Tuesday, September 15, 2009

Stable Channel Update




3.0.195.21 has graduated from Beta to the Stable channel today.

This release includes themes support, a brand new New Tab page, an updated omnibox, support for audio and video tags, and a higher performing V8 engine.

You can read more about it here.

Anthony Laforge
Google Chrome Program Manager

Security Fixes:

We would like to extend special thanks to Will Dormann of CERT for working with us to improve the security of the new audio and video codecs in this release.

CVE-2009-XXXX  Content-Type: application/rss+xml being rendered as active content

Previously, we rendered RSS and Atom feeds as XML.  Because most other browsers render these documents with dedicated feed previewers, some web sites do not sanitize their feeds for active content, such as
JavaScript.  In these cases, an attacker might be able to inject JavaScript into a target web site.

More info: 
http://code.google.com/p/chromium/issues/detail?id=21238
(This issue will be made public once a majority of users are up to date with the fix.)

Severity: Medium.  Most web sites are not affected because they do not include untrusted content in RSS or Atom feeds.

Credit: Inferno of SecureThoughts.com


Mitigations:

  • A victim would need to visit a page under an attacker's control.
  • The target web site would need to let the attacker inject JavaScript into an RSS or an Atom feed.

CVE-2009-XXXX  Same Origin Policy Bypass via getSVGDocument() method

The getSVGDocument method was lacking an access check, resulting in a cross-origin JavaScript capability leak.  A malicious web site operator could use the leaked capability to inject JavaScript into a target web site hosting an SVG document, bypassing the same-origin policy.

More info: 
http://code.google.com/p/chromium/issues/detail?id=21338
(This issue will be made public once a majority of users are up to date with the fix.)

Severity: High

Credit: Isaac Dawson


Mitigations:

  • A victim would need to visit a page under an attacker's control.
  • The target web site would need to host an SVG document.

Labels:

35 Comments:

Blogger Carsten Knobloch said...

i can't believe it. we say: --enable-extensions did not work (yersterday in beta) - and know u release a stable with the same error....

10:26 AM, September 15, 2009  
Blogger Anthony said...

It's actually not an error, --enable-extensions was disabled since it's not ready for release to stable (the API's are still in flux). The feature is targeted for 4.0, and will be available on both the Dev channel and subsequent 4.0 beta releases.

10:31 AM, September 15, 2009  
Blogger Carsten Knobloch said...

Thanks 4 info and sorry for my rant ;)

11:02 AM, September 15, 2009  
Blogger Simone said...

Themes do not work! I click on "Apply theme", I download the CRX file, but I always have the Classic theme. I remember when I tried the Dev once: the downloaded CRX files remained in my "Downloads" directory, now they "disappear" after downloading. Can you fix that?

11:38 AM, September 15, 2009  
Anonymous Anonymous said...

Any chance the themes will support Aero like the normal one does?

11:48 AM, September 15, 2009  
Anonymous Anonymous said...

Stable channel and the Beta channel, both are on the same version? :s

12:02 PM, September 15, 2009  
Blogger David Knowles said...

Mehdi Yes they are.
I am guesting us Betas will be upgraded to the 4.0 branch in the coming weeks.

1:28 PM, September 15, 2009  
Blogger Meok said...

Chrome's theme engine is the bomb. No other browser comes close to the level of customization. Some may gripe because you can't change the shape of the buttons, but the fact that you can skin the entire browser frame as well as the new tab page is unprecedented.

5:23 PM, September 15, 2009  
Blogger Maite said...

ei, the "downloads page" should be optional. I Don´t like the "downloads page" because it´s very slow to download files.

5:51 PM, September 15, 2009  
Blogger Ondřej said...

I'm on stable channel and this update nearly doubled my Chrome memory usage. That's very bad - it's slowing everything down. Javascript benchmarks are not everything.

4:01 AM, September 16, 2009  
Blogger Wendy said...

Almost everytime I open up chrome I get broken link msg. when I reload they are corrected. This has been going on for a couple weeks now.Can someone help. I love chrome, but this is getting back to IE which I can't remember the last time I used it.
Please help

6:38 AM, September 16, 2009  
Blogger Valeria said...

ooo, the downloads tool is very bad. I download files at 45 kps, when in I.E I download at 220.

Please, solve the problem with the download´s speed

7:34 AM, September 16, 2009  
Blogger The MAZZTer said...

Ondřej: Memory usage is not everything. In fact, it is pretty much nothing.

Especially if you aren't using the correct metrics in about:memory to gauge memory usage.

2:38 PM, September 16, 2009  
Blogger johny said...

Hmm.. Chrome 3 can not be used by corporate people where proxy pac are extensively used..

It does not work at all with a proxy pac File..

Please update Version 4 to beta channel soon..

11:11 PM, September 16, 2009  
Blogger Justin said...

It's odd. I open the browser to my msn.com homepage, and everything works fine. I open up a new tab, and suddenly everything requiring java (slideshow, e-mail module) suddenly stops working. I only started having this problem after the update. Any ideas?

11:42 PM, September 16, 2009  
Anonymous Anonymous said...

