Google Releases Chrome 6, Pays $4337 In Bounties
Trailrunner7 writes "Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team." (Read on for more, below.)
Also on the Chrome front, morsch writes "Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet to securely store saved browser passwords. Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text. On Windows, Chrome has always used a platform-specific crypto API call for encrypted storage. The corresponding Linux function was never implemented — until now. Unstable versions of Chrome 7 still disable the feature by default; it can be enabled using a parameter."
Where's the love for the Mac passwords? (Score:2)
Re:Where's the love for the Mac passwords? (Score:4, Informative)
$4337 in bounties? (Score:1, Interesting)
$ 4337 in bounties? So that's one real hard bug $ l337 and $ 3000 worth of bugs that the skript-kiddies could have got.
Print Preview? (Score:1, Interesting)
Re:Print Preview? (Score:5, Informative)
no, no and yes
Re: (Score:2)
no, no and yes
My kingdom, for a mod point!
The parent AC's words above are currently invisible in some /. thresholds, but his answer to the GP is valuable. Even the weirdo Win32 GUI Apple's browser had now feels right at home on my machine after some GUI de-alienation improvements these past two years.
Google's ignoring print preview without some visible explanation is another reason for me not to like their already-alien interface and odd point of view. It's what kept me on the fence with Opera vs Firefox vs. Chrom[e|ium.] Op
Re: (Score:2)
Well it's a free application so why don't you just check it out instead of posting here waiting for a reply.
Re: (Score:3, Funny)
Re: (Score:2)
I was going with the presumption that his time was worthless since he's on Slashdot and commenting.
Re:Print Preview? (Score:4, Interesting)
Uhh...my Chromium 5 for Linux has print preview and proper flash support. And the same file download behavior as browsers like Firefox - I open a file the browser doesn't handle, it downloads to the folder I've specified for downloads. How is that a problem? As I said, it's the same thing Mozilla does. I don't _want_ a browser to just start deleting my downloads on its own. If I tell it 'yes, download this file', that file should stay where it is until I decide to delete it.
Re: (Score:3, Informative)
I think the behaviour being asked for above is the "open with" behaviour common on other browsers, where the file is downloaded to a temporary folder (e.g. $WINUSER$\Local Settings\Temp for Windows) for use by an application selected right from the download dialog. The temp folder can be cleaned up by the browser at a random date in future, or more often than not just sits there until someone decides to clean it out.
This just means the file is out-of-sight out-of-mind for a one-time-use scenario and the user
Video on the other hand... (Score:2, Informative)
> Do Flash videos play the audio correctly?
Yes. The video on the other hand, as in all browsers, is a different story. We're still waiting for the fix from Adobe. In the meantime, you can use the following user script:
----(start of file)----
// ==UserScript==
// @name YouTubeWMP
// @version 1.0
// @description Replaces Flash player with WMP in YouTube.
// @run-at document-start
// @include http://www.youtube.com/*
// ==/UserScript==
// Grab YouTube's Flash player element and swap the whole node for a WMP embed.
flp=document.getElementById("movie_player");
flp.outerHTML = "<EMBED ty
Re: (Score:2)
I use Chrome all the time, but I always go to another browser to print anything. Internet Explorer's printing support isn't all that great (always cutting stuff off on the right instead of scaling for example), but Chrome's (at least on Windows XP) is positively pathetic. It looks like a kindergartner did the kerning. More or less unreadable. I am looking forward to a fix for that.
Yep. My practices are justified. (Score:3)
Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text.
I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.
Re: (Score:2)
No virus that can live in my head can read my passwords out of there, A.F.A.I.K.
(emphasis mine)
Now THAT's an open mind!
*ducks*
Re: (Score:2)
>I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.
In other news Hacker Geneticists start breeding Meningitis that can talk...
Re: (Score:2)
A password that only lives in your head is of little use. Sooner or later you'll have to use it somewhere, and a virus can easily read it from the keyboard buffer / form field. Maybe it's even more likely it reads the password from a form than from where it's stored on the disk. While there are A LOT of ways to store passwords on disk, it's pretty limited in the ways you can use them.
