Tuesday, March 3, 2015

Stable Channel Update

The Chrome team is delighted to announce the promotion of Chrome 41 to the stable channel for Windows, Mac and Linux. Chrome 41.0.2272.76 contains a number of fixes and improvements, including:
  • A number of new apps/extension APIs
  • Lots of under the hood changes for stability and performance
A list of changes is available in the log.


Security Fixes and Rewards


Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.


This update includes 51 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.


[$7500][456516] High CVE-2015-1232: Out-of-bounds write in media. Credit to anonymous.
[$5000][448423] High CVE-2015-1213: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$5000][445810] High CVE-2015-1214: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$5000][445809] High CVE-2015-1215: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$4000][454954] High CVE-2015-1216: Use-after-free in v8 bindings. Credit to anonymous.
[$3000][456192] High CVE-2015-1217: Type confusion in v8 bindings. Credit to anonymous.
[$3000][456059] High CVE-2015-1218: Use-after-free in dom. Credit to cloudfuzzer.
[$3000][446164] High CVE-2015-1219: Integer overflow in webgl. Credit to Chen Zhang (demi6od) of NSFOCUS Security Team.
[$3000][437651] High CVE-2015-1220: Use-after-free in gif decoder. Credit to Aki Helin of OUSPG.
[$2500][455368] High CVE-2015-1221: Use-after-free in web databases. Credit to Collin Payne.
[$2500][448082] High CVE-2015-1222: Use-after-free in service workers. Credit to Collin Payne.
[$2000][454231] High CVE-2015-1223: Use-after-free in dom. Credit to Maksymillian Motyl.
[449610] High CVE-2015-1230: Type confusion in v8. Credit to Skylined working with HP’s Zero Day Initiative.
[$2000][449958] Medium CVE-2015-1224: Out-of-bounds read in vpxdecoder. Credit to Aki Helin of OUSPG.
[$1000][446033] Medium CVE-2015-1225: Out-of-bounds read in pdfium. Credit to cloudfuzzer.
[$1000][456841] Medium CVE-2015-1226: Validation issue in debugger. Credit to Rob Wu.
[$1000][450389] Medium CVE-2015-1227: Uninitialized value in blink. Credit to Christoph Diehl.
[$1000][444707] Medium CVE-2015-1228: Uninitialized value in rendering. Credit to miaubiz.
[$500][431504] Medium CVE-2015-1229: Cookie injection via proxies. Credit to iliwoy.


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. The total value of additional rewards and their recipients will be updated here when all reports have gone through the reward panel.


As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [463349] CVE-2015-1231: Various fixes from internal audits, fuzzing and other initiatives.
  • Multiple vulnerabilities in V8 fixed at the tip of the 4.1 branch (currently 4.1.0.21).


Many of the above bugs were detected using AddressSanitizer or MemorySanitizer.


Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.


Penny MacNeil
Google Chrome

54 Comments:

Blogger Garpu said...

Think the 64-bit Linux .deb package is corrupt:

lzma: (stdin): File format not recognized
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors

1:57 PM, March 03, 2015  
Blogger Abdalrhman mohamed said...

Very good renovation

2:21 PM, March 03, 2015  
Blogger Penny MacNeil said...

Thank you for your comments!

@Garpu: I've confirmed that there doesn't seem to be anything wrong with the 64-bit Linux packages being served, and there aren't any trends in Linux installation failures.

My recommendation would be to try to install again cleanly, either through a package manager (eg: "sudo apt-get install google-chrome-stable"), or directly from https://www.google.com/chrome/browser/.

I hope it works for you!

6:03 PM, March 03, 2015  
Blogger Matt Webb said...

Has anyone else had issues with NTLMv1 authentication and the latest Chrome version? It seems v41 does not authenticate Google's own domains, but does authenticate other domains.

5:02 AM, March 04, 2015  
Blogger Garpu said...

Figured it out. Works fine on my end! (Slackware)

7:02 AM, March 04, 2015  
Blogger unknownman72 said...

Everything is good, but again YouTube videos in 1080p are a bit laggy for me, and on YouTube the main search gap, when you write some text here, the text strangely goes up and it is ugly. That problem is with writing to the upper gap in Chrome, when you are searching web pages, and when it turns blue, it is not symmetrical. But very good update at all. Bye.

7:04 AM, March 04, 2015  
Blogger unknownman72 said...

And searching is a bit slower and more laggy than before.

