Microsoft: “We found the following scenarios to be severely degraded…”
Chrome 78, the latest build of the world’s most widely used web browser, “severely degrades” Microsoft cloud services, Microsoft warned today.
Chrome 78 users are likely to find themselves locked out of the Azure portal, unable to sign into websites that use the Microsoft .NET framework and more, Microsoft said, adding that Google has yet to share a date for a fix.
A beta release of the Chrome 78 build was made available Thursday September 19. Google plans to push out a stable release October 22.
Microsoft strongly urged customers to avoid using Chrome 78 until a full-fat version of the browser is generally available with a fix for the issue – which breaks authentication flows based on the OpenID Connect standard.
Chrome 78: What’s Happening?
The issue stems from Google’s efforts to tackle tracking cookie abuse and cross-site request forgery (an attack that tricks an end user into executing unwanted actions on a web application) through a standard known as SameSite.
The company recognises that roll-out may be problematic, saying “some sites relying on third-party cookies may break temporarily until developers add ‘SameSite=None’”.
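As an added illustration (not code from Microsoft, Google or the original article), the sketch below audits Set-Cookie headers the way a browser that defaults cookies to SameSite=Lax would treat them, and flags the ones that need “SameSite=None”. It also models the companion Chromium rule that SameSite=None is only honoured alongside Secure; the function names and sample cookies are assumptions constructed for the example.

```javascript
// Added example: how a browser that defaults cookies to SameSite=Lax handles
// each Set-Cookie header. Baseline rule only; temporary browser mitigations
// are not modelled. All cookie names and values below are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "samesite") cookie.sameSite = value;
    if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

function classify(header) {
  const { name, sameSite, secure } = parseSetCookie(header);
  if (sameSite === "none") {
    // Companion rule: SameSite=None is only honoured together with Secure.
    return secure
      ? { name, effective: "None", crossSitePost: true, fix: null }
      : { name, effective: "rejected", crossSitePost: false, fix: "add Secure" };
  }
  if (sameSite === "strict") {
    return { name, effective: "Strict", crossSitePost: false, fix: null };
  }
  // Missing or unrecognised SameSite falls back to Lax: the cookie is withheld
  // from cross-site POSTs and iframes, which cross-site sign-in responses and
  // silent token refreshes can rely on.
  const fix = sameSite === "lax" ? null : "set SameSite=None; Secure if cross-site use is intended";
  return { name, effective: "Lax", crossSitePost: false, fix };
}

// Return only the cookies whose handling changes and needs developer action.
function audit(headers) {
  return headers.map(classify).filter((r) => r.fix !== null);
}

// Constructed sample: cookies a relying party might set during sign-in.
const sample = [
  "app_nonce=abc123; Path=/; HttpOnly",
  "app_session=xyz; Path=/; Secure; HttpOnly; SameSite=None",
  "app_state=q1; Path=/; SameSite=None",
  "prefs=dark; Path=/; SameSite=Lax",
];
console.log(audit(sample));
```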
Testing of the new Chrome version by Microsoft revealed that the following services were “severely degraded”, the company said.
- “Signing in to important sites such as the Azure portal fails and generates an error.”
- “Signing in to Microsoft Power BI enters a loop and eventually generates an error.”
- “Sign-out messages from certain sites indicate a successful sign-out. However, the cookie clearing process fails, and this keeps the user signed in.”
- Signing in and signing out fails on many customer-developed websites that use some versions of Microsoft .NET Framework and .NET Core to process authentication tokens.
- Customer-developed applications that do silent token refreshing in MSAL or ADAL against Azure Active Directory (Azure AD), Microsoft Account, or Active Directory Federation Services (AD FS) fail to sign in.
Google’s Lily Chen posted in a Chromium group on September 12: “We are working on publishing developer guidance on how to work around incompatible clients. That should be ready soon, and I will post a link to it here when that is out.”
Microsoft said in a support update: “We understand that Google is planning to provide enterprises the ability to override these changes.
“However, Google has not shared with Microsoft any further details about these overrides or the dates on which the overrides might become available.”
The company said it “strongly recommends” that customers avoid using the Beta release in their production environments when they access Microsoft services: “If developers have to use the Beta release for website testing, we recommend that they use a different browser to access Microsoft services.”
The news came as Microsoft confirmed a bug for Office 365 users today that saw many asked to verify their identity when opening shared SharePoint/OneDrive file links.
“We’ve confirmed that the issue is cosmetic and files themselves are not affected,” Microsoft said. “Users may click Cancel on the prompt and continue to view the files without issue.”