Tuesday, April 14, 2015

Stable Channel Update

The Chrome team is overjoyed to announce the promotion of Chrome 42 to the stable channel for Windows, Mac and Linux. Chrome 42.0.2311.90 contains a number of fixes and improvements, including:


A list of changes is available in the log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 45 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$7500][456518] High CVE-2015-1235: Cross-origin-bypass in HTML parser. Credit to anonymous.
[$4000][313939] Medium CVE-2015-1236: Cross-origin-bypass in Blink. Credit to Amitay Dobo.
[$3000][461191] High CVE-2015-1237: Use-after-free in IPC. Credit to Khalil Zhani.
[$2000][445808] High CVE-2015-1238: Out-of-bounds write in Skia. Credit to cloudfuzzer.
[$1000][463599] Medium CVE-2015-1240: Out-of-bounds read in WebGL. Credit to w3bd3vil.
[$1000][418402] Medium CVE-2015-1241: Tap-Jacking. Credit to Phillip Moon and Matt Weston of Sandfield.
[$500][460917] High CVE-2015-1242: Type confusion in V8. Credit to fcole@onshape.com.
[$500][455215] Medium CVE-2015-1244: HSTS bypass in WebSockets. Credit to Mike Ruddy.
[$500][444957] Medium CVE-2015-1245: Use-after-free in PDFium. Credit to Khalil Zhani.
[$500][437399] Medium CVE-2015-1246: Out-of-bounds read in Blink. Credit to Atte Kettunen of OUSPG.
[$500][429838] Medium CVE-2015-1247: Scheme issues in OpenSearch. Credit to Jann Horn.
[$500][380663] Medium CVE-2015-1248: SafeBrowsing bypass. Credit to Vittorio Gambaletta (VittGam).

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. The total value of additional rewards and their recipients will be updated here when all reports have gone through the reward panel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
[476786] CVE-2015-1249: Various fixes from internal audits, fuzzing and other initiatives.
Multiple vulnerabilities in V8 fixed at the tip of the 4.2 branch (currently 4.2.77.14).

Many of the above bugs were detected using AddressSanitizer or MemorySanitizer.

Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Alex Mineer
Google Chrome

67 Comments:

Blogger Irbidan said...

There is a problem with links of each bug in this post. All links are of 'Code Google': https://code.google.com

10:52 AM, April 14, 2015  
Blogger Megan Ryan said...

Why for Google Chrome and Firefox the plugin for Java AND Shockwave player isn't supported? I mean they're both updated, but the plugins won't work or check. Plus when I checked chrome:plugins it has 5 plugins even flashplayer.

11:07 AM, April 14, 2015  
Blogger m_gol said...

@Megan because Chrome 42 drops NPAPI support, i.e. all cross-browser plugins except Flash. It's been announced long ago, in 2013.

11:10 AM, April 14, 2015  
Blogger Eric Ahnell said...

Wa-hey! I correctly predicted Chrome 42 arriving in the Stable Channel. 1/41 on update predictions XD

12:04 PM, April 14, 2015  
Anonymous Anonymous said...

@Megan Ryan - There is a way to temporarily re-enable NPAPI support in Chrome. Go to chrome://flags/#enable-npapi and click Enable.

Keep in mind that in September 2015 (Chrome 45) NPAPI support will be permanently removed from Chrome and extensions that require NPAPI plugins will no longer be able to load those plugins. So, this is only a temporary fix.

12:19 PM, April 14, 2015  
Blogger Bendlas said...

Where are the source tarballs? http://commondatastorage.googleapis.com/chromium-browser-official/chromium-42.0.2311.90.tar.xz doesn't work, currently.

3:12 PM, April 14, 2015  
Anonymous Anonymous said...

Even in this release it's still better to turn off hardware acceleration

5:54 PM, April 14, 2015  
Blogger Miszkurka2000 said...

Why?

8:59 PM, April 14, 2015  
Blogger Karen Bear said...