7:10 AM, March 04, 2015  
Blogger Christian Reichenberger said...

We also have an issue with Chrome v41 and NTLM authentication against our Squid proxy server. With v40 everything is good; with v41 Chrome cannot authenticate itself / the logged-on user against the Squid proxy via NTLM.

Anybody else with this problem?

7:24 AM, March 04, 2015  
Blogger Kevin Ramsay said...

garpu - you said you figured it out...do tell.
I'm getting the same error on slackware 14.1 64 stable

7:53 AM, March 04, 2015  
Blogger Chris Johnston said...

Has anyone had an issue with computers on a domain keep asking for the proxy credentials? They all have to be using the proxy. Supposed to be controlled in Explorer.

8:19 AM, March 04, 2015  
Blogger Gregory Rowley said...

@Christian Reichenberger

We also had a similar issue this morning. NTLM authentication was not working when accessing HTTPS sites. We are using McAfee Web Gateway. The issue turned out to be with chunked encoding. Once we enabled the browser to negotiate chunked encoding, HTTPS sites started working. Hope this helps.

9:36 AM, March 04, 2015  
Blogger . said...

Unfortunately Massdrop.com is still broken, guys! I can't log in. Firefox is fine, as were the other previous Chrome releases besides the last 2 (and this one, obviously).

This is on a freshly formatted PC containing Windows 8.1 x64.

12:34 PM, March 04, 2015  
Blogger unknownman72 said...

Sorry, my mistake. On YouTube the main search gap, when you write some text here, the text strangely goes up and it is ugly. That problem is with writing to the upper gap in Chrome too, when you are searching web pages, and when it turns blue, it is not symmetrical.

1:01 PM, March 04, 2015  
Blogger Tom Francis said...

This comment has been removed by the author.

1:13 PM, March 04, 2015  
Blogger Tom Francis said...

So I was expecting sites with SHA-1 certificates expiring in 2017 or later to start showing the red strike-through https in the address bar, but for some reason I am not seeing this.

Was this change left out or delayed? As far as I can see, the behaviour is the same as in 40.

And now I look silly after all the warnings I have been giving people about this change, lol.

1:24 PM, March 04, 2015  
Blogger Penny MacNeil said...

Hello folks,

We are actively looking into the authentication issues: https://code.google.com/p/chromium/issues/detail?id=463937.

Thank you for your patience and failure details.

2:08 PM, March 04, 2015  
Blogger Misty's said...

Please can someone tell me what does "your connection to example.com is encrypted with OBSOLETE CRYPTOGRAPHY" mean?

Is it bad? Because it shows up on sites like Paypal when I view the site's information.

5:33 PM, March 04, 2015  
Blogger Alan Wexford said...

Is CVE-2015-0204 fixed in this release? It's not mentioned in the release notes, but according to the researchers at https://www.smacktls.com/ it's fixed in Chrome 41.

Also, are OS X and Android the only platforms where Chrome is affected by CVE-2015-0204?

8:49 PM, March 04, 2015  
Blogger Angel said...

We have the same problem exactly like Christian Reichenberger.


We also have an issue with Chrome v41 and NTLM authentication against our Squid proxy server. With v40 everything is good; with v41 Chrome cannot authenticate itself / the logged-on user against the Squid proxy via NTLM.

thx

12:26 AM, March 05, 2015  
Blogger Сергей Заворотков said...

The same problem.
Chrome v41, Squid, NTLM

We also have an issue with Chrome v41 and NTLM authentication against our Squid proxy server. With v40 everything is good; with v41 Chrome cannot authenticate itself / the logged-on user against the Squid proxy via NTLM.

1:28 AM, March 05, 2015  
Blogger Saro Jooren said...

Hi Misty, for "your connection to example.com is encrypted with OBSOLETE CRYPTOGRAPHY", this means the website you were visiting is using obsolete SSL/TLS. For details see: Deprecation of TLS Features/Algorithms in Chrome

7:26 AM, March 05, 2015  
Blogger Misty's said...

@Saro Jooren
Thank you for your help.

8:17 AM, March 05, 2015  
Blogger Chris Bentzel said...

Thanks for all the reports about the authenticating proxy regression in M41.

If you are interested in tracking progress on the bug, you can look at https://code.google.com/p/chromium/issues/detail?id=463937

9:19 AM, March 05, 2015  
Blogger John Miller said...

