Chrome 63 Enters Stable Channel – Rolling Out to Windows, macOS and Linux with New Features & 37 Security Fixes

Google has started to roll out Chrome 63 to Mac, Windows, and Linux today following an early release for Android. The update brings a number of feature improvements along with security patches to over 37 vulnerabilities.

As reported earlier, the latest version of Chrome brings a redesigned chrome://flags page, changes to permissions drop down, and minimal UI for web apps, along with other small changes and performance improvements. The update for Android had also brought support for Android 8 Oreo’s Smart Text Selection features along with an improved Chrome Home design.

RelatedChrome 63 Overhauls Security and Redesigns Bookmark Manager On Mac, Windows, Linux, Chrome OS

Chrome 63 promoted to stable channel for desktop

“The Chrome team is delighted to announce the promotion of Chrome 63 to the stable channel for Windows, Mac and Linux,” Krishna Govind of Google Chrome development team announced this evening. “This will roll out over the coming days/weeks.” The update notably brings a slew of security features for enterprise customers, including:

More details on the above features are available over at Google.

Today’s release brings Chrome to build 63.0.3239.84 and along with security features also contains a number of security fixes. Google has paid over $45,000 in bug bounties to researchers who reported and helped the company patch up security issues. These include a critical security vulnerability along with several rated as High Severity. Here are all the security issues that were fixed:

[$10500][778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26

RelatedChrome 63 Goes Live with New Flags Page, Changes to Home UI, Improved Stability and Performance

[$6337][762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent’s Xuanwu LAB on 2017-09-06

[$5000][763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11

[$5000][765921] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16

[$5000][770148] High CVE-2017-15411: Use after free in PDFium. Reported by

Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
[$3500][727039] High CVE-2017-15412: Use after free in libXML. Reported by

Nick Wellnhofer on 2017-05-27
[$500][766666] High CVE-2017-15413: Type confusion in WebAssembly.

Reported by Gaurav Dewan(@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19

[$3337][765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15

[$2500][779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28

[$2000][699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia . Reported by Max May on 2017-03-07

[$1000][765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet’s FortiGuard Labs on 2017-09-15

[$1000][780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31

[$500][777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-23

[$TBD][774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13

[$500][778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25

[$N/A][756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16

[$N/A][756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent’s Xuanwu Lab on 2017-08-17

[$N/A][756735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-08-18

[$N/A][768910] Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. Reported by Junaid Farhan ( on 2017-09-2

Since the update can take up to a few weeks to reach out to your devices, you can also download this APK signed by Google itself for your devices (Android only).

Tweet Share


Ready to See ISPs Cheering? Here's How to Watch Ajit Pai Vote to Repeal Net Neutrality [Livestream]

Galaxy S9 Rumored to Fail Testing Phase - Might Feature the Same Bezels as the Galaxy S8

Facing Issues With Multi Touch Feature After Updating To Android 8.1? You're Not Alone

Essential Phone To Get Double Tap To Wake and EIS Features, Project Treble For Faster Updates

AMD Readies Mobility Aimed Ryzen 5 and Ryzen 3 APUs With Vega 11 and Vega 8 Graphics - Will Launch in 65W - 35W Variants