Chrome 63 Enters Stable Channel – Rolling Out to Windows, macOS and Linux with New Features & 37 Security Fixes


Google has started to roll out Chrome 63 to Mac, Windows, and Linux today following an early release for Android. The update brings a number of feature improvements along with security patches to over 37 vulnerabilities.

As reported earlier, the latest version of Chrome brings a redesigned chrome://flags page, changes to permissions drop down, and minimal UI for web apps, along with other small changes and performance improvements. The update for Android had also brought support for Android 8 Oreo's Smart Text Selection features along with an improved Chrome Home design.

Chrome 64 Enters Beta Channel, Brings Better Security Features, Resize Observer API, and Windows 10 HDR

Chrome 63 promoted to stable channel for desktop

"The Chrome team is delighted to announce the promotion of Chrome 63 to the stable channel for Windows, Mac and Linux," Krishna Govind of Google Chrome development team announced this evening. "This will roll out over the coming days/weeks." The update notably brings a slew of security features for enterprise customers, including:

  • Site Isolation: For enterprises with the highest security needs
  • Ability to restrict extensions based on required permissions
  • Rolling out version 1.3 of Transport Layer Security (TLS) and policy
  • Broader platform support for the NTLMv2 authentication protocol
  • Reducing Chrome crashes caused by third-party software (admins can check through chrome://conflicts)

More details on the above features are available over at Google.

Today's release brings Chrome to build 63.0.3239.84 and along with security features also contains a number of security fixes. Google has paid over $45,000 in bug bounties to researchers who reported and helped the company patch up security issues. These include a critical security vulnerability along with several rated as High Severity. Here are all the security issues that were fixed:

[$10500][778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26

[$6337][762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent's Xuanwu LAB on 2017-09-06

[$5000][763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11

[$5000][765921] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16

[$5000][770148] High CVE-2017-15411: Use after free in PDFium. Reported by

Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
[$3500][727039] High CVE-2017-15412: Use after free in libXML. Reported by

Nick Wellnhofer on 2017-05-27
[$500][766666] High CVE-2017-15413: Type confusion in WebAssembly.

Reported by Gaurav Dewan(@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19

[$3337][765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15

[$2500][779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28

[$2000][699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia . Reported by Max May on 2017-03-07

[$1000][765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15

[$1000][780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31

[$500][777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23

[$TBD][774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13

[$500][778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25

[$N/A][756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16

[$N/A][756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2017-08-17

[$N/A][756735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18

[$N/A][768910] Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. Reported by Junaid Farhan ( on 2017-09-2

Since the update can take up to a few weeks to reach out to your devices, you can also download this APK signed by Google itself for your devices (Android only).