Chromium 37 Launches With Major Security Fixes, 64-bit Windows Support
An anonymous reader writes Google has released Chrome/Chromium version 37 for Windows, Mac, and Linux. Among the changes are better-looking fonts on Windows and a revamped password manager.
There are 50 security fixes, including several to patch a sandbox escaping vulnerability. The release also brings stable 64-bit Windows support which "...offers many benefits for speed, stability and security. Our measurements have shown that the native 64-bit version of Chrome has improved speed on many of our graphics and media benchmarks. For example, the VP9 codec that’s used in High Definition YouTube videos shows a 15% improvement in decoding performance. Stability measurements from people opted into our Canary, Dev and Beta 64-bit channels confirm that 64-bit rendering engines are almost twice as stable as 32-bit engines when handling typical web content. Finally, on 64-bit, our defense in depth security mitigations such as Partition Alloc are able to far more effectively defend against vulnerabilities that rely on controlling the memory layout of objects."
The full changelog.
Shooter (Score:3)
all that? (Score:3)
Re: (Score:1)
What the hell? I recently did a google search for chrome to install it. The very first entry on the list was a download that first installed a so called optimizer malware protector program. If one executes the program it will tell one that they have thousands of problems. Just send them some money and they will fix them for you. How am I supposed to know that the program did not install the problems and then ask money to fix them? It is the same as having people come to your door and tell you that your
Re: all that? (Score:2)
One cannot expect Google to save one from oneself.
Re: (Score:2)
Re: (Score:3)
How is google going to stop you from posting lies on Slashdot?
Haven't you heard the whispers about the Google kick squad, armed with Reason(tm) hypervelocity rail guns?
That's how.
Sweet (Score:1)
I hope the Firefox team once copies one sane feature from Chrome to their browser: the 64bit windows build.
Re: (Score:1)
Is there a stable build?
Re: (Score:3, Funny)
I'm sure the Brony community can provide an equine themed build to your liking.
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:1)
> I hope the Firefox team once copies one sane feature from Chrome to their browser: the 64bit windows build.
Don't hope, vote. [mozilla.org]
Why not a master password for the PW manager? (Score:3)
I wish for a feature that is in Firefox... and that is the ability to set a master password and encrypt all password manager contents. That way, stored passwords and certificates are independently protected.
Re: Why not a master password for the PW manager? (Score:4, Funny)
I think it would be nice if Chrome stored all your passwords and especially your certs (like SMIME and PGP keys) on one of Google's servers. That way you'd have them any time and anywhere you want. Google could provide encryption and provide a key escrow service to that encryption so that, if you lose your master password, Google can recover your passwords for you. With Google's safety features, nothing could possibly go wrong.
Re: (Score:2)
Re:Why not a master password for the PW manager? (Score:4, Informative)
Chrome already encrypts your data (on Windows at least) using your Windows login credentials using the Crypto API. If the user is not logged in, the passwords are impossible to read. If the user is logged in, all it takes is an API call run by that user to decrypt them, no reauthentication necessary (and this is why you lock your PC when you walk away). I think it is a very usable solution to the "but I save passwords to avoid remembering passwords, I don't want a master password" problem, but still keeping things secure.
I think cookies are encrypted now, too.
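An added example, not part of the thread and not Chrome's or Firefox's code: the DPAPI behaviour described in the comment above, shown on a constructed secret through .NET's `ProtectedData` wrapper in Windows PowerShell 5.1. The passphrase-derived optional entropy in the second case is a hypothetical design chosen for illustration, as are the helper name `Test-Unprotect`, the sample passphrase and the salt.

```powershell
# Added example on a constructed secret; not Chrome's or Firefox's code.
Add-Type -AssemblyName System.Security   # ProtectedData lives here on Windows PowerShell 5.1

$dp    = [System.Security.Cryptography.ProtectedData]
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$utf8  = [System.Text.Encoding]::UTF8

function Test-Unprotect {
    # Hypothetical helper: returns the plaintext, or $null when DPAPI rejects the blob.
    param($Blob, $Entropy)
    try   { $utf8.GetString($dp::Unprotect($Blob, $Entropy, $scope)) }
    catch { $null }
}

$secret = $utf8.GetBytes('constructed-demo-password')   # constructed sample value

# Case 1: no optional entropy. The blob is bound only to the logged-in user's
# DPAPI master key, so any code running as that user can reverse it silently.
$blobUserOnly = $dp::Protect($secret, $null, $scope)

# Case 2 (hypothetical design): optional entropy derived from a passphrase the
# user types, so the blob cannot be unprotected from profile data alone.
$salt    = $utf8.GetBytes('constructed-demo-salt')      # constructed; at least 8 bytes
$kdf     = [System.Security.Cryptography.Rfc2898DeriveBytes]::new('demo master passphrase', $salt, 100000)
$entropy = $kdf.GetBytes(32)
$blobWithEntropy = $dp::Protect($secret, $entropy, $scope)

# An empty Plaintext column means DPAPI refused to decrypt.
@(
    [pscustomobject]@{ Blob = 'user-only';    EntropySupplied = $false
                       Plaintext = (Test-Unprotect $blobUserOnly $null) }
    [pscustomobject]@{ Blob = 'with entropy'; EntropySupplied = $false
                       Plaintext = (Test-Unprotect $blobWithEntropy $null) }
    [pscustomobject]@{ Blob = 'with entropy'; EntropySupplied = $true
                       Plaintext = (Test-Unprotect $blobWithEntropy $entropy) }
) | Format-Table -AutoSize
```

The second row is the only one that fails, so the added protection rests entirely on where the entropy comes from. An entropy value stored in the same user profile would add nothing against code running as that user.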
Re: (Score:3)
So, are you saying that the data is "encrypted" in such a way as to be readable by anything which is running as your user?
Because, basically that would mean that it's not really encrypted in any meaningful way, because you inherently trust every single process to access your passwords.
Quite frankly, that sounds pretty dumb, because it means you explicitly make this available to every single process. So, Adobe could read your passwords if you read a PDF?
That's pretty weak if I understand what you said. And
Re: (Score:3)
As a user who is already used to quickly pressing Win+L to lock their computer each time they leave their desk, leveraging the Windows APIs is exceptionally convenient, espec
Re: (Score:3)
Re: (Score:2)
Windows has the ability to stash login credentials securely, but on Linux, this functionality isn't present, so having the browser "pack its own parachute" with its own encryption would be nice.
Re: (Score:2)
Chromium under KDE on linux nags you to set up a kwallet for passwords - I assume Gnome has a similar facility. So I guess it takes the same approach as on Windows - i.e., use the password storage facility provided by the OS. Not a bad approach. Kwallet makes you provide a password to access it the first time (presumably each app that accesses your wallet will ask for this the first time you grant it access. That's not the same as giving your passwords to anything you run as the GP suggested (thought ma
Re: (Score:2)
> , all it takes is an API call run by that user to decrypt them, no reauthentication necessary (and this is why you lock your PC when you walk away).
I'm far more concerned about malware than coworkers. Does locking my PC stop malware from harvesting the passwords? Does malware only run when you walk away and if you lock your PC that prevents it from running? If only, right? :)
The problem with saving passwords in the user profile is that ANY non-privileged process running under my account can access them.
Re: (Score:2)
Re: (Score:2)
> that malware could just as easily watch the password you type into a password manager
That is actually far from "just as easily".
1) Hooking into the keyboard is much easier to detect from an antivirus-suspicious activity point of view.
2) It also requires that the malware be running WHILE I load unlock my password manager and enter the master password.
I personally run password safe, with multiple safes, with different category passwords because I distrust the native browser password storage.
Sure the low valu
Re: (Score:3)
Re: (Score:3)
> You just happen to be super vigilant with your security and if Chrome had implemented a Firefox style password protected password manager it most certainly would not have met your needs either.
It could potentially replace the lowest value vault.
> the most worthwhile measure you take above Firefox and Chrome, is that you compartmentalise your passwords
Yes, and it's a major failing of all systems out there that compartmentalization isn't better supported at the system level. Not only does the OS fail to guide u
Re: (Score:1)
Really? Then wouldn't changing your Windows password brick the data store?
Re: (Score:2)
Gradients (Score:2)
Can it render large CSS gradients without horrible banding yet?
Re: (Score:2, Insightful)
The answer is still no, apparently: https://code.google.com/p/chro... [google.com]
What a world we live in, where IE11 and Firefox have vastly better real-world CSS3 support and Chrome is just a pile of crap.
Re: (Score:1)
Re: (Score:1)
Try this https://code.google.com/p/chro... [google.com] in Chrome, Firefox, and IE. Notice how the large version of the same gradient looks like crap in only Chrome, but the rest all render it just fine.
Another oddity of this same bug in Chrome is this, which just defies all logic: http://jsfiddle.net/7C7ey/ [jsfiddle.net]
Compare that in Chrome to Firefox and IE. You can't even come up with a reason to explain how bad it looks in Chrome, it just boggles the mind what could possibly be causing that.
Re: (Score:1)
You can see the bug in "Linear Gradient (with Specified Arbitrary Stops)" on that page, but it is subtle. Compare Chrome to any good browser and notice how the blue starts to form bands on the far edge, instead of blending properly.
Hello, it is 2014 (Score:5, Insightful)
Re: (Score:3)
Re: (Score:2)
If you've upgraded in the last ten years you very likely have a 64-bit CPU. Athlon 64 machines probably can be had for free. From a quick search it also seems that Windows license allows you to choose either 32 or 64 bit version. I realise 64-bit computing wouldn't benefit your parents, but it doesn't require you to hop on an upgrade treadmill.
Re: (Score:2)
Yes but your OS needs to be 64 bit and until Windows 7 became dominant, 32 bit was still the biggest seller by far. If I recall until last year 80% of Windows OS installs were 32bit. Until last year many laptops still came with 32 bit Windows 7 which as far as I'm concerned was dumb.
Re: (Score:2)
I still use my very old, updated Windows XP Pro SP3 at home. It does what for me. I don't game and do anything fancy like I used to do.
Re:Hello, it is 2014 (Score:4, Insightful)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
If that is your sole metric, perhaps. But x64 mode provides other features such as additional registers, a larger address space for ASLR, etc. Much of the speed increase Google is touting is due simply to the ability of the compiler to use x64 mode code.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Moving to 64 bit means your entire ecosystem needs to move to 64 bit. Is every plug in, including every corporate internal plugin migrated to 32 bit? Even IE still has both builds, for this reason.
Re: (Score:2)
Why even bother with 32 bit builds?
Especially if one of the claims is that the 64-bit renderer is "twice as stable"?
Frankly, that's not a claim that I was expecting to hear. People looking at cashing in on Google security bug bounties should probably be looking at datatypes that are not being properly used and are overflowing and crashing on 32-bit.
Re: (Score:2)
Because some people still use 32-bit OSes on very old machines? :(
Google? (Score:1, Funny)
Video decoding regression (Score:4, Informative)
> For example, the VP9 codec that’s used in High Definition YouTube videos shows a 15% improvement in decoding performance.
Except that with this version, hardware-accelerated decoding broke scaling [google.com], so it now seems to scale as nearest-neighbor. Thankfully, on Windows it's possible to override hardware decoding with chrome://flags, which is a workaround for now.
Re: (Score:2)
Tragically Flash support still seems to be working. I was hoping that moving to 64 bit would break it.
Re: (Score:2)
I'm just hoping that there is a way to disable that obnoxious "Install Flash" bar that comes up every time you visit a site with Flash and you don't have Flash installed. It's like Google can't imagine that someone would not want to install Flash (ditto for builds of Chromium running on OSes that don't even have Flash).
This cued my rant. (Score:2)
God damn browsers and Web 2.0. They have undone the stability gains we have gotten over *decades* simply to have yet another AJAX-y Web 2.0 site with a 4 MB homepage.
What am I talking about? All this push to inject hardware acceleration into the browser comes at a cost: the damn browser is now moving out of the safe userland and more into game territory where they are communicating with the low-level APIs.
Fucking browsers are the only application I use that can hard lock my machine. I only got relief from C
The tabs are slightly sucky (Score:3)
Re: (Score:2)
I switched to chrome because of this. With lots of tabs open Firefox has no indication of the number of tabs. At that point I'm usually interested in going through sequentially anyway and not go through by specific content, i.e. open up interesting Slashdot articles.
Re: (Score:2)
Re: (Score:2)
64-bit support (Score:3)
Re: (Score:2)
It is 64 bit, check about:buildconfig.
Re: (Score:2)
$ file Google\ Chrome
Google Chrome: Mach-O executable i386
Re: (Score:2)
Oh, my mistake. Wrong browser. :-)
Pointer focus still broken (Score:2)
If you're using Linux with pointer focus, Chrome is severely broken starting with version 35.
https://code.google.com/p/chro... [google.com]
Chromium 37? (Score:5, Funny)
I thought this was a story about an isotope...
Re: (Score:1)
You're at least 5 releases early, probably 13: https://en.wikipedia.org/wiki/Isotopes_of_chromium
Re: (Score:1)
:) sorry, no mod points today.....
Does it self-update to 64-bit? (Score:2)
I've been running 32-bit Chrome on Windows 7 64-bit. Does the Chrome self-update upgrade it to Chrome 64-bit or is it a separate download somewhere?
Re:Does it self-update to 64-bit? (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
> Now I'm running Chrome version 37.0.2062.94 m. Is this the 64 bit version?
The 64-bit version says "64-bit" in parentheses after the version number.
If you just updated your 32-bit version, it's likely that you will stay in the 32-bit channel.
Re: (Score:2)
Re: (Score:2)
Stability improvements? (Score:2)
I understand why 64 bit can improve performance on x86 platforms because the 64-bit transition also rolled in other improvements like more registers.
I understand why 64 bit can improve the performance of security mitigations by making guessed addresses more likely to result in a controlled crash rather than arbitrary memory scribbling.
I cannot think of any reason why switching to 64 bit builds should halve the crash rate, unless this is just a side effect of 64 bit hardware being newer and less crappy overa
Re: (Score:1)
> I cannot think of any reason why switching to 64 bit builds should halve the crash rate, unless this is just a side effect of 64 bit hardware being newer and less crappy overall. Can anyone else explain this to me?
I may be a bit cynical about this, but many things that were crashing in 32-bit builds and stable in 64-bit builds gained stability from the expanded per-process memory range. The same buggy code with incompetent memory management would reach a crashing point when it ran out of new memory to violate, but as a 64-bit program it took enough longer to hit the higher barrier that it would appear completely stable.
Re: (Score:2)
Though I'm sure there are other reasons (maybe better 64 bit tools?) you self answer a bit. Your Point #2 means Chrome crashes early and obviously, making any pointer bugs quicker to be squashed. This means the bugs get fixed fast, fewer make it to Release builds, and you should crash less.
Another reason may be heap size. Even if you don't fill free memory, you can fragment it. Picture what you can put in one 5 gallon bucket, vs what you can put in 5 x 1 gallon buckets. Much less flexible. So if 32 bit chr
Re: (Score:2)
Just being honest here... (Score:5, Insightful)
but I cannot fathom how people, and techies specifically, trust a browser that has ties to the company that does nothing but track people for the sake of profit. I just cannot wrap my head around why people willingly are not fighting the trading of privacy for something "free". We all know the tradeoff isn't fair. Free this and free that and we are giving our lives away for what really?
I similarly distrust supermarket loyalty cards, which purport to save you money, but track and sell your preferences to third-party vendors who are also in the game for nothing but profit. One of the things that scares me is the buyers included in these companies are insurance companies, both medical and other, who then proceed to find ways to make your policies more expensive in future based on your current lifestyle. This is starting to happen.
My life is private and what I do should not cause an increase in costs for me. The goal, after all, is socialised medicine anyway, so screw for-profit medical companies.
Re: (Score:2)
1) If you're in business, likely you don't care about the privacy of searches anonymised under legal agreements because, well, there's just nothing quite that interesting and if your employees complain, you have to wonder what they are Googling in their spare time that they don't want you to know about.
2) Alternatives. I was an Opera user since before 3.something. It peaked a year or two ago, the developers were moved on, and it's now just junk and uses Chromium backend. IE isn't a sensible alternative e
Netflix support? (Score:2)
I remember some Chromium build that had Netflix support, a.k.a streaming DRM support. Did this make the cut?
Re: (Score:2)
Chrome 38 is the big one (Score:3)
Encrypted Media Extensions [wikipedia.org] lands in 38. This is what Netflix's using in their new HTML5 player. So hopefully, finally, Netflix on Linux.
Now if they can just get Java working on Linux again we'd be all set.
Re: (Score:1)
Actually Chrome 37 works already. On Ubuntu Trusty I had to update the libnss3 library to Utopic's version (from 3.15.4 to 3.16.3) and then spoof my user agent to pretend I'm running Windows, but once done it works, and works well (far better than running through Windows in a VirtualBox VM, which had a smooth picture but crackly sound).
I've used that in the Chrome 37 beta for a couple of weeks and that was the version promoted to stable. There's more info on OMG! Ubuntu! [omgubuntu.co.uk].
I haven't seen whether this means yo
Re: (Score:1)
If you want Netflix on Linux, you can do that with pipelight and an extension that changes your user agent string to Firefox for Windows.
Re: (Score:2)
Does chrome still require a root privs sandbox? (Score:2)
Yes? Then it can carry on fucking right off, it's going nowhere near my machines. I'll take the OS security over the supposed security of a browser subsystem thanks.
Re: (Score:2)
The OS doesn't need protection if the browser is running with normal user privs. If the OS is windows it might need extra help, I wouldn't know, but linux does not and I have no interest in Google's feeble reasons for requiring root privs. A user app that requires root privs is not going on my systems. Period.
Extension APIs? (Score:2)
Every news report on Chrome 37 sounds the same, including the phrase "supports various new applications and extension APIs". Everyone's just copying from the press release. What are the new extension APIs? JavaScript APIs?
Dev and beta builds (Score:2)
Just curious, but how many regular Slashdaughters aren't already using the beta or dev builds? I would imagine this crowd would be on the bleeding edge, especially since they got native Linux Netflix support working in one of the recent builds.
Better looking fonts on windows? (Score:2)
Perhaps I just need to get used to them, but the "better looking fonts" on windows don't actually look better to me, they look worse. I'm not really sure what it is, but there definitely seems to be something slightly off about them.
Re: (Score:2)
Try a Japanese website - new invisible kana support.
Better looking fonts, my arse.