying on Windows machines, has been adapted to infect both Android and macOS devices, according to a new report.

Although most remote access trojans (RAT) target Windows devices, ones that affect Macs have surfaced from time to time. In the case of GravityRAT, it appears that the group responsible for the malware have introduced support for both the macOS and Android operating systems.

Security researchers at Kaspersky have discovered an updated strain of GravityRAT while analyzing an Android spyware app. During the analysis, the researchers identified a server used by two other malicious apps targeting Windows and macOS.

“Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users’ devices from encrypting Trojans, or media players,” the researchers wrote.

GravityRAT is spyware known for checking the CPU temperature of computers in an effort to detect running virtual machines. However, malicious code dropped by the RAT can be used to perform a range of cyber-espionage activities.

According to Kaspersky, the trojan can allow attackers to send commands that get information about a system; search for files on a machine; intercept keystrokes; take screenshots; execute arbitrary shell commands; and get a list of running processes.

The researchers found apps written in Python, Electron, and .NET that will download GravityRAT payloads from a command and control server. From there, the malware adds scheduled tasks to gain persistence. Oftentimes, the malicious apps are clones of legitimate ones.

It’s unclear who exactly developed and maintains the GravityRAT malware, though it’s largely thought to be tied to Pakistani hacker groups who have used it to target Indian military and police organizations.

Who’s at risk and how to protect yourself

Although researchers discovered about 100 successful attacks using GravityRAT between 2015 and 2018, it appears that most of these have been highly targeted.

For example, defense and police employees in India were tricked into installing a “secure messenger” via Facebook, The Times of India reported.

Kaspersky notes that the exact infection vector is unknown, but targets are likely being sent download links to the trojans directly.

What that means in practice is that the average macOS user is likely safe from the RAT. Unless one is a target, security best practices such as avoiding shady links and only downloading apps from trusted app stores are likely enough to mitigate the threat.

Will macOS 11 Big Sur Run On Your Mac? Find Out Here – Forbes

MacBook Air support goes back seven years

It feels like we’re just days away from the full release of macOS 11 Big Sur. Apple’s next-generation operating system is in its tenth developer beta, edging closer and closer to general availability.

The past seven releases of macOS have come out in either September or October, with the October 22 release of OS X 10.9 (Mavericks) being the latest in the year of all of those. This year has obviously posed its own unique challenges, but it seems odds on that Big Sur is set for imminent release.

My colleague Dave Phelan has written a brilliant piece explaining many of the new features found in macOS 11. If that’s got you checking the software update setting on a daily basis, waiting for the new operating system to come down the pipe, you might first want to check that your Mac is compatible with macOS 11.

Apple is very good at supporting older Macs with new operating system releases, but every new version raises the drawbridge on some older systems.

Macs capable of running Big Sur

Here, then, is the definitive list of systems that will be able to run macOS 11:

MacBook – early 2015 or newer

MacBook Air – mid 2013 or newer

MacBook Pro – late 2013 or newer

Mac Mini – late 2014 or newer

iMac – Mid 2014 or newer

iMac Pro – all versions

Mac Pro – Late 2013 or newer

It’s important to note that even if your Mac is on the compatible list, it might not support all features or run the new OS particularly well. If your Mac is near the cut-off date (i.e., you’re running a 2013 vintage MacBook Air), it’s unlikely performance is going to be sparkling when running macOS 11.

It’s also worth noting that macOS 11 will be the first version of the Apple operating system to support Macs based on Apple silicon, as well as Intel processors. Although Apple has pledged to continue supporting Macs with Intel processors for “years to come”, it seems unlikely that it’s going to continue supporting them for the next seven years, unlike some of the older Macs still supported by macOS 11.

Sony cameras gain Mac webcam support with Imaging Edge software – 9to5Mac

This year we’ve seen a host of camera manufacturers release support for using their hardware as a Mac webcam. Now Sony is the latest to debut support.

So far we’ve seen Mac webcam software arrive from Canon, Fujifilm, Olympus, and also the handy Reincubate Camo that lets you use your iPhone as your Mac’s camera.

It’s of course a handy way to improve your Mac’s camera for video calls without having to buy a dedicated webcam with prices going up to $200 for 4K ones.

After previously launching for Windows in August, Sony has joined the Mac party today (via MacRumors) making its Imaging Edge Webcam software available for Apple’s desktops and notebooks.

The Imaging Edge Webcam software for Mac supports over 30 of Sony’s cameras. It requires at least macOS 10.13 and supports macOS Catalina (10.15) but notably doesn’t mention compatibility with macOS Big Sur for now. Download it for free from Sony’s website here.

Download latest macOS Big Sur wallpapers here ahead of public release – 9to5Mac

Apple today released the tenth beta of macOS Big Sur to developers and besides some changes for AirPods users, today’s update brings multiple new wallpapers to the Mac operating system — which already had two new wallpapers since its first beta.

There are 11 new wallpapers available in the macOS Big Sur beta 10, or 13 new wallpapers if you consider the other two previous ones. Most of the new wallpapers are photos of the Big Sur region, including photos of mountains, horizons, plants, and stones. There’s also a new abstract wallpaper called “Iridescence” with light and dark versions available.

macOS Big Sur remains available exclusively as a beta software as Apple has not yet said when the update will be officially released to the public. However, the addition of new wallpapers suggests that the public release is approaching.

According to rumors, Apple will hold another special event in November to introduce new Macs, including the first Mac with Apple Silicon. It’s likely that the company will officially release macOS Big Sur after this event.

Until then, you can download all the new macOS Big Sur wallpapers here on 9to5Mac. Just right-click or long-press on the image you want to choose below and open in a new tab, then long press again to ‘Save’ on iOS or ‘Save image as’ on macOS.

Five new Mac models pop up in regulatory documents, suggesting imminent release – AppleInsider

An international regulator is showing five unannounced Apple Mac models running macOS Big Sur, although unusually, the new listing also includes multiple Macs and iOS devices that have previously been registered.

Four new entries in the Eurasian Economic Commission’s regulatory database together list a total of 64 Apple devices — though only five have not appeared before. It’s unusual to see so many re-listings, and the EEC database does not explain them, but the new devices are required to be listed before they can go on sale.

All five of the entirely new entries are Macs listed, in translation, as “personal computers of the Apple trademark, and spare parts for it.” They are running “macOS software version 11.0.” These new devices have the model numbers A2348, A2438, A2439, A2337, and A2338.

Also listed and not yet released are Macs with macOS Big Sur model numbers A2147, A2158, and A2182. These three were previously listed on the EEC database in June 2019.

Given that this original date comes before the release of macOS Catalina, it’s possible that the re-listings are all to do with the devices now being registered as coming with macOS Big Sur installed.

Extract from the EEC database showing four new sections, each containing very many repeat listings — but some new Macs

Similarly, the EEC database shows 39 iOS devices as being new, but all are either existing devices or if they are yet to be released, have previously been listed. The nine iOS devices that have yet to be released were all listed in June 2020.

It’s likely that these refreshed iOS listings are in reality for the “iPhone 12” range that is expected to be launched at Apple’s “Hi, Speed” event. The timing of the re-listing is likely to be coincidence, however, and there is no way to deduce from EEC entries when the new Macs will be released.

Bloomberg: First Mac With Apple Silicon Will Be Announced in November – MacRumors

Apple is set to host its next event on Tuesday, October 13, where it is widely expected to unveil its iPhone 12 lineup and more, but those waiting for the first Apple Silicon Mac may have to be patient for a little bit longer.


Bloomberg‘s Mark Gurman today reported that the first Mac with a custom Apple Silicon processor will be announced as part of “another launch” in November. Gurman said this Mac will be a notebook, but rumors have conflicted on whether it will be a new 13-inch MacBook Pro, a new MacBook Air, or a revived 12-inch MacBook.

Gurman previously said the first Apple Silicon Mac would be announced “by” November, but today’s wording narrows this down to “in” November, making it unlikely that we will be hearing about Apple Silicon Macs at next week’s Apple event.

During its WWDC keynote in June, Apple announced that it will be switching from Intel to its own custom-designed processors for Macs starting later this year, promising industry-leading performance per watt. At the time, Apple said that it plans to ship the first Mac with Apple Silicon by the end of the year and complete the transition in about two years.

Apple Silicon processors are based on Arm architecture, meaning that future Macs will be able to run thousands of iPhone and iPad apps without any recompilation. These apps will be distributed through the Mac App Store, unless a developer opts out.

Chrome 86 brings password protections for Android and iOS, VP9 for macOS Big Sur – VentureBeat


Google today launched Chrome 86 for Windows, Mac, Linux, Android, and iOS. Chrome 86 brings password protections for Android and iOS, VP9 for macOS Big Sur, autoupgrades for insecure forms, File System Access API, focus indicator improvements, and a slew of developer features. You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers have to stay on top of everything available — as well as what has been deprecated or removed. Chrome 86, for example, deprecates support for FTP URLs, starting with 1% of users and ramping up to 100% by Chrome 88.

Security improvements on Android and iOS

Chrome for Android and iOS now tells you if the passwords you’ve asked Chrome to remember have been compromised. Chrome sends an encrypted copy of your usernames and passwords to Google, which checks them against lists of credentials known to be compromised. Because they are encrypted, Google cannot see your username or password, the company claims. If you have a compromised password, Chrome will take you directly to the right “change password” form.

The last part works if the website in question has set a well-known URL for changing passwords (such as domain.com/change-password). The purpose of the URL is to redirect users to the actual change password page. For more information, see “Help users change passwords easily by adding a well-known URL for changing passwords.”


Google also announced today it plans to bring Safety Check, first introduced in Chrome 83, to mobile. In addition to handling compromised passwords for you, Safety Check also flags whether Google’s Safe Browsing service is turned off and your Chrome version is up-to-date.

Android

Chrome 86 for Android is rolling out slowly on Google Play. The changelog isn’t available yet — it merely states that “This release includes stability and performance improvements.”

We do know, however, that Chrome for Android now has Google’s Enhanced Safe Browsing, which the company brought to Chrome for desktop earlier this year. Safe Browsing protects over 4 billion devices by providing lists of URLs that contain malware or phishing content to Chrome, Firefox, and Safari browsers, as well as to internet service providers (ISPs). Enhanced Safe Browsing takes that a step further with more proactive and tailored protections from phishing, malware, and other web-based threats. If you turn it on, Chrome proactively checks whether pages and downloads are dangerous by sending information about them to Google Safe Browsing.

If you’re signed in to Chrome, Enhanced Safe Browsing will further protect your data in Google apps you use (Gmail, Drive, etc.) “based on a holistic view of threats you encounter on the web and attacks against your Google Account.” Of those users who have enabled checking websites and downloads in real time, Google says its predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites.

iOS

Chrome 86 for iOS meanwhile is out on Apple’s App Store with the usual “stability and performance improvements.” Here is the full changelog:

  • You can now make Chrome your default browser.
  • You can check if your saved passwords have been compromised and, if so, how to fix them. Go to Chrome settings > passwords > check passwords.
  • You now have more sharing, opening and other options when you tap and hold on Bookmarks, history, recent tabs, and read later.
  • You’ll see improvements to the personalized stories on your new tab page.
  • If you have “Make searches and browsing better” turned on, Chrome will offer some additional protection by checking known phishing websites with Google in real time.

Google also promises that the next Chrome for iOS release will add more password features. There will be a biometric authentication step before autofilling passwords — you’ll be able to authenticate using Face ID, Touch ID, or your phone passcode.

Chrome for iOS autofill

You will soon also be able to autofill saved login details into other apps or browsers.

VP9 for macOS Big Sur

Chrome 86 brings the VP9 video codec to macOS Big Sur whenever it’s supported in the underlying hardware. VP9 is the successor to VP8, both of which fall under Google’s WebM project of freeing web codecs from royalty constraints.

If you use the Media Capabilities API to detect playback smoothness and power efficiency, the logic in your video player should automatically start preferring VP9 at higher resolutions. To take full advantage of this feature, Google recommends that developers encode their VP9 files in multiple resolutions to accommodate varying user bandwidths and connections.

Autoupgrading mixed content

Google has been coaxing developers to avoid HTTP in a bid to get the web to HTTPS. While Chrome users spend over 90% of their browsing time on HTTPS, Google isn’t done yet. Chrome 79 introduced a setting to unblock mixed scripts, iframes, and other types of content that the browser blocks by default. Chrome 80 started autoupgrading mixed audio and video resources in HTTPS sites by rewriting URLs to HTTPS without falling back to HTTP when secure content is not available. Chrome 81 started autoupgrading mixed images to HTTPS.

Chrome insecure form warning

Chrome 86 now autoupgrades forms that don’t submit data securely. Chrome for desktop and Android will show you a mixed form warning before you submit a non-secure form that’s embedded in an HTTPS page. Chrome 86 will also block or warn on insecure downloads initiated by secure pages for commonly abused file types. Secure pages will eventually only be able to initiate secure downloads of any type.

HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.

Google’s ultimate goal is to ensure HTTPS pages in Chrome can only load secure HTTPS subresources. If you’re a developer looking to clean up your mixed content, check out the Content Security Policy, Lighthouse, and this HTTPS guide.
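An added example, not taken from the article or from Chrome's own code: a small Python audit that flags, on an HTTPS page, the insecure form targets that trigger the Chrome 86 warning and the HTTP subresources the article says Chrome blocks or autoupgrades. The hostnames and sample markup are constructed, and the tag-to-behaviour table reflects only what the article states.

```python
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

Finding = namedtuple("Finding", "line tag attr url kind upgraded")

# Behaviour as described in the article: scripts and iframes are blocked by
# default, audio/video (Chrome 80) and images (Chrome 81) are rewritten to
# HTTPS, and insecure form targets get the Chrome 86 mixed-form warning.
SUBRESOURCES = {
    "script": "blocked", "iframe": "blocked",
    "audio": "autoupgraded", "video": "autoupgraded",
    "source": "autoupgraded", "img": "autoupgraded",
}


class MixedContentAuditor(HTMLParser):
    """Collects http:// references found in the markup of an HTTPS page."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        if urlsplit(page_url).scheme != "https":
            raise ValueError("mixed content is only defined for HTTPS pages")
        self.base_url = page_url
        self.findings = []

    def _check(self, tag, attr, value, kind):
        if not value or not value.strip():
            return  # absent or empty: nothing fetched, or the form posts to the page itself
        # Resolve relative and protocol-relative URLs before judging the scheme.
        resolved = urljoin(self.base_url, value.strip())
        parts = urlsplit(resolved)
        if parts.scheme == "http":
            upgraded = parts._replace(scheme="https").geturl()
            self.findings.append(
                Finding(self.getpos()[0], tag, attr, resolved, kind, upgraded))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base":
            # A <base href> changes how every later relative URL resolves.
            if a.get("href"):
                self.base_url = urljoin(self.base_url, a["href"].strip())
        elif tag == "form":
            self._check(tag, "action", a.get("action"), "mixed-form")
        elif tag in ("button", "input"):
            # formaction overrides the enclosing form's action on submit.
            self._check(tag, "formaction", a.get("formaction"), "mixed-form")
        elif tag in SUBRESOURCES:
            self._check(tag, "src", a.get("src"), SUBRESOURCES[tag])


def audit(page_url, html):
    """Return the list of Finding tuples for one HTTPS page."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page (hypothetical hosts under the reserved .test TLD).
SAMPLE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/static/local.png">
<form action="http://login.example.test/session" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="/search">
  <button formaction="http://legacy.example.test/q">Go</button>
</form>
<video src="HTTP://media.example.test/clip.webm"></video>
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f"line {f.line}: <{f.tag} {f.attr}> {f.url} [{f.kind}] -> {f.upgraded}")
```

Each finding carries the HTTPS form of the URL, so the fix can be tested by confirming the upgraded address actually serves the resource before the markup is changed.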

Security fixes

Chrome 86 implements 35 security fixes. The following were found by external researchers:

  • [$N/A][1127322] Critical CVE-2020-15967: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11
  • [$5000][1126424] High CVE-2020-15968: Use after free in Blink. Reported by Anonymous on 2020-09-09
  • [$500][1124659] High CVE-2020-15969: Use after free in WebRTC. Reported by Anonymous on 2020-09-03
  • [$N/A][1108299] High CVE-2020-15970: Use after free in NFC. Reported by Man Yue Mo of GitHub Security Lab on 2020-07-22
  • [$N/A][1114062] High CVE-2020-15971: Use after free in printing. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-08-07
  • [$TBD][1115901] High CVE-2020-15972: Use after free in audio. Reported by Anonymous on 2020-08-13
  • [$TBD][1133671] High CVE-2020-15990: Use after free in autofill. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
  • [$TBD][1133688] High CVE-2020-15991: Use after free in password manager. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
  • [$15000][1106890] Medium CVE-2020-15973: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-17
  • [$7500][1104103] Medium CVE-2020-15974: Integer overflow in Blink. Reported by Juno Im (junorouse) of Theori on 2020-07-10
  • [$7500][1110800] Medium CVE-2020-15975: Integer overflow in SwiftShader. Reported by Anonymous on 2020-07-29
  • [$7500][1123522] Medium CVE-2020-15976: Use after free in WebXR. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-08-31
  • [$5000][1083278] Medium CVE-2020-6557: Inappropriate implementation in networking. Reported by Matthias Gierlings and Marcus Brinkmann (NDS Ruhr-University Bochum) on 2020-05-15
  • [$5000][1097724] Medium CVE-2020-15977: Insufficient data validation in dialogs. Reported by Narendra Bhati (https://twitter.com/imnarendrabhati) on 2020-06-22
  • [$5000][1116280] Medium CVE-2020-15978: Insufficient data validation in navigation. Reported by Luan Herrera (@lbherrera_) on 2020-08-14
  • [$5000][1127319] Medium CVE-2020-15979: Inappropriate implementation in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-09-11
  • [$3000][1092453] Medium CVE-2020-15980: Insufficient policy enforcement in Intents. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab (腾讯安全玄武实验室) on 2020-06-08
  • [$3000][1123023] Medium CVE-2020-15981: Out of bounds read in audio. Reported by Christoph Guttandin on 2020-08-28
  • [$2000][1039882] Medium CVE-2020-15982: Side-channel information leakage in cache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
  • [$N/A][1076786] Medium CVE-2020-15983: Insufficient data validation in webUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-30
  • [$TBD][1080395] Medium CVE-2020-15984: Insufficient policy enforcement in Omnibox. Reported by Rayyan Bijoora on 2020-05-07
  • [$N/A][1099276] Medium CVE-2020-15985: Inappropriate implementation in Blink. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2020-06-25
  • [$N/A][1100247] Medium CVE-2020-15986: Integer overflow in media. Reported by Mark Brand of Google Project Zero on 2020-06-29
  • [$N/A][1127774] Medium CVE-2020-15987: Use after free in WebRTC. Reported by Philipp Hancke on 2020-09-14
  • [$N/A][1110195] Medium CVE-2020-15992: Insufficient policy enforcement in networking. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-28
  • [$500][1092518] Low CVE-2020-15988: Insufficient policy enforcement in downloads. Reported by Samuel Attard on 2020-06-08
  • [$N/A][1108351] Low CVE-2020-15989: Uninitialized Use in PDFium. Reported by Gareth Evans (Microsoft) on 2020-07-22

Google thus spent at least $72,000 in bug bounties for this release, a massive amount compared to its usual spend. As always, the security fixes alone should be enough incentive for you to upgrade.

Developer features

The File System Access API, first available as an Origin Trial, is now available in Chrome 86. The API lets developers build powerful web apps that interact with files on the user’s local device such as IDEs, photo and video editors, text editors, and so on.

Focus indicator improvements

Chrome 86 introduces two improvements to the focus indicator, a crucial feature for users who rely on assistive tech to navigate the web. The first is a CSS selector, :focus-visible, which lets a developer opt in to the same heuristic the browser uses when it’s deciding whether to display a default focus indicator. The second is a user setting called Quick Focus Highlight, which causes an additional focus indicator to appear over the active element. Importantly, this indicator will be visible even if the page has disabled focus styles with CSS, and it causes any :focus or :focus-visible styles to always be displayed.

Chrome offers Origin Trials, which let you try new features and provide feedback to the web standards community. Chrome 86 has five new Origin Trials: WebHID API, cross-screen window placement, battery-savings meta tag, secure payment confirmation, and Cross-Origin-Opener-Policy Reporting API.

As always, Chrome 86 includes the latest V8 JavaScript engine. V8 version 8.6 brings a more respectful code base, open sourced JS-Fuzzer, speed-ups in Number.prototype.toString, SIMD on Liftoff, and faster Wasm-to-JS calls. Check out the full changelog for more information.

Other developer features in this release include:

  • Altitude and Azimuth for PointerEvents v3: Adds Altitude and Azimuth angles to PointerEvents. Adds a transformation from tiltX and tiltY to altitude and azimuth, and one from altitude and azimuth to tiltX and tiltY, depending on which pair is available from the device. These angles are those commonly measured by devices. Altitude and azimuth can be calculated using trigonometry from tiltX and tiltY. From a hardware perspective it is easier and less expensive to measure tiltX and tiltY.
  • Change Encoding of Space Character when URLs are Computed by Custom Protocol Handlers: The navigator.registerProtocolHandler() handler now replaces spaces with “%20” instead of “+”. This makes Chrome consistent with other browsers such as Firefox.
  • CSS ::marker Pseudo-Element: Adds a pseudo-element for customizing numbers and bullets for <ul> and <ol> elements. This change lets developers control the color, size, bullet shape, and number type.
  • Document-Policy Header: Document Policy restricts the surface area of the web platform on a per-document basis, similar to iframe sandboxing, but more flexibly.
  • EME persistent-usage-record Session: Adds a new MediaKeySessionType named “persistent-usage-record session”, for which the license and keys are not persisted and for which a record of key usage is persisted when the keys available within the session are destroyed. This feature may help content providers understand how decryption keys are used for purposes like fraud detection.
  • FetchEvent.handled: A FetchEvent dispatched to a service worker is in a loading pipeline, which is performance sensitive. The new FetchEvent.handled property returns a promise that resolves when a response is returned from a service worker to its client. This enables a service worker to delay tasks that can only run after responses are complete.
  • HTMLMediaElement.preservesPitch: Adds a property to determine whether the pitch of an audio or video element should be preserved when adjusting the playback rate. This feature is wanted for creative purposes (for example, pitch-shifting in “DJ deck” style applications). It also prevents the introduction of artifacts from pitch-preserving algorithms at playback speeds very close to 1.00. It is already supported by Safari and Firefox.
  • Imperative Shadow DOM Distribution API: Web developers can now explicitly set the assigned nodes for a slot element. For information on how the new API solves these issues, see the Imperative Shadow DOM Distribution API explainer.
  • Move window.location.fragmentDirective: The window.location.fragmentDirective property has been moved to document.fragmentDirective. This is a change to the text fragments feature.
  • New Display Values for the <fieldset> Element: The <fieldset> element now supports ‘inline-grid’, ‘grid’, ‘inline-flex’, and ‘flex’ keywords for the CSS ‘display’ property.
  • ParentNode.replaceChildren() Method: Adds a method to replace all children of the ParentNode with the passed-in nodes.
  • Safelist Distributed Web Schemes for registerProtocolHandler(): Chrome has extended the list of URL schemes that can be overridden via registerProtocolHandler() to include cabal, dat, did, dweb, ethereum, hyper, ipfs, ipns, and ssb. Extending the list to include decentralized web protocols allows resolution of links to generic entities independently of the website or gateway that’s providing access to it. For more information, see Programmable Custom Protocol Handlers at are we distributed yet?
  • text/html Support for the Asynchronous Clipboard API: The Asynchronous Clipboard API currently does not support the text/html format. Chrome 86 adds support for copying and pasting HTML from the clipboard. The HTML is sanitized when it is read and written to the clipboard. This is also intended to help the replacement of document.execCommand() for copy and paste functionality.
  • WebRTC Insertable Streams: Enables the insertion of user-defined processing steps in the encoding and decoding of a WebRTC MediaStreamTrack. This allows applications to insert custom data processing. An important use case this supports is end-to-end encryption of the encoded data transferred between RTCPeerConnections via an intermediate server.
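
The end-to-end encryption use case from the WebRTC Insertable Streams item, as an added example (not code from the article or from Chrome): AES-GCM frame transforms of the kind an application would insert into the encoding and decoding path, exercised on a constructed frame so it runs in Node without a browser. The IV || ciphertext wire layout, the counter-based IV, the fixed demo key and all function names are assumptions of this example.

```javascript
// Added example. In a browser each transform would be the `transform` of a TransformStream.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const IV_LEN = 12, TAG_LEN = 16;

const importFrameKey = (raw) =>
  webcrypto.subtle.importKey("raw", raw, "AES-GCM", false, ["encrypt", "decrypt"]);

// Sender: wire format is IV || ciphertext+tag; a frame counter keeps the IV unique per key.
function makeEncryptor(key) {
  let counter = 0n;
  return async (frame, controller) => {
    const iv = new Uint8Array(IV_LEN);
    new DataView(iv.buffer).setBigUint64(4, counter++);
    const ct = await webcrypto.subtle.encrypt({ name: "AES-GCM", iv }, key, frame.data);
    const out = new Uint8Array(IV_LEN + ct.byteLength);
    out.set(iv, 0);
    out.set(new Uint8Array(ct), IV_LEN);
    frame.data = out.buffer;
    controller.enqueue(frame);
  };
}

// Receiver: frames that are too short or fail authentication are dropped, not forwarded.
function makeDecryptor(key) {
  return async (frame, controller) => {
    const buf = new Uint8Array(frame.data);
    if (buf.byteLength < IV_LEN + TAG_LEN) return;
    try {
      const iv = buf.subarray(0, IV_LEN);
      frame.data = await webcrypto.subtle.decrypt({ name: "AES-GCM", iv }, key, buf.subarray(IV_LEN));
      controller.enqueue(frame);
    } catch { /* tag mismatch: tampered frame or wrong key */ }
  };
}

// Constructed demo: sender -> intermediate server -> receiver, plus one tampered copy.
async function demo() {
  const key = await importFrameKey(new Uint8Array(16).fill(7)); // constructed key
  const sink = () => { const q = []; return { q, enqueue: (f) => q.push(f) }; };
  const sent = sink(), ok = sink(), bad = sink();
  const payload = Uint8Array.from([1, 2, 3, 4, 5, 6, 7, 8]); // constructed frame bytes
  await makeEncryptor(key)({ data: payload.buffer }, sent);
  const wire = new Uint8Array(sent.q[0].data);
  await makeDecryptor(key)({ data: wire.slice().buffer }, ok);
  const flipped = wire.slice();
  flipped[flipped.length - 1] ^= 1; // the relay flips one bit of the tag
  await makeDecryptor(key)({ data: flipped.buffer }, bad);
  return { wireLen: wire.length, plain: [...new Uint8Array(ok.q[0].data)], badCount: bad.q.length };
}
```

The intermediate server only ever sees the IV and ciphertext; how the two endpoints agree on the key is outside what this example covers.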

For a full rundown of what’s new, check out the Chrome 86 milestone hotlist.

Google releases a new version of its browser every six weeks or so. Chrome 87 will arrive in mid-November.