Today's date: 4-14-15.
OK, I have Windows 7 64-bit, Home Premium. Today my Google Chrome updated to version 42.0.2311.90 m.

These plugins no longer appear in its plugin list:
Widevine, VLC, Java, Silverlight, Foxit Reader plugin, Google Earth plugin, Photo Gallery, Google Update, Unity Player, Google Talk.

I did find something today to tell me how to temporarily re-enable this; now they all are showing up. I also know that in September 2015, in the next version of Google Chrome (in September), I won't be able to re-enable them again ever.

However, for the moment, Firefox has them all listed and they work.

9:53 PM, April 14, 2015  
Blogger Karen Bear said...

If I accidentally double-commented the same thing, I'm sorry about that; my browser had an ooooopsy moment.

9:54 PM, April 14, 2015  
Blogger Display name said...

Please fix the Bengali font problem in the tab title, omnibar and the 'find' box. The usual fonts are replaced by rectangular blank boxes. Here is a screenshot: http://imgur.com/w3AmQJr

PS: Why haven't you mentioned the changes in your Bookmarks manager? I absolutely loved it!

10:37 PM, April 14, 2015  
Blogger Display name said...

PS2: Also, please redesign the card in which Chrome shows search suggestions (while typing in the omnibar). Please make it just like it is in Chrome's android version: the card is slightly 'raised'. Also, it would look better, in my opinion, if it takes only some space below JUST the omnibar, NOT the entire toolbar (which contains the back and forward buttons, the refresh button, the omnibar and the menu button.), just like it was in Chrome 27 and prior versions.

10:44 PM, April 14, 2015  
Blogger Display name said...

PS3: The font problem is occurring in Chrome's Windows 7 versions, but not in Windows 8.

There's another problem: extensions crash. I think all extensions crash while installed from the webstore, but not when installed in the developer mode. Extensions crash every time I start the browser or in the middle of browsing.

The message that is shown in the chrome://extensions page under the crashed extension is

"This extension may have been corrupted."

There appears an option to "Repair" the extension just left to the bin (remove) icon. Screenshot: http://imgur.com/WHLkyo7

Again, this is appearing on my Windows 7 computer, but not on Windows 8.

10:54 PM, April 14, 2015  
Blogger manus said...

@Display name, The Windows font problem is an old one: crbug.com/102449 -- feel free to star it.

3:06 AM, April 15, 2015  
Blogger Alex Schedar said...

Most videos on YouTube do not play with Chrome 42.

4:14 AM, April 15, 2015  
Anonymous Anonymous said...

Because it's faster and less memory intensive that way.

4:21 AM, April 15, 2015  
Blogger Spy1999 said...

I am still using an old Core 2 PC. Today I found that Google Chrome shows only one version of Flash Player; when I play a Facebook game, the CPU usage reaches 100%, so I followed the above instructions to enable the NPAPI version of Flash Player.

Any idea how to solve the CPU usage problem when using the PPAPI Flash Player?

Thank you.

8:15 AM, April 15, 2015  
Blogger João Manoel said...

Hello,

I'm having a problem with my chrome in recent days: it does not download the dictionary in Portuguese BR for the spell checker and also does not display some icons of

I have uninstalled (including using Revo) and allowed the program in the firewall, and it is not solved.

A screenshot of what appears in place of the icons: http://prntscr.com/6u3mg8

10:00 AM, April 15, 2015  
Blogger Jason Mickelson said...

Google, you better come up with a better solution than what you are going to force us Chrome users on your build that is coming out in September. Sites are not going to bow to you when you disable NPAPI permanently for plug-ins.
There is a lot of coding that goes into plug-in compatibility and this is going to cause a major stink.

11:33 AM, April 15, 2015  
Blogger Kimba T said...

Great. I used to have probs with Facebook videos. They stuttered and shook (only FB). I had 2 Flash players in plugins (the normal one and that Pepper one). Always had to deactivate that Pepper Flash, and videos worked fine. Now the normal Flash Player is gone, so when I deactivate the Pepper, I can't watch any videos, because there is no other player anymore. And with it activated, they still stutter. So bye-bye FB videos. Or bye-bye Chrome...

