
Google Releases Chrome 6, Pays $4337 In Bounties

Posted by timothy
from the working-in-the-background dept.
Trailrunner7 writes "Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team." (Read on for more, below.)
Also on the Chrome front, morsch writes "Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet to securely store saved browser passwords. Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text. On Windows, Chrome has always used a platform-specific crypto API call for encrypted storage. The corresponding Linux function was never implemented — until now. Unstable versions of Chrome 7 still disable the feature by default; it can be enabled using a parameter."

  • Google's honoring a password security effort in Linux, and at least calling a crypto function in Windows... but why no support for the OSX Keyring?
  • $4337 in bounties? (Score:1, Interesting)

    by Anonymous Coward

    $ 4337 in bounties? So that's one real hard bug $ l337 and $ 3000 worth of bugs that the skript-kiddies could have got.

  • Print Preview? (Score:1, Interesting)

    by bunratty (545641)
    Does Chrome 6 have print preview? Can you open files with helper applications without having to delete them manually later? Do Flash videos play the audio correctly?
    • Re:Print Preview? (Score:5, Informative)

      by Anonymous Coward on Thursday September 02, 2010 @11:16PM (#33461402)

      no, no and yes

      • by vlueboy (1799360)

        no, no and yes

        My kingdom, for a mod point!

        The parent AC's words above are currently invisible in some /. thresholds, but his answer to the GP is valuable. Even the weirdo Win32 GUI Apple's browser had now feels right at home on my machine after some GUI de-alienation improvements these past two years.

        Google's ignoring print preview without some visible explanation is another reason not to like their already-alien interface and odd point of view. It's what kept me on the fence with Opera vs Firefox vs. Chrom[e|ium.] Op

    • by LingNoi (1066278)

      Well it's a free application so why don't you just check it out instead of posting here waiting for a reply.

      • Re: (Score:3, Funny)

        by delinear (991444)
        Maybe his time is important and he's planning on paying out a bounty to anyone who can deliver the information to him.
        • by LingNoi (1066278)

          I was going with the presumption that his time was worthless since he's on Slashdot and commenting.

    • Re:Print Preview? (Score:4, Interesting)

      by Urza9814 (883915) on Friday September 03, 2010 @12:10AM (#33461624)

      Uhh...my Chromium 5 for Linux has print preview and proper flash support. And the same file download behavior as browsers like Firefox - I open a file the browser doesn't handle, it downloads to the folder I've specified for downloads. How is that a problem? As I said, it's the same thing Mozilla does. I don't _want_ a browser to just start deleting my downloads on its own. If I tell it 'yes, download this file', that file should stay where it is until I decide to delete it.

      • Re: (Score:3, Informative)

        by dakameleon (1126377)

        I think the behaviour being asked for above is the "open with" behaviour common on other browsers, where the file is downloaded to a temporary folder (e.g. $WINUSER$\Local Settings\Temp for Windows) for use by an application selected right from the download dialog. The temp folder can be cleaned up by the browser at a random date in future, or more often than not just sits there until someone decides to clean it out.

        This just means the file is out-of-sight out-of-mind for a one-time-use scenario and the user

    • by Anonymous Coward

      > Do Flash videos play the audio correctly?
      Yes. The video on the other hand, as in all browsers, is a different story. We're still waiting for the fix from Adobe. In the meantime, you can use the following user script:
      ----(start of file)----
      // ==UserScript==
      // @name YouTubeWMP
      // @version 1.0
      // @description Replaces Flash player with WMP in YouTube.
      // @run-at document-start
      // @include http://www.youtube.com/*
      // ==/UserScript==

      flp=document.getElementById("movie_player");
      flp.outerHTML = "<EMBED ty

    • by butlerm (3112)

      I use Chrome all the time, but I always go to another browser to print anything. Internet Explorer's printing support isn't all that great (always cutting stuff off on the right instead of scaling for example), but Chrome's (at least on Windows XP) is positively pathetic. It looks like a kindergartner did the kerning. More or less unreadable. I am looking forward to a fix for that.

  • by icannotthinkofaname (1480543) on Thursday September 02, 2010 @10:49PM (#33461232) Journal

    Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text.

    I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.

    • by vlueboy (1799360)

      No virus that can live in my head can read my passwords out of there, A.F.A.I.K.

      (emphasis mine)
      Now THAT's an open mind!
      *ducks*

    • >I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.

      In other news Hacker Geneticists start breeding Meningitis that can talk...

    • by Terrasque (796014)

      A password that only lives in your head is of little use. Sooner or later you'll have to use it somewhere, and a virus can easily read it from the keyboard buffer / form field. Maybe it's even more likely it reads the password from a form than from where it's stored at the disk. While there are A LOT of ways to store passwords on disk, it's pretty limited in the ways you can use them.

    • by barzok (26681)

      It uses Keychain on OS X AFAIK, and there's a 1Password plugin for it so you can use that as well.

  • by bipbop (1144919) on Thursday September 02, 2010 @10:53PM (#33461244)
    I just looked at the article briefly, and it states "A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!
    • by TooMuchToDo (882796) on Thursday September 02, 2010 @11:37PM (#33461510)

      Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)

      I kid!

      • Re: (Score:3, Interesting)

        by n0-0p (325773)

        FWIW, they thanked members of the Chrome team a few months ago when they announced sandboxing support in an upcoming version of Acrobat Reader.

      • >Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)

        That's because unlike Adobe, Google actually PAYS them to find holes :P

    • by elrous0 (869638) *
      I'll have you know that Zeke and Rufus are very hard workers. They've overcome a lot in life, and here you come along and insult them. Shame on you.
    • by Jesus_666 (702802)
      Someone has to find and squash all those bugs that cause Adobe plugins to occasionally perform adequately.
    • by rvw (755107)

      I just looked at the article briefly, and it states "A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!

      Not so crazy when you see the sandbox team members [threedonia.com]!

  • Version bloat (Score:3, Interesting)

    by R.Mo_Robert (737913) on Thursday September 02, 2010 @10:59PM (#33461284)

    Any reason for the version-number bloat? I mean, I guess it looks a bit cooler next to IE 8, but I don't really think people are that naive.

    • Re: (Score:3, Funny)

      by ksandom (718283)
      In 2015.... Chrome 256 released!
    • Re:Version bloat (Score:4, Informative)

      by rezonat0r (409674) on Thursday September 02, 2010 @11:08PM (#33461354)
      I'm guessing you missed their highly re-reported blog post [chromium.org] regarding the new release schedule.
    • by greenguy (162630)

      You, sir, need to study your P.T. Barnum.

    • Re: (Score:3, Insightful)

      I was amazed they've already flown past an older browser (Safari) in version numbers, and they're inching toward IE territory.

      Seriously Google. This sounds like a .1, or even a .0.1 release. Don't be afraid of little bumps. It didn't sound like any new significant features were introduced.

      • Re: (Score:2, Informative)

        by Tubal-Cain (1289912)
        Firefox is older than Safari (OK, so it was Phoenix at the time...) and is only at 3.x or 4.0 (beta)
      • Seriously Google. This sounds like a .1, or even a .0.1 release.

        Scheduled releases with feature upgrades are major version numbers in the Chrome versioning scheme. This is such a release. Consequently it's a major version bump.

        Google's scheme seems to me to be less arbitrary than what their competitors use, where a feature release may bump the major version by 1 or the minor version by 1 or more.

    • Is it out of beta already?
    • by dougisfunny (1200171) on Friday September 03, 2010 @01:50AM (#33461966)

      They figure once they get to 6 they can coast for years.

    • Then there's the Linux Kernel. When will they ever go to Kernel 3.0?

    • I have the 64 bit Linux version of chrome on my Ubuntu OS computer for close to two years now. I bet that I have downloaded about 500 million bytes of updates to it since. The program still will not play any youtube videos. The flash plugin states error wrong architecture i386. I keep hoping the next update will solve that problem.
    • Any reason for the version-number bloat?

      Chrome's versioning scheme seems to have always been that major version numbers are general feature releases, and almost everything else is bug-fix (third-number releases). Their versioning is pretty rational, the only thing is that the second number seems pretty superfluous, since they don't ever seem to have any releases that qualify for whatever standard they have for that (I can't remember ever seeing a Chrome version that wasn't x.0.y.z [z being the build numb

    • by gozu (541069)

      The same reason Microsoft used the name xbox 360 instead of xbox 2. Because they'd rather not overestimate their consumer's intelligence.

      Frankly, I can't say I blame them. All people are ignorant and stupid about most things, myself included.

  • What's the point of the encrypting in Windows if you can easily go to Tools -> Personal Stuff -> Show Saved Passwords, and clicking Show Password? Chrome doesn't appear to have any password-required feature to get INTO those settings and/or launch the browser. Firefox, on the other hand uses a password that protects them either when you try to view the passwords through the dialog box, OR when the passwords have to get loaded in order to be used by a site. It boggles the mind even more when you consi
    • by gazbo (517111)
      So that when someone steals your laptop they don't get access to your passwords/CC numbers? The only security that Firefox's master password provides that Chrome doesn't is if you happen to leave your computer logged in, unlocked and unattended but just happen not to have entered your master password into Firefox yet.
      • To see the passwords you need to enter the master password again, else the passwords can be used, but not revealed, so as soon as firefox is closed/crashes the passwords will be useless..

    • Firefox, on the other hand uses a password that protects them either when you try to view the passwords through the dialog box, OR when the passwords have to get loaded in order to be used by a site.

      Not by default it doesn't - "Use a master password" is unchecked by default, meaning very few people are actually protected by it.

    • by blueg3 (192743)

      The password-required feature is logging in to your user account. Chrome uses the Windows encryption facility that piggybacks off of Windows user logins.

  • Aeet? (Score:5, Funny)

    by Anonymous Coward on Thursday September 02, 2010 @11:50PM (#33461560)

    First thing I thought when I saw 4337 was "What the fuck is Aeet?"

  • Linux Logins (Score:5, Interesting)

    by idcard_1 (953648) on Friday September 03, 2010 @12:28AM (#33461662)
    FYI your linux logins on Ubuntu are stored in this file: /home/username/.config/google-chrome/Default/Login\ Data just do "strings Login\ Data" and you have those passwords. :(
    • by Anonymous Coward

      You're on Linux, the most trusted, secured and freshest OS in the universe !!

      Why do you care if Google leaves your creds in the clear? If someone can read them, you are already OWNED !!

      Yours,
      Shirley, the one and only Summer's Eve girl

    • Re: (Score:2, Informative)

      by Zixaphir (845917)
      wtf is /home/username? In my days, we communicated home as "~/". You can read it as tilde slash or even tilde slash dot, but it doesn't matter. ~ sweet ~.
    • by LingNoi (1066278)

      On ubuntu at least this should be in seahorse or something. Not in an unencrypted sqlite db. Very poor.
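
A defensive check for the storage problem described in this subthread, as an added example that is not part of any comment and is not Chrome's code: it reports whether a `Login Data` SQLite file is readable by other local users and how many saved entries are plain text, without ever printing a password. The `logins` table with `origin_url` and `password_value` columns, the printable-text heuristic and the sample rows are assumptions constructed for illustration.

```python
import os
import sqlite3
import stat
import tempfile
from contextlib import closing
from pathlib import Path

def classify(blob):
    """Label a stored password_value without ever returning its content."""
    if not blob:
        return "empty"
    raw = blob.encode() if isinstance(blob, str) else bytes(blob)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"  # not text: consistent with an encrypted blob
    return "cleartext" if text.isprintable() else "opaque"  # heuristic only

def audit(db_path):
    """Report exposure of a Login Data file; the `logins` schema is assumed."""
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    report = {"others_can_read": bool(mode & 0o044),  # group/other read bits
              "counts": {"empty": 0, "opaque": 0, "cleartext": 0},
              "cleartext_origins": []}
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only open
    with closing(sqlite3.connect(uri, uri=True)) as con:
        for origin, value in con.execute("SELECT origin_url, password_value FROM logins"):
            label = classify(value)
            report["counts"][label] += 1
            if label == "cleartext":
                report["cleartext_origins"].append(origin)  # site only, never the secret
    return report

def build_sample(directory):  # constructed stand-in for a profile database
    path = os.path.join(directory, "Login Data")
    with closing(sqlite3.connect(path)) as con:
        con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
        con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
            ("https://a.example/", "alice", b"hunter2"),                # stored as text
            ("https://b.example/", "bob", bytes.fromhex("8f01fec328009a11")),  # opaque bytes
            ("https://c.example/", "carol", b"")])                      # nothing saved
        con.commit()
    os.chmod(path, 0o644)  # deliberately loose mode so the flag fires
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(audit(build_sample(d)))
```

A non-empty `cleartext_origins` list is the condition the comments above complain about; `others_can_read` matters most on multi-user machines.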

  • As a Linux application developer who has used keyring/kwallet for saving secure passwords in the past, I'd recommend not to use them.

    Various different distributions have different versions of these utilities and their libraries. There are so many variations that it becomes hard to support all versions. Most desktop linux end users have never used them and when they see a warning window popping up (which these utilities tend to show), they cancel the window rather than going through the authentication pr

    • by Abcd1234 (188840)

      Implement your own secure storage strategy

      Yeah, that's always a good plan: reinventing the wheel and implementing your own encrypted storage solution. I'm sure your average Linux developer is qualified to do that. What could possibly go wrong?

  • by VincenzoRomano (881055) on Friday September 03, 2010 @02:47AM (#33462180) Homepage Journal
    At least the Linux version for x86_64.
    Try it [acidtests.org]
  • It's a pretty big showstopper for me, since it makes using it at work extremely difficult to do. I do wish it had its own proxy engine like Firefox does.
  • Try using http://lastpass.com/ [lastpass.com] for Chrome passwords - it encrypts the passwords on disk (of course), has a lot more features, and is a cross-browser plugin for Firefox, IE, Safari as well as Chrome, on Windows/Mac/Linux etc. It also has paid-for versions for iPhone, Android, etc, and syncs the passwords to the cloud.
