Google on Tuesday released Chrome 19, patched 20 vulnerabilities in the browser and doled out $16,500 in bug bounties and rewards to independent researchers.
Chrome 19’s most obvious change is the new support for tab synchronisation. Like the already available bookmark, password, app and extension sync, open tabs will now be kept in step on all copies of Chrome, on multiple platforms, including Android, that are linked to the same Google account.
Although Chrome 19 supports the feature, synchronisation will not be enabled for all users immediately, said Raz Mathias, a Chrome software engineer. “The tab sync feature will be rolled out gradually over the coming weeks,” Mathias said in a Tuesday blog.
Chrome is not breaking ground here.
Chrome was last upgraded seven weeks ago. Google releases a new “stable” version about every six to eight weeks and has been on a slightly slower schedule recently than rival Mozilla’s strict every-six-weeks tempo.
Chrome 19 also includes patches for 20 security vulnerabilities: Eight were ranked “high,” Google’s second-most-serious threat rating, seven were marked “medium,” and five were labeled “low.”
Seven of the vulnerabilities were described in Google’s brief advisory as “out-of-bounds” read or write flaws, a category of memory bugs where a function does not check that input doesn’t exceed allocated buffers.
Google paid $7,500 in bounties to six researchers for reporting nine vulnerabilities, including two that were not strictly within Chrome. One of the latter was a bug in a Linux Nvidia driver, for example.
The 11 remaining bugs were uncovered by Google’s own security team or were credited to Microsoft, or were not significant enough to rate a bounty.
Google also handed over an additional $9,000 to half-a-dozen researchers, some of whom collected other cash rewards, for reporting bugs that were patched by Google earlier in Chrome 19’s development process.
So far this year, Google has paid more than $230,000 to outside researchers for submitting Chrome vulnerabilities. More than half of that – $120,000 – was laid out in March at “Pwnium,” a Google-sponsored hacking challenge.
Tuesday’s update was the 13th this year that patched one or more vulnerabilities.
According to the latest figures from metrics company Net Applications, Chrome has a usage share of about 19%. Irish measurement firm StatCounter, on the other hand, pegged Chrome’s share for April at 31%.
Chrome 19 can be downloaded for Windows, Mac OS X and Linux from Google’s website. The browser is updated automatically through its silent service.
Google has released Chrome from the penalty box and reinstated the browser’s PageRank after a 60-day self-imposed sentence over a rule-breaking marketing campaign.
At some point during March, Google lifted the penalty it had imposed on Chrome the first week of January, when it demoted the search ranking of the browser’s download page, google.com/chrome. It’s unclear when Google restored the browser’s search rank; SearchEngineLand first reported the punishment’s expiration on March 16.
The decision to reduce Chrome’s PageRank, the rating Google assigns to sites based on how many other sites link to them, came after SEO Book and SearchEngineLand revealed a marketing campaign that paid bloggers to create generic posts that linked to a video touting Chrome to small businesses. Google forbids sponsored links, and the company has aggressively punished violators in the past.
On January 4, Matt Cutts, who heads the Google team responsible for monitoring linking rules, announced that the Chrome download site’s PageRank would be downgraded and kept there for at least 60 days. Google demoted the download page’s search ranking to 0, the lowest possible score in PageRank’s 0-10 range.
On March 24, several PageRank tools put the Chrome download page at 7. Tests confirmed the improved PageRank by running searches using words such as “browser.” That term now pulls a results page with Chrome in the third spot on the first page. During the penalty period, Chrome’s download site was pushed all the way down to the sixth result on the fifth page.
Mozilla’s Firefox remains the top result of a search using “browser.”
Although web metrics company Net Applications blamed the punishment for the largest-ever decline in Chrome’s usage share during January, numbers from Irish measurement firm StatCounter told a different story.
According to StatCounter, Chrome’s share continued to climb during the penalty period, increasing by 1.1 percentage points in January, 1.4 points in February and 1 point so far this month. The gains were very much in line with StatCounter’s tracking of Chrome increases during 2011, which averaged just over 1 percentage point each month.
StatCounter currently has Chrome at a 30.8% share, second only to Microsoft’s Internet Explorer. Meanwhile, Net Applications put Chrome’s global share at 18.9%.
Google has patched nine vulnerabilities in Chrome in the sixth security update to Chrome 17, the edition that launched on February 8.
The update was the first since the Chrome security team issued a pair of quick fixes during the “Pwnium” hacking event held earlier this month at the CanSecWest security conference.
Six of the nine bugs patched were rated “high,” the second-most dire ranking in Google’s threat system. One was marked “medium,” and the remaining two were labeled “low.”
