The Google Chrome team is excited to announce the arrival of Chrome 10.0.648.127 to the Stable Channel for Windows, Mac, Linux, and Chrome Frame. Chrome 10 contains some really great improvements including:
- New version of V8 - Crankshaft - which greatly improves JavaScript performance
- New settings pages that open in a tab, rather than a dialog box
- Improved security with malware reporting and disabling outdated plugins by default
- Sandboxed Adobe Flash on Windows
- Password sync as part of Chrome Sync now enabled by default
- GPU Accelerated Video
- Background WebApps
- webNavigation extension API (experimental but ready for testing)
Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
As can be seen, a few lower-severity issues were rewarded on account of being particularly interesting or clever, and some rewards were issued at the $1500 and $2000 level, reflecting bug reports where the reporter also worked with Chromium developers to provide an accepted patch.
- [42574] [42765] Low Possible to navigate or close the top location in a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
- [Linux only] [49747] Low Work around an X server bug and crash with long messages. Credit to Louis Lang.
- [Linux only] [66962] Low Possible browser crash with parallel print()s. Credit to Aki Helin of OUSPG.
- [$1337] [69187] Medium Cross-origin error message leak. Credit to Daniel Divricean.
- [$500] [69628] High Memory corruption with counter nodes. Credit to Martin Barbella.
- [$1000] [70027] High Stale node in box layout. Credit to Martin Barbella.
- [$500] [70336] Medium Cross-origin error message leak with workers. Credit to Daniel Divricean.
- [$1000] [70442] High Use after free with DOM URL handling. Credit to Sergey Glazunov.
- [Linux only] [70779] Medium Out of bounds read handling unicode ranges. Credit to miaubiz.
- [$1337] [70877] High Same origin policy bypass in v8. Credit to Daniel Divricean.
- [70885] [71167] Low Pop-up blocker bypasses. Credit to Chamal de Silva.
- [$1000] [71763] High Use-after-free in document script lifetime handling. Credit to miaubiz.
- [71788] High Out-of-bounds write in the OGG container. Credit to Google Chrome Security Team (SkyLined); plus subsequent independent discovery by David Weston of Microsoft and MSVR.
- [$1000] [72028] High Stale pointer in table painting. Credit to Martin Barbella.
- [73026] High Use of corrupt out-of-bounds structure in video code. Credit to Tavis Ormandy of the Google Security Team.
- [$1000] [73066] High Crash with the DataView object. Credit to Sergey Glazunov.
- [$1000] [73134] High Bad cast in text rendering. Credit to miaubiz.
- [$2000] [73196] High Stale pointer in WebKit context code. Credit to Sergey Glazunov.
- [73716] Low Leak of heap address in XSLT. Credit to Google Chrome Security Team (Chris Evans).
- [$1500] [73746] High Stale pointer with SVG cursors. Credit to Sergey Glazunov.
- [$1000] [74030] High DOM tree corruption with attribute handling. Credit to Sergey Glazunov.
- [$1000] [74662] High Corruption via re-entrancy of RegExp code. Credit to Christian Holler.
- [$1000] [74675] High Invalid memory access in v8. Credit to Christian Holler.
We would also like to thank Ben Hawkes of the Google Security Team, Sergey Glazunov, Martin Barbella and “temp01irc” for working with us during the development cycle and helping prevent bugs from ever reaching the stable channel.
Last, but not least, we’d like to offer special thanks (plus additional rewards to those listed above) to Christian Holler. This is for working with us on his grammar-based fuzzing project, resulting in a more stable and secure “Crankshaft” engine for v8.
More on what's new at the Official Chrome Blog. You can find full details about the changes that are in Chrome 10 in the SVN revision log. If you find new issues, please let us know by filing a bug. Want to change to another Chrome release channel? Find out how.
Jason Kersey
Google Chrome