Google has released Chrome 135, alongside a stable update for Chromium, the open-source foundation of Chrome. While Chromium serves as the core, Chrome adds proprietary features such as Google branding, crash-notification systems, DRM support for protected video playback, automatic updates, built-in Sandbox isolation, Google API keys, and so on. For those needing more time to upgrade, the Extended Stable branch remains available for 8 weeks. The next version, Chrome 136, is slated for release on April 29.

Key Changes in Chrome 135
1. Enhanced Privacy with HSTS Cache Protection
Chrome 135 introduces safeguards against covert user identification via the HSTS (HTTP Strict Transport Security) cache. HSTS lets websites move users from HTTP to HTTPS, and the browser stores the hostnames that requested it in an internal cache. Malicious actors could exploit this cache by using arrays of images hosted on different domains to encode user IDs. Chrome now blocks HSTS updates for subresource requests, limiting updates to top-level resources only. This prevents hidden tracking through cached HSTS data.
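The effect of the policy change can be modelled with a small HSTS cache. This is an added example, not Chromium code or part of the original article; the `HstsCache` class, its `topLevelOnly` flag and the `*.example` hosts are assumptions made for illustration.

```javascript
// Simplified model of a browser HSTS cache (added example, not Chromium code).
// RFC 6797: the header counts only on HTTPS responses; max-age=0 removes the entry.
class HstsCache {
  constructor({ topLevelOnly }) {
    this.topLevelOnly = topLevelOnly; // true models the Chrome 135 behaviour
    this.entries = new Map();         // host -> expiry time (ms since epoch)
  }

  // Returns max-age in seconds, or null when the directive is missing.
  static parseMaxAge(header) {
    for (const part of String(header).split(';')) {
      const m = /^\s*max-age\s*=\s*"?(\d+)"?\s*$/i.exec(part);
      if (m) return Number(m[1]);
    }
    return null;
  }

  // resp: { url, isTopLevel, sts } where sts is the header value or undefined.
  observe(resp, now = Date.now()) {
    const u = new URL(resp.url);
    if (u.protocol !== 'https:' || resp.sts === undefined) return false;
    if (this.topLevelOnly && !resp.isTopLevel) return false; // subresource ignored
    const maxAge = HstsCache.parseMaxAge(resp.sts);
    if (maxAge === null) return false;
    if (maxAge === 0) this.entries.delete(u.hostname);
    else this.entries.set(u.hostname, now + maxAge * 1000);
    return true;
  }

  wouldUpgrade(host, now = Date.now()) {
    const exp = this.entries.get(host);
    return exp !== undefined && exp > now;
  }
}

// Constructed sample: one page load whose images come from three other hosts,
// two of which answer with an HSTS header. All host names are placeholders.
const SAMPLE = [
  { url: 'https://news.example/', isTopLevel: true, sts: 'max-age=31536000' },
  { url: 'https://b0.tracker.example/p.png', isTopLevel: false, sts: 'max-age=31536000' },
  { url: 'https://b1.tracker.example/p.png', isTopLevel: false },
  { url: 'https://b2.tracker.example/p.png', isTopLevel: false, sts: 'max-age=31536000' },
];

// Hosts that hold HSTS state after the page load under the given policy.
function hostsWithState(topLevelOnly) {
  const cache = new HstsCache({ topLevelOnly });
  SAMPLE.forEach((r) => cache.observe(r));
  return SAMPLE.map((r) => new URL(r.url).hostname).filter((h) => cache.wouldUpgrade(h));
}
```

With `topLevelOnly` set to `false` the image hosts leave a per-host pattern in the cache; with `true` only the visited site itself is recorded.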
2. AI-Powered Password Security
A locally executed machine learning model improves detection of password fields and automates compromised password changes. If Chrome detects a vulnerable password during login, it warns the user and offers to generate a strong replacement. Upon approval, Chrome updates the password on the site, saves it to the password manager, and uses AI to fill out necessary forms. This feature ensures seamless and secure password management.
3. Fraud Detection with Large Language Models (LLMs)
In Enhanced Protection mode, Chrome now leverages LLMs to analyze page content for potential fraud. The AI runs locally, but suspicious pages trigger additional server-side checks. If confirmed, users receive a warning. Currently, this feature applies to pages using the Keyboard Lock API.
4. Synced Extensions Across Devices
Users who link Chrome to their Google account can now sync installed extensions to their account. These extensions automatically load on all devices where the user is signed in. Additionally, synced settings, shortcuts, and themes are stored separately from local configurations. Disabling Chrome Sync no longer affects local settings, ensuring a smooth transition between synced and standalone modes.
5. Unified Password Manager on Android
The Android version of Chrome replaces its built-in password manager with the unified Google Password Manager, accessible via Google Play. Users can export old password data in CSV format for migration to alternative managers.
6. Stricter Cookie Controls in Incognito Mode
Incognito mode now enforces browser-level blocking of third-party cookies, which advertisers and analytics tools often use to track users across sites. While site-side cookie management remains unchanged, the BlockThirdPartyCookies setting cannot be disabled in incognito mode, ensuring enhanced privacy for private browsing sessions.
7. Closed vulnerabilities and bug bounty rewards
In addition to improvements and bug fixes, the new version closes 14 vulnerabilities. Many of the vulnerabilities were identified through automated testing with the tools AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer and AFL. No critical issues were identified that would allow bypassing all levels of browser protection and executing code in the system outside the sandbox environment.
Under its vulnerability reward program, Google has paid out 8 rewards totaling $17,000 for the current release (one reward of $10,000 and two rewards of $2,000, $1,000 and $500).
You can get Chrome from its home page.