A question about "affirmatively secure:" how will this actually appear in my browser? I'm currently using Chrome 41 to access one of my SHA-1/2017-expiration sites, and apart from "https:" appearing in gray like a non-HTTPS site, there's no indication that the site is insecure. In other words, how has the behavior changed since Chrome 40? How is/was it supposed to change?

11:12 AM, March 05, 2015  
Blogger Saro Jooren said...

Hi John, for a description and picture of what we thought Chrome 41's "affirmatively insecure" is supposed to look like, see the Chrome 41 section in Gradually sunsetting SHA-1

12:20 PM, March 05, 2015  
Anonymous Anonymous said...

Hi,

Could you bring back all the features of Google Hangout without the need for Adobe Flash?

For instance, screen sharing.

Thank You.

9:36 PM, March 05, 2015  
Blogger Sean Crowley said...

I also have the issue with NTLM, SQUID and Chrome v41.

Has anyone tried a fix at all?

2:25 AM, March 06, 2015  
Blogger DAOWAce said...

The font of Chrome's UI changed to some blurry awful thing. Barely any reports about this, what's going on, why'd it change?

3:20 AM, March 06, 2015  
Blogger John Cosentino said...

Linux HiDPI still does not exist, it appears that the scaling option was removed from //flags, and now Google Keep doesn't adhere to HiDPI at all. I am not happy with this release!

The Google Keep problem really hurts my eyes

4:43 AM, March 06, 2015  
Blogger Erwin Zengerink said...

I have Chrome distributed to 3,500 PCs in an enterprise environment with auto update enabled. Since the update from version 40 to 41 we are having problems where Chrome 41 will crash immediately at start up, on both Windows XP and 7. Process monitor does not reveal anything out of the ordinary. There are no Chrome crash logs created. Has anyone else experienced this?

8:29 AM, March 06, 2015  
Blogger Kevin Haldeman said...

Ditto what Erwin Zengerink said. I'm also having problems with Chrome crashing all of a sudden on startup. I have around 650 PCs, and I'm starting to get multiple reports of this. We use redirected directories and roaming profiles. If I delete the "Local State" file in the profile directory I can get it to start again, but only once.

10:38 AM, March 06, 2015  
Blogger Miszkurka2000 said...

When page compression in desktop Chrome?

11:13 AM, March 06, 2015  
Blogger Kevin Haldeman said...

My problem appears to have been a GPO issue. Resolved with Issue 464616 solution to remove trailing backslash from user profile path.

12:15 PM, March 06, 2015  
Blogger Zordon said...

Ever since this latest Chrome update, I have been having a ton of issues with youtube videos only playing sound and gifs on twitter not loading.

11:26 PM, March 06, 2015  
Blogger Miroslav Georgiev said...

"...The font of Chrome's UI changed to some blurry awful thing. Barely any reports about this, what's going on, why'd it change?..."

I have the same issue on both my home PC and office, running on Windows 7 64-bit.
I just can't get when Chrome will finally resolve the awful font rendering under Windows...

6:40 AM, March 07, 2015  
Blogger baseballjustin5 said...

I can't remove profiles on Google Chrome. I have my account and my grandpa's account and I can't remove either account. Is there (a) any way to fix this or (b) is this a bug in update 41.0.2272.76?

1:03 PM, March 07, 2015  
Blogger Miszkurka2000 said...

Sometimes NaCl stops and I must refresh the page.
http://folding.stanford.edu/nacl/

Miszkurka2000
Team 276

3:20 AM, March 08, 2015  
Blogger Vanp said...

The new update has some issues with font .. the size of the font has become smaller .. especially on Google Spreadsheets, which I use most of the time .. I am not sure why there is a need to finger in things which are working perfectly ..

11:01 AM, March 08, 2015  
Blogger J Adrian Durbin said...

I have a problem that when going to Facebook the Shockwave Flash plugin crashes and the page becomes unresponsive. I have tried recommended solutions on Google search and nothing is working (only one SW Flash plugin showing). I never had this problem before this latest update. Running Windows 7 Home Edition on a 64 bit machine. Is SW Flash player so built into this update that it does not show up as a plugin?

12:37 PM, March 08, 2015  
Blogger Steven Piper said...

MASSIVE problems with Chrome 41 on Windows 7 64-bit. It is practically unusable. It lags and crashes all the time, takes 3-4 seconds to switch tabs, the transparency doesn't work in the title bar, and YouTube videos play like crap. What is going on, Google? This thing goes through around 3 stages before it is released, and you never catch any of these problems?