Google paid $5,500 in bounties to four researchers for reporting five bugs. The four other vulnerabilities were uncovered by members of Google’s own security team or were too minor to be eligible for a bonus.
Three of the four researchers who reported flaws fixed in Chrome 17 have been recently recognised by Google.
Sergey Glazunov, who received a $2,000 bounty for submitting a bug described by Google as “cross-origin violation with ‘magic iframe’,” was one of two $60,000 prize winners at Pwnium earlier this month.
Glazunov was the first to claim cash at Pwnium, the Chrome-only hacking challenge that Google created after it withdrew from the long-running Pwn2Own contest over objections about the latter’s exploit reporting practices.
Two others, Arthur Gerkis and a researcher known as “miaubiz”, received $1,000 and $2,000, respectively, for bugs that Google patched.
Gerkis and miaubiz were two of the three outside bug hunters who were given special $10,000 bonuses three weeks ago for what Google called “sustained, extraordinary” contributions to its vulnerability reporting programme.
So far this year, Google has paid nearly $200,000 to outside researchers through its bug bounty and Pwnium programs.
Google will not be patching a Chrome bug revealed in “Pwn2Own,” the other hacking contest that ran at CanSecWest.
At Pwn2Own, a team from the French security firm Vupen exploited Chrome by using a one-two punch of a bug in Flash Player – which Google bundles with its browser – and a Chrome “sandbox escape” vulnerability.
Because Pwn2Own sponsor HP TippingPoint’s Zero Day Initiative (ZDI) bug bounty programme does not require researchers to disclose sandbox escape vulnerabilities, Google was not told how the Vupen team hacked Chrome.
The update to Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google’s website. Users running the browser will receive the new version automatically through its silent, in-the-background update service.
Google has patched four vulnerabilities in Chrome, and disclosed that it had patched a fifth two weeks ago.
The refresh of Chrome 16 was the second security-related update for the browser this month.
One of the five bugs Google said had been quashed was actually a leftover from the 9 January update. According to a blog post by Anthony Laforge, a Chrome program manager, that flaw was actually patched two weeks ago, but “[was] accidentally excluded from the release notes” at the time.
The vulnerability was the most serious of the five, rating a “critical” ranking, Google’s top threat label.
According to the bug-tracking materials for Chromium, the open-source project that feeds code into Chrome, the critical bug caused the browser to crash when users saw Chrome’s anti-malicious site warning and then refreshed the page.
Researcher Chamal de Silva reported the vulnerability in mid-December 2011, and was awarded £2,000 ($3,133) – Google’s highest bounty – for his work. de Silva’s bug was only the third time Google has paid out the maximum, and the first time since June 2011.
In July 2010, Google boosted its top dollar bounty from £856 to £2,000 ($1,337 to $3,133), making the move less than a week after rival Mozilla increased Firefox bug bounties to £1,922 ($3,000).
Two other researchers who reported three of the remaining vulnerabilities were paid a total of £1,922 in bounties. Those bugs were rated as “high” threats.
Google has paid out more than £5,000 ($8,000) so far this year to independent researchers for filing bug reports. Last year, the search giant spent more than £116,000 ($180,000) on bounties.
Chrome accounted for 19.1 percent of all browsers used last month, a record for Google, according to Web metrics firm Net Applications. If its share movement continues on past pace, Chrome will crack the 20 percent mark either this month or next.
Chrome 16, the current stable edition, can be downloaded from Google’s website.
Nine months after first being put into testing, the new version of Chrome will at last include filtering against inadvertently downloading malware executables, Google has announced.
Reported as being on the browser’s long list as long ago as April 2011, the version 17 beta can identify known malicious websites using the software’s Safe Browsing API and block downloads hosted on such domains.
The release notes mention only .exe and .msi files as being covered, but the developers offer hope that this will be extended over the course of 2012.
“Remember, no technical mechanism can ever protect you completely from malicious downloads. You should always be careful about which files you download and consider the reputation of their source,” said Google developer, Dominic Hamon.
In other words, the effectiveness of the technology will always depend on the ability of the central Safe Browsing system to quickly detect which domains are suspect, and that’s never going to be perfect.
The feature will also be able to block downloads from domains identified as being sources of malicious files, which covers legitimate domains that have been hijacked to host malware.
The benefit of the new security layer is to protect against files the user agrees to download without realising the danger in doing so, a common element of many fake anti-virus programs, to pick one scenario.
The Chrome 17 beta also shows off the software’s new address bar which will in some cases be able to start loading web pages before the full address has been entered.
If the algorithms determine which site is likely from the entered text, Chrome will be able to pre-render it, reducing loading times to near instant, Hamon said.
