Google has introduced Application-Bound Encryption in Chrome 127 for Windows users to enhance security measures.

Description

This new feature encrypts data tied to app identity [1], similar to Keychain on macOS, to prevent unauthorized access [3] [5] [8] [9]. Leveraging the operating system's Data Protection API (DPAPI) [5], the encryption method interweaves Chrome's identity into the encrypted data [10], making that data harder for malicious apps to access [10]. Initially, only cookies will be migrated to this improved storage method [1], with plans to expand it to passwords [1], payment data [1] [3] [4] [6] [7] [8] [10], and other authentication tokens in the future [1] [4] [6].

The encryption key is strongly bound to the machine, making it unsuitable for environments where Chrome profiles roam between machines [10]. Organizations are advised to configure the ApplicationBoundEncryptionEnabled policy for roaming profiles [10]. The update also includes enhanced Safe Browsing [10], Device Bound Session Credentials [10], and automated scans for suspicious files [10]. This move comes after Google announced it would not deprecate third-party cookies in Chrome [10], raising concerns about tracking and data collection [10].

This update will implement application-bound encryption for cookies [6], similar to how macOS Keychain operates [3] [6]. The new security measure aims to make attacks harder and more likely to be detected, particularly in cases of session cookie theft [6]. Chrome 127 updates for Windows [2], macOS [2] [3] [4] [6] [7], and Linux also address high-severity flaws (CVE-2024-7255 and CVE-2024-7256), with Google urging immediate implementation of the fixes despite the lack of active exploitation [2]. This change is significant for Chrome users on Windows [6], as it represents a core OS-level security enhancement rather than just a browser update [6].

Enterprises that wish to support roaming profiles should follow current best practices and can use the ApplicationBoundEncryptionEnabled policy to configure app-bound encryption [9]. Chrome emits an event (ID 257) in the Application log when a failed verification occurs [9], helping to detect any incompatibilities and increase the cost of data theft for attackers [9]. This protection helps defenders define acceptable behavior for other apps on the system [9]. Antivirus programs like Bitdefender and Malwarebytes will be able to detect this new security approach [7]. Microsoft is considering making Mac-like changes to Windows security following a recent IT outage caused by a faulty update from CrowdStrike [7]. Chrome users are advised to update their browsers to the latest version to stay safe [7].
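For defenders who want to act on the event ID 257 signal described above, the following PowerShell sketch buckets failed-verification events into time windows so that isolated incompatibilities can be told apart from repeated failures. It is an added example, not code from Google or from the cited articles; the event source name `Chrome`, the function name, the threshold and the window size are assumptions, and the sample records are constructed.

```powershell
# Added example: triage of Chrome event ID 257 (failed app-bound verification).
# Assumptions: provider name 'Chrome'; threshold and window values are illustrative.
function Get-AppBoundFailureWindow {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [object[]] $Events,          # records exposing TimeCreated, Id, ProviderName
        [int] $Threshold = 3,        # failures per window that warrant review
        [int] $WindowMinutes = 10    # bucket size in minutes
    )
    $Events |
        Where-Object { $_.Id -eq 257 -and $_.ProviderName -eq 'Chrome' } |
        Group-Object {
            # Round each timestamp down to the start of its window
            $t = $_.TimeCreated
            $t.AddMinutes(-($t.Minute % $WindowMinutes)).ToString('yyyy-MM-dd HH:mm')
        } |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{ WindowStart = $_.Name; Failures = $_.Count }
        }
}

# Constructed sample records (not real log data)
$base = Get-Date '2024-08-05 09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(1);  Id = 257;  ProviderName = 'Chrome' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(2);  Id = 257;  ProviderName = 'Chrome' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(4);  Id = 257;  ProviderName = 'Chrome' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(5);  Id = 1000; ProviderName = 'Application Error' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(95); Id = 257;  ProviderName = 'Chrome' }
)

# Reports one window (2024-08-05 09:00, 3 failures); the lone 10:35 event stays below the threshold
Get-AppBoundFailureWindow -Events $sample

# On a live Windows host, feed it the Application log instead:
# $live = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Chrome'; Id = 257 } -ErrorAction SilentlyContinue)
# Get-AppBoundFailureWindow -Events $live -Threshold 1
```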

Conclusion

The introduction of Application-Bound Encryption in Chrome 127 for Windows users represents a significant step towards enhancing security measures. This new feature [1] [3], along with other updates, aims to make attacks harder and more likely to be detected [6], particularly in cases of session cookie theft [6]. Organizations and users are advised to implement fixes and updates promptly to ensure their systems are protected. These security enhancements may lead to further improvements in data protection and privacy for Chrome users.

References

[1] https://www.neowin.net/news/google-chrome-on-windows-will-get-a-new-layer-of-protection-for-cookies-and-passwords/
[2] https://www.scmagazine.com/brief/increased-cookie-protection-vulnerability-patches-introduced-in-chrome-update
[3] https://securityboulevard.com/2024/08/google-using-enhanced-encryption-to-protect-cookies/
[4] https://www.bitdefender.com/blog/hotforsecurity/google-chrome-plans-to-thwart-infostealer-malware-via-app-bound-encryption/
[5] https://securityonline.info/google-chrome-strengthens-cookie-security-on-windows-with-app-bound-encryption/
[6] https://www.forbes.com/sites/zakdoffman/2024/07/31/google-chrome-update-warning-1-billion-microsoft-windows-10-windows-11-users/
[7] https://www.digitaltrends.com/computing/keep-sensitive-data-safe-with-this-critical-chrome-update/
[8] https://duo.com/decipher/google-enables-app-bound-encryption-in-chrome
[9] https://cybersecuritynews.com/google-chrome-now-prevent-users-from-cookie-steal-malware-on-windows/
[10] https://thehackernews.com/2024/08/google-chrome-adds-app-bound-encryption.html