12:56 PM, April 15, 2015  
Blogger Shyam Bansal said...

This is broken. The Gmail.com widget for placing phone calls is not working. The new Hangouts app is missing phone numbers in search.

2:33 PM, April 15, 2015  
Blogger Shyam Bansal said...

Hangouts app in Gmail.com is broken and now one cannot use old Gmail.com plugin anymore. Going to Firefox now....
The new Hangouts app in Gmail.com has broken communication (ie broken sounds) in phone calls.

New Hangouts widget in Gmail on Windows desktop on Chrome browser, not showing ALL phone numbers in search: I am using the new Hangouts widget in Gmail, and am trying to call a phone on it by pressing the phone icon. I have thousands of contacts. But when I try to search for a name in the phone number entry field, the search is not showing the desired names, even though the contact exists in Gmail contacts. This used to work fine in the old Gmail phone call widget. Kindly fix this. One can try to see this issue by having 1000s of contacts in Gmail Contacts, and then trying to "search" for that number in the Hangouts widget in Gmail, while trying to make a phone call from Gmail Hangouts. Lots of those contacts will not show up.

From https://docs.google.com/document/d/1BGiX28xE51N932q9BrV84nBw5wO68kEMSQf8Iccmt5k/edit

2:37 PM, April 15, 2015  
Blogger Christian Parker said...

@Jack Wilcox Thanks so much for that temporary fix. I was trying all day to figure out why none of the plugins would work for my security cameras' different web interfaces or Java's version checker in Chrome but all worked fine in IE, which I haven't used in years. I hope when September comes everything is ready and Chrome compatible.

11:31 PM, April 15, 2015  
Blogger hedgehog ful said...

Has anyone else lost the "Permissions Manager"? (The drop-down when you click on the paper/lock to the left of the address bar). Until today I could make my permissions site-specific. Now it just links to the global settings page. Any way I can restore please?

3:19 AM, April 16, 2015  
Blogger Karl said...

Very bad bookmarks, unusable. I can't copy the same link in more than one directory, I can't see the directory tree on the left side, etc. Horrible. I'm a Google fan but... what are you doing

4:46 AM, April 16, 2015  
Blogger Lounis Ha said...

google chrome Version 42.0.2311.90

no unity player WTF why?

4:58 AM, April 16, 2015  
Blogger hedgehog ful said...

Karl, if you are referring to the Stars bookmarks and prefer the old system (me too!) I found out how to fix it.
chrome://flags/#enhanced-bookmarks-experiment
and choose disabled.

5:19 AM, April 16, 2015  
Blogger Антон Подшивалов said...

Only right click enables plugins (Adobe Flash) if the permission for plugins to run is set to ask the user (in the old version I could enable a plugin with a left button click). This didn't work if this option (DefaultPluginsSetting_Policy) is enabled via AD GP.

5:29 AM, April 16, 2015  
Blogger Karl said...

Thanks a lot hedgehog!

5:48 AM, April 16, 2015  
Anonymous Anonymous said...

If you play games on Zynga.com do NOT update to the newest version if you want to play the games. This version removes all versions of Flash except PepperFlash and it will not allow you to add another version. I cannot play games with PepperFlash or watch videos either as they are too jittery to view. If you want to update, I suggest you find another browser to play the games in because you will get NOTHING done with Chrome 42.

9:32 AM, April 16, 2015  
Blogger Crabby 'Ol Man said...

I'm all for modern standards, etc, but why in the world are you removing the NPAPI toggle that the general public is never going to find/use?

Even the most dense person in IT must realize how much of the Enterprise market relies on incredibly out of date Oracle/Java technologies, and your arguments about all the evils of said technology fall flat.

It's like telling homeless people they'd stop being homeless if only they bought a house.

Your approach to the Enterprise market with this issue is high on smugness, and completely void on realism.

10:50 AM, April 16, 2015  
Blogger Scott Glajch said...