Re: (Score:2)
It uses Keychain on OS X AFAIK, and there's a 1Password plugin for it so you can use that as well.
Re: (Score:3, Informative)
Some kind of encryption as obfuscation, DRM-style, is still better than just plain text. One of the tricks used by people who steal hard drives is to try every possible chain of subsequent bits as a password. It's only at most a few trillion tries (less than brute-forcing an 8-char alphanumeric password, and quite feasible with a botnet or a few days of time), and often as few as a few billion, but it gets passwords right quite often. Encryption would defeat this attack.
Re: (Score:2)
The decryption password isn't stored anywhere. You have to remember it. But remembering one password beats remembering 10, 20 or 100.
Re: (Score:2)
Not sure what your point is. The master password function in Firefox is optional. If you don't use it, you don't have to remember a password. If you do use it, you do have to remember a password, since obviously Firefox doesn't store it anywhere.
Re: (Score:2)
Firefox can optionally use a master password to encrypt the other stored passwords. You have to enter the master password once per session (or, if you prefer, every time you access the store). This doesn't prevent a determined attacker who has root from getting those passwords (he could use a keylogger to get the master password, etc.). But it does mean that sheer physical access is not enough, so if someone copies your Firefox profile, or restores it from an old HD, the passwords still would need to be dec
Re: (Score:2)
If you ask a browser to remember passwords, they will be stored somewhere in plain text or in some form that can be decrypted.
It's called a password-protected, encrypted keychain, and it's hardly new technology.
Re: (Score:2)
Crazy Article (Score:5, Funny)
Re:Crazy Article (Score:5, Funny)
Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)
I kid!
Re: (Score:3, Interesting)
FWIW, they thanked members of the Chrome team a few months ago when they announced sandboxing support in an upcoming version of Acrobat Reader.
Re: (Score:2)
>Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)
That's because unlike Adobe, Google actually PAYS them to find holes :P
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I just looked at the article briefly, and it states "A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!
Not so crazy when you see the sandbox team members [threedonia.com]!
Version bloat (Score:3, Interesting)
Any reason for the version-number bloat? I mean, I guess it looks a bit cooler next to IE 8, but I don't really think people are that naive.
Re: (Score:3, Funny)
Re: (Score:2)
Re:Version bloat (Score:4, Informative)
Re: (Score:2)
You, sir, need to study your P.T. Barnum.
Re: (Score:3, Insightful)
I was amazed they've already flown past an older browser (Safari) in version numbers, and they're inching toward IE territory.
Seriously Google. This sounds like a .1, or even a .0.1 release. Don't be afraid of little bumps. It didn't sound like any new significant features were introduced.
Re: (Score:2, Informative)
Re: (Score:2)
Scheduled releases with feature upgrades are major version numbers in the Chrome versioning scheme. This is such a release. Consequently it's a major version bump.
Google's scheme seems to me to be less arbitrary than what their competitors use, where a feature release may bump the major version by 1 or the minor version by 1 or more.
MOD PARENT UP (Score:2)
There is no universal ISO IEEE Regulatory standard for software version numbers, it's meaningless to compare them. Personally I mostly ignore them and look at the release or file date.
Re: (Score:2)
There is no universal ISO IEEE Regulatory standard for software version numbers, it's meaningless to compare them. Personally I mostly ignore them and look at the release or file date.
My conversation with an average user:
Them: "What browser are you using?"
Me: "Firefox."
Them: "It looks neat. Is it any good?"
Me: "Yeah, I like it. You can try it if you want."
Them: "This is pretty good. What version are you running?"
Me: "Version 3.6."
Them: "Oh, if they're only on 3.6 I'll just stick with IE8."
Me: *facepalm*
I did give them the "version numbers don't mean much" spiel after that but their eyes had already glazed over when I said a number less than 8. Sometimes I think a standardize
Re: (Score:2)
I don't think we should dumb things down for the lowest common denominator of intelligence out there. TV and Movies already do that way too much of the time.