2:19 PM, March 08, 2015  
Blogger Unknown said...

Same problem as Kevin Haldeman and Erwin Zengerink.

We use roaming profiles and redirect Google Chrome folders with GPO. Everything worked in previous versions. With version 41 Chrome does not start. If I delete the user's Chrome data catalog in %appdata% it will open once, the folders will be recreated, but if the user closes Chrome it will not open the next time again.

3:40 AM, March 09, 2015  
Blogger Unknown said...

Found the solution:

“Our environment was working perfectly until Chrome 41, as users upgraded we found they couldn't open their browser at all. After much troubleshooting we found that it was all down to how we had specified our UserDataDir - we previously had '{$roaming_app_data}\Google\Chrome\', which worked fine. Note that we set this using Chrome group policy.

As of Chrome 41, the trailing backslash causes the above issue. Removing the backslash fixes the issue.”

6:35 AM, March 09, 2015  
Blogger lupyno said...

Visual effects in Windows settings (performance options) changes the blurry smoothing UI font in Chrome. Uncheck the option "Smooth edges of screen fonts" BUT then the fonts in Outlook or other apps are awful, even in web pages... so I hope there will be some other correction for this bug.

7:24 AM, March 09, 2015  
Blogger Jonathan Quintin said...

I got the font problem too using Windows 7 64-bit. To temporarily fix this issue, you can enable "Disable DirectWrite" in "chrome://flags/".

8:54 AM, March 09, 2015  
Blogger DAOWAce said...

DirectWrite isn't the problem as far as I'm aware.

Something changed in Chrome 41's core that affected text rendering.

Disabling DirectWrite helps a bit, but the font still doesn't look like it used to; it's still off.

I'm just glad I don't use Chrome for anything except video (twitch/youtube 60fps), so I don't really care that much about it to the point where I'd downgrade, otherwise I would go back to v40 as this is unacceptable.

11:57 AM, March 09, 2015  
Blogger Tomáš Ivánek said...

This comment has been removed by the author.

12:42 PM, March 09, 2015  
Blogger Erwin Zengerink said...

Thanks to Kevin Haldeman and unknown. I discovered the same behaviour and have now set the UserDataDir back to default. It does raise the question how Google missed this in UAT...

9:15 AM, March 10, 2015  
Blogger Martin said...

The Chrome UI and webpages no longer respond to mouse events properly (especially mouseovers and dragging) when using Chrome 41 for Linux (Xubuntu 14.10) in VirtualBox for Windows 7. Version 40 worked fine.

A workaround seems to be disabling the mouse integration, but that needs to be done every time I boot up the virtual PC, so it is annoying. No other program seems to be suffering from this issue.

11:41 PM, March 10, 2015  
Blogger Krzysiek Pyrdoł said...

After update to 41 I have all the time error Program stopped working. No way to run the app.

Also same thing as DAOWAce said:
The font of Chrome's UI changed to some blurry awful thing. Barely any reports about this, what's going on, why'd it change?

Please fix this or tell me how to rollback to 40 version

8:25 AM, March 12, 2015  
Blogger http://www.winhotspot.com/ said...

After updating Chrome to 41.0.2272.89
Click-to-Play under Plug-Ins doesn't work anymore.

9:43 AM, March 12, 2015  
Blogger Antipika said...

To disable the ugly blurry UI font without messing up with the Windows setting (which affects other applications), start chrome with the following cmd line:

--disable-directwrite-for-ui

Add it in your Chrome shortcut, it should look like:

X:\Users\[username]\AppData\Local\Google\Chrome\Application\chrome.exe --disable-directwrite-for-ui

5:52 PM, March 12, 2015  
Blogger Barb said...

@Antipika - Thanks! That worked for me.

5:42 AM, March 13, 2015  
Blogger Lee said...

I work for a company making web games. We use easel canvas and now with v41 we get a strange color being rendered over the top of the canvas. Anyone else had similar issues?

6:56 PM, March 15, 2015  
Blogger Camille Hodoul said...

We have a JS app, with a lot of canvas, DOM access, etc. The app hasn't been updated for 2 months, but we've been receiving reports of tab crashes on chrome for the last week.

Anyone getting something similar? We're having trouble figuring out what is crashing Chrome.

1:02 AM, March 17, 2015  