The enable NPAPI flag doesn't exist when I go to the chrome flags page.

11:20 AM, April 16, 2015  
Blogger . said...

Thanks, guys! MassDrop.com is finally working again, I can log in without any problems. Good job!

11:37 AM, April 16, 2015  
Blogger Eric Ahnell said...

@Scott Glajch Are you using Linux? If so, NPAPI support is long gone - it was removed back in version 34.

11:47 AM, April 16, 2015  
Blogger Nigcra said...

Антон Подшивалов is right. This version drops the group policies and if you have set it to "Click-to-Play", you can't activate any plugin anymore.

12:04 PM, April 16, 2015  
Blogger Smolniy said...

Search in google:
chrome 42.0.2311.90m
First page:
Adobe plug-in missing after upgrade to Version 42.0 ...
Java Plugins disappear after new Chrome update to Version 42.
Chrome 42.0.2311.90 m not support silverlight - MSDN - Microsof
Java Plugins disappear after new Chrome update to Version 42.0
Webplayer not working on Chrome 42.0.2311.90 m | Unity Com
Shockwave Player in Chrome Version 42.0.2311.90 m | Adobe ...
GWT plugin not wortking with Chrome 42.0.2311.90 m

Respect, corporation of good!

12:48 PM, April 16, 2015  
Blogger Simone said...

NPAPI plugin together with "Disable YouTube HTML5 Player" was the only way I had to run Flash videos (basically YouTube) smoothly.
Come on, Google...at least give us choice.

5:47 PM, April 16, 2015  
Blogger Birdie Bee said...

I do not like the changes to Google Chrome for my bookmarks. It is harder to access them, the search function doesn't work as well and it takes a nightmare to open one up (clicking is so hard for me as I have limited use of my right hand). Ugg! Not liking this update whatsoever.

7:04 PM, April 16, 2015  
Blogger Ramzani said...

Smolniy, try this in Chrome: "chrome://flags/#enable-npapi"
Enable it and click Relaunch Now.

7:32 PM, April 16, 2015  
Blogger StrangeCraftGaming said...

Well, unless Java can get support before the last deadline this house will be dropping Chrome as its main browser. The family here play Pogo Games (which is a Java based game site) and if Chrome cannot run Java then, so long, and thanks for all the fish.

11:40 PM, April 16, 2015  
Blogger Hanspeter Holzer said...

What a mess! If you've been using GPO (group policies) to set click-to-play, this version prevents plugin execution altogether. Why couldn't you just default to the nearest equivalent of the old GPO setting?
Now we have to replace this GPO for every single one of our customers.

2:52 AM, April 17, 2015  
Blogger Firoz Khan said...

how to download youtube videos mac-How to Download YouTube Videos Mac: a detailed YouTube Download Mac guide, telling you how to download YouTube videos with an excellent YouTube Video Downloader for Mac

3:00 AM, April 17, 2015  
Blogger Götz Geese said...

After upgrading, when click to play is active by GPO, Flash movies won't play. When I disable the setting everything works right.

3:03 AM, April 17, 2015  
Blogger Monique Davis said...

cannot watch videos or play my games so what is the use of this silly "upgrade"?

6:02 AM, April 17, 2015  
Blogger ConsAdvo said...

While I appreciate some Google Products, let this be a lesson: Google does not rule the world, PERIOD. I'm not the only one Fed-up with their unilateral decisions and implementation of changes -- The masses are sick and god-damn tired of their arrogance and blatant bullying in the world of technology. Get over your damn-selves. If I choose to use an NPAPI Plug-In, that's my own damn business -- Get the hell out of our lives. Intrusive Nazis.

6:05 AM, April 17, 2015  
Blogger Matteo Morreale said...

Same as Антон Подшивалов: right click is now necessary to enable external plugins such as Flash Player; left click was a better choice.

6:53 AM, April 17, 2015  
Blogger Gary Holcomb said...