What does that say about Windows then? They are only on Version 7, although I hear they used to have a 95 and a 2000 . . . So is IE8 more advanced than Windows 7? And is Windows 7 less advanced than Windows 95? After all, 95 is a bigger number.
Re: (Score:2)
Re:Version bloat (Score:5, Funny)
They figure once they get to 6 they can coast for years.
Re: (Score:2)
Then there's the Linux Kernel. When will they ever go to Kernel 3.0?
Re: (Score:2)
Re: (Score:2)
Chrome's versioning scheme seems to have always been that major version numbers are general feature releases, and almost everything else is bug-fix (third-number releases). Their versioning is pretty rational, the only thing is that the second number seems pretty superfluous, since they don't ever seem to have any releases that qualify for whatever standard they have for that (I can't remember ever seeing a Chrome version that wasn't x.0.y.z [z being the build numb
Re: (Score:2)
The same reason Microsoft used the name xbox 360 instead of xbox 2. Because they'd rather not overestimate their consumers' intelligence.
Frankly, I can't say I blame them. All people are ignorant and stupid about most things, myself included.
Re: (Score:2)
But also a bit less informative.
If they do it right, I know that the change from 3.5 to 3.6 is much less significant than the change from 3.6 to 4.0.
I have no idea what happens between Tiger, Snow Leopard, Polecat and Throat-Warbler Mangrove.
Re: (Score:2, Interesting)
Re: (Score:2)
Re: (Score:2)
To see the passwords you need to enter the master password again, else the passwords can be used, but not revealed, so as soon as Firefox is closed/crashes the passwords will be useless.
Re: (Score:2)
Firefox, on the other hand uses a password that protects them either when you try to view the passwords through the dialog box, OR when the passwords have to get loaded in order to be used by a site.
Not by default it doesn't - "Use a master password" is unchecked by default, meaning very few people are actually protected by it.
Re: (Score:2)
The password-required feature is logging in to your user account. Chrome uses the Windows encryption facility that piggybacks off of Windows user logins.
Aeet? (Score:5, Funny)
First thing I thought when I saw 4337 was "What the fuck is Aeet?"
Re: (Score:2, Insightful)
Re: (Score:2)
That's what she said...
It refers to the independent testing community (Score:2)
It's nice to see the broader technical community getting recognition from Google as.... ...bringin' the HEET
Linux Logins (Score:5, Interesting)
Feel Save AND Fresh (Score:2, Funny)
You're on Linux, the most trusted, secured and freshest OS in the universe !!
Why do you care if Google leaves your creds in the clear? If someone can read them, you are already OWNED !!
Yours,
Shirley, the one and only Summer's Eve girl
Re: (Score:2)
Shirley you jest!
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
On Ubuntu at least this should be in seahorse or something. Not in an unencrypted sqlite db. Very poor.
Re: (Score:2)
Yes, that is what they are (finally) doing with Chrome 7.
Re: (Score:2)
They should've done like Mozilla and stored them in Mork format, nobody would be able to read them then
Implement your own secure storage strategy (Score:2, Interesting)
As a Linux application developer who has used keyring/kwallet for saving secure passwords in the past, I'd recommend not to use them.
Various different distributions have different versions of these utilities and their libraries. There are so many variations that it becomes hard to support all versions. Most desktop Linux end users have never used them and when they see a warning window popping up (which these utilities tend to show), they cancel the window rather than going through the authentication pr
Re: (Score:2)
Implement your own secure storage strategy
Yeah, that's always a good plan: reinventing the wheel and implementing your own encrypted storage solution. I'm sure your average Linux developer is qualified to do that. What could possibly go wrong?
And it's ACID3 compliant! (Score:4, Informative)
Try it [acidtests.org]
Re: (Score:2)
Re: (Score:2)
Mine said that test 26 passed, but took 35ms (less than 30fps). Nothing else to report.
Re: (Score:2)
Looks fine in Chrome on OSX to me. Animates and everything.