The Peacekeeper result showing a very worst score in compare to previous release...what is going wrong? For the first time log-in is showing an error sign of unable to loading...Google need to make something to recover this issues as well as the download manager processing speed...other than that, it is fine...

3:22 AM, September 17, 2009  
Blogger someoneelse said...

Couldn't find a list of known issues,
i assume google people are aware of that disappearing text bug? Still shows up in my Facebook chat, it has been around for too long really..
Would appreciate a response guys.

9:22 AM, September 17, 2009  
Blogger Fabio_Rulez said...

to someoneelse:

http://code.google.com/p/chromium/issues/list

here u can find the list of all known bugs, adding a new one, and see the actual progress of work on every bug. ;) hope that helped you!

12:37 PM, September 17, 2009  
Blogger Luke Maurer said...

Ugh. So you decided to go with the per-window download tray after all in the final version?

I really don't get it. The whole point of Chrome is that the tab is king. Nothing is per-window. (Why not just have one app-wide tray if it's not per-tab?) And now I have a bunch of old downloads cluttering up the download bar, when before I didn't have to do anything to keep it clean.

That, and I can't just look at the tabs to figure out what's done downloading.

*grmbl*

3:26 PM, September 17, 2009  
Blogger SassyTeffie said...

The redesign is awful! I love Chrome, but the changes to the tab page and downloads stuff are so irritating I'm seriously considering returning to Firefox.

7:28 PM, September 17, 2009  
Blogger APURVA said...

could be better if the search results were in bold as in earlier......

8:22 PM, September 17, 2009  
Anonymous Anonymous said...

This new version is crap. All the things I enjoyed about Chrome is gone. Seriously, even if there won't be any updates, what's so bad about leaving the option to stay with the one before this?

11:33 PM, September 17, 2009  
Anonymous Anonymous said...

Fix the damn Flash CPU issue already.

8:45 AM, September 18, 2009  
Blogger Tom said...

npal - I came here to post exactly what you said. THERE IS A HUGE FLASH CPU USAGE PROBLEM WITH CHROME, especially with Google Reader. Google Reader sometimes becomes unusable because the flash plug-in is using 75-90% CPU! However, I also get high cpu spikes on just about any page these days with Google Chrome. The previous stable versions were not this bad. PLEASE FIX THIS GOOGLE.

9:16 AM, September 18, 2009  
Blogger carla said...

Re Ondřej said...

I'm on stable channel and this update nearly doubled my Chrome memory usage. That's very bad - it's slowing everything down. Javascript benchmarks are not everything.



I'm having the same issue.

9:47 AM, September 18, 2009  
Blogger efrancesco said...

I can't believe it, Chrome 3 made it to Stable. I use "Incognito Mode" all the time and the whole download-tray is an absolute nightmare.

Can you please ask your UI designer or engineers how does one know the speed of anything being downloaded in the download tray when you're in "Incognito Mode"? and how does one see more then 5/6 downloads on your download-tray?

The download history tab in "Incognito Mode" was working in previous versions. I just don't see why you would deny users such an important usability function in your latest release.

As a web-developer and a user who refuses to use any other browser, I'm hoping someone is listening.

12:27 PM, September 18, 2009  
Blogger Manu said...

my facebook page doesn´t work!!!! and today all is slooooooow...
are you working on it???
i dont know if my PC has de problem or is Chromme and this "updates"

2:45 PM, September 18, 2009  
Anonymous Anonymous said...

3.0 is fast but the chat window is no longer displaying

8:49 AM, September 19, 2009  
Blogger llogg said...

@Meok: Chrome is not anywhere near as customizable as Opera. It has advantages to Opera, but customization is an area that Opera dominates.

I would like to second the appeal for the old "new tab" page.

9:31 PM, September 19, 2009  
Blogger Spencer said...

Please: accurate current version numbers really need to be on the main Chrome site at http://www.google.com/chrome/

I had to search the web for 10 minutes before I finally found this blog.

We should not have to go to a whole separate blog just to learn what the number current version is.

This is critical information for IT departments, web page QA, client education, and all sorts of reasons. It should be referenced on the download site, not hidden away in some weird corner of the intarwebs.

6:03 PM, September 21, 2009  
Anonymous Anonymous said...

efrancesco is quite right. Trying to handle multiple downloads in Incognito mode is an absolute nightmare with this version.

12:42 AM, September 22, 2009  
Blogger Ethan said...

There is an issue when you choose a form in the drop down menu. Please fix!

4:40 PM, September 22, 2009  
Anonymous Anonymous said...

Hello mate, I want to thank you for this nice blog. Would you mind telling me some secrets for a succesful blog ? Which could attract some visitors than it normally does. Please come visit my site Local Business Directory Of Phoenix U.S.A. when you got time

11:36 PM, September 23, 2009  
Anonymous Anonymous said...

I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me. Thanks for all your help and wishing you all the success in your business. Please come visit my site alzheimer's symptoms when you got time.

6:01 AM, September 26, 2009  
Anonymous Anonymous said...

You got a really useful blog I have been here reading for about an hour. I am a newbee and your success is very much an inspiration for me. Please visit my site digestive disorders when you got time.

6:02 AM, September 26, 2009  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home