After the update, I can no longer see Google Chrome's built-in Flash, which I thought was faster and more stable than Adobe. How can I get Chrome's Flash back?

6:53 PM, April 17, 2015  
Blogger Unknown said...

Don't like the way to use bookmarks; make it simple.

5:51 AM, April 18, 2015  
Blogger eagleapex said...

I'm glad I'm not the only user that doesn't like the change to enable plugins. A single, simple left-click was sufficient before. Adding another click more than doubles the hassle, for no reason I can tell.

6:53 AM, April 18, 2015  
Blogger Shooting Star said...

Is there a way to prevent Google Chrome from attempting to load all my Tabs on start-up?

It used to be, I would wait a while after opening Chrome, no more than half a minute or so, so that Chrome can cycle through all my Tabs and give an "Internet Connection Error" before turning on my Internet. This stopped it from trying to load all my 90-something Tabs even though I'm not looking at them. Then, I just go to each Tab when I'm ready, and they load as I am ready to look at them, and most importantly, not all at once when I'm not ready.

Now, with this new update, the way it works seems to have changed. Chrome will periodically try to load each unloaded Tab whenever it detects an Internet source, meaning my 90-something Tabs across 2 windows will each try to load, and I'll start hearing a Youtube video from a random Tab start playing and, worst of all, my computer slows to a crawl (plus, my Internet slows down, too, trying to load all those Tabs and the media within).

Is there any way to go about this? Stop Chrome from loading Tabs on start-up and prevent it from always trying to load/refresh each Tab/page that's not loaded whenever it detects working Internet?

Thanks for any help out there, guys. It'll be greatly appreciated.

9:10 PM, April 18, 2015  
Blogger Dr Frogga said...

BRING BACK JAVA!

12:55 AM, April 20, 2015  
Blogger Amber Nolte said...

I almost cried when I went to open a bookmark yesterday to see that all of my meticulous organization I have spent years on was gone. The hundreds of folders, alphabetized, sorted, and cross referenced for the thousands of links I have saved for my work were all scrapped in favor of poorly categorized "Auto Folders" or a bulk list. And what, I'm supposed to just set all that up again for a fancier bookmark menu? No, thank you, and thank you so much to User Hedgehog for the fix. As long as I am able to keep the new bookmarks feature turned off I will stay with Google Chrome.

8:45 PM, April 20, 2015  
Blogger djebbi walid said...

java

12:13 PM, April 21, 2015  
Blogger djebbi walid said...

java script

12:15 PM, April 21, 2015  
Blogger David said...

Well it took me 10 years to switch from Internet Explorer. Because I can't upload my checks at the bank and a few other Java things...I guess I will be returning back to Explorer...Hey at least they are not too bull headed to know we need the java.

2:41 PM, April 21, 2015  
Blogger TheMungKey said...

As Götz Geese says above, where click to play is enforced using Group Policy in a Windows domain environment, you cannot click on a plugin to enable it. No amount of fiddling with the plugin settings in Chrome will enable the plugin to run. A lot of websites still use Flash and this is a major hassle in our environment where we have only recently switched to Chrome and now I have to tell people to go back to IE until this is fixed. Chrome version 42.0.2311.90

4:16 AM, April 22, 2015  
Blogger TheMungKey said...

PS, I've tried whitelisting sites in the Group Policy object and that does not work, the only thing that works is disabling 'click to play' in the gpo, which is less secure.

4:23 AM, April 22, 2015  
Blogger Sall said...

So how do I play live streaming videos now? It says Adobe Flash is missing :(

How to fix?

6:46 AM, April 22, 2015  
Blogger Sall said...

Never mind, I found out that Flash was disabled so I typed about:plugins and found Flash on the list and re-activated it again.

6:54 AM, April 22, 2015  
Blogger steefie said...

+1 for the old "click to play"-option to activate external plugins. The left-click was much more natural than ctrl-click and a dropdown, where I need to choose whether I want to hide or run this plugin.

9:02 AM, April 22, 2015  
Blogger Sicambria said...

Google Chrome 42 fails