Google paid out a record £16,215 ($26,511) in bug bounties to researchers who reported some of the 18 Chrome vulnerabilities patched today.
The company also upgraded the stable version of the browser to version 15, which sports a revamped New Tab page.
Google last refreshed Chrome on 16 September, just over five weeks ago. Google produces an update to its “stable” channel about every six weeks, a practice that rival Mozilla copied with the debut of Firefox 5 last June.
Eleven of the 18 vulnerabilities were rated “high,” the second-most-serious ranking in Google’s scoring system, while three were tagged “medium” and another four were marked “low.”
Google paid £16,215 in bounties, a record, to four researchers, including £8,528 ($13,674) to Sergey Glazunov and £6,447 ($10,337) to “miaubiz,” a pair of regular Chrome vulnerability finders who together have accounted for 57 percent of all bug payments this year. Google has laid out over £106,018 ($170,000) in bounties so far during 2011.
The previous bounty record, set more than two months ago, was £10,602 ($17,000).
Glazunov and miaubiz collected their five-figure checks for reporting multiple bugs that Google then combined into one CVE (Common Vulnerabilities and Exposures) identifier.
Glazunov, for example, was awarded £7,575 ($12,147) for five bugs that Google named only as “cross-origin policy violations” and pooled under a single CVE in its typically terse description.
Miaubiz, meanwhile, was paid £3,952 ($6,337) for one CVE that actually contained six different bugs tracked by Google in its change database.
As is its habit, Google barred access to the bug tracker database for all the vulnerabilities to prevent outsiders from obtaining details on the flaws.
Most of the bugs uncovered by miaubiz, said Google, were discovered using the company’s memory error detection tool, AddressSanitizer, that it released in June.
AddressSanitizer can detect a variety of errors, including “use-after-free” memory management bugs like the ones reported by miaubiz.
Google also said it updated Chrome to stymie BEAST, for “Browser Exploit Against SSL/TLS,” a hacking tool released last month that attacks browsers and decrypts cookies, potentially giving attackers access to encrypted website log-on credentials.
Previously, Google had added anti-BEAST protection to Chrome’s “dev” and “beta” channels, the rougher-edged versions that precede the stable build.
Microsoft has promised to patch Windows so that its Internet Explorer isn’t vulnerable to BEAST’s attacks, but has not set a timetable.
Chrome 15’s most obvious change, however, is the redesigned New Tab page that appears when users click the right-most tab at the top of the browser’s window or press the Ctrl-T key combination.
The new format offers easier navigation between online apps and most-used websites, the ability to organize apps by dragging and dropping, and a simpler way to remove apps or sites from the screen.
Chrome 15 can be downloaded for Windows, Mac OS X and Linux from Google’s Web site. Users already running the browser will be updated automatically via the browser’s behind-the-scenes service.
Google updated Chrome over the weekend to help users affected by Microsoft’s errant flagging of the browser as malware.
New versions of Chrome for both the “stable” and “beta” channels were released Saturday, the day after Microsoft’s antivirus products identified Chrome as the Zeus botnet Trojan, and deleted the “chrome.exe” file on some users’ Windows PCs.
Although Microsoft re-released an antivirus definition file within hours of the Friday snafu, scores of Chrome users reported that they were unable to reinstall the browser or that if they had, they had lost their browser bookmarks.
“The team rolled out another update of the Chrome stable and beta builds to ensure that users who may have had their Chrome executable deleted due to the faulty [Microsoft Security Essentials antivirus] updater would receive a new update of Chrome,” the spokeswoman said.
According to the spokeswoman, the Chrome updates made moot the manual uninstall/reinstall process that Google had outlined the day before.
“We rolled out new builds so that assuming [users'] MSE tools were updated and they received the new Chrome exe, their browser would be restored,” she added.
Computerworld replicated Security Essentials’ error by manually deleting chrome.exe, but even after Chrome’s Saturday update had trouble reinstalling the browser in Windows 7. Only after uninstalling the remainder of Chrome, using Windows 7’s “Uninstall or change a program” Control Panel app, was Computerworld able to download the update and restore Google’s browser.
Microsoft has not replied to questions about the impact of its goof on Chrome’s bookmarks, but Google implied that the reports of vanishing bookmarks could be explained by users erroneously checking a box during the manual uninstallation process.
“Bookmarks, etc. should remain unless users checked the box ‘Also delete your browsing data?’ during the manual uninstall/reinstall,” the Google spokeswoman said.
Microsoft said its initial telemetry indicated that approximately 3,000 Chrome users had been affected by the flawed antivirus update. It also apologised for the fiasco.