Re: (Score:2)
Re: (Score:2)
Does HTTPS over proxy work yet? (Score:2)
Re: (Score:2)
You can use the command line switches of chrome (--proxy-server), which is kind of awkward but not too bad. http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/ [chromeplugins.org]
Use LastPass for passwords (Score:2)
Try using http://lastpass.com/ [lastpass.com] for Chrome passwords - it encrypts the passwords on disk (of course), has a lot more features, and is a cross-browser plugin for Firefox, IE, Safari as well as Chrome, on Windows/Mac/Linux etc. It also has paid-for versions for iPhone, Android, etc, and syncs the passwords to the cloud.
Re: (Score:2)
so, hunt down big companies willing to spend money advertising that they're sponsors of Chrome Bug-hunt.
Otherwise, you won't have that kind of money just waiting to be spent for every little null pointer dereference fix.
Re: (Score:2)
What? Google's not big enough? They need to find sponsors in order to make money? Oh, wait a second...
Re: (Score:2)
so, hunt down big companies willing to spend money advertising that they're sponsors of Chrome Bug-hunt.
Otherwise, you won't have that kind of money just waiting to be spent for every little null pointer dereference fix.
Lets get that massive super multi billion dollar every-national company GOOGLE to sponsor the Chrome Bug-Hunt. Wait... what?
Re:Wheel of Bug Chasers! (Score:5, Insightful)
Give me a break. You turn a bug bounty into a statement on American values. Your gameshow references are completely baseless and random. What a load of crap!
Re:Wheel of Bug Chasers! (Score:5, Insightful)
And yet they did. That must really shake your world view.
Believe it or not, when normal people discover a vulnerability and their options are "run a botnet" and "tell the manufacturer," most of them tell the manufacturer. Getting $1000 for it is an added bonus, not the incentive to action.
True, it's not going to create a whole new generation of professional bug bounty hunters living off their bounties, but that was never the intent. If they wanted to hire an army of extra bug hunters they'd put you on the payroll. If you're looking to get rich, do something else. If you're into it for the challenge or to be helpful or you happen to be mucking about with their browser as part of your day job, make a little extra money as Google's way of saying "thank you" for doing the right thing and helping them to make their free product--one you evidently use, if you're finding bugs in it--a better one.
If that's not good enough for you, well, fine. Don't look for bugs. Don't pass Go, don't collect $1,000. Your time is apparently better spent trying to get yourself a spot on Wheel of Fortune.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
This is one of the dumbest arguments I've ever seen on Slashdot.
You must be new here.
Re: (Score:3, Insightful)
Well, you could always find flaws in Firefox, Windows, IE, etc and get paid nothing if you like.
$4,337 > 0
I say good for Google. What do you want from them, $43,370? $433,700? They're already paying more than anyone else.
Re: (Score:3, Informative)
Re: (Score:2, Informative)
We've never paid based on the actual value of services. In a free economy, prices should be set by the supply and demand. Even if the demand for a service is great, the price may still be incredibly low due to high supply. Like water. Can't quite live without it. What kind of value does that bring to you? More or less than a huge flat screen tv. Less?? But isn't water more valuable to you??!!!
Explaining the economics of game shows is a bit too much for me at this hour. Safe to say, the contestants aren't
Re: (Score:2)
Re: (Score:2)
You might want to do some research before you start casually using the term "bug chasers". Hint: it already has a meaning, and it's almost certainly not what you think it is.
Re:$4,337 from a multi-billion dollar company? (Score:5, Informative)
Since you're not going to RTFA or even the summary I'll repost it here..
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
The highest bug bounty, $1337
$1337? Oh come on!
Re:$4,337 from a multi-billion dollar company? (Score:5, Funny)
The highest bug bounty, $1337
$1337? Oh come on!
Well, $5318008 was a bit much.
Re: (Score:2)
Geek impaired? On slashdot?
Re: (Score:2)
It's nice that they're paying but if that's $4337/14 = roughly $310 per bug you'll just have to forgive me if I don't quit my day job to focus on debugging Chrome.
That $310 check from Google is worth a lot more than its face value in establishing your credibility as a security researcher.
Re: (Score:2)
Re: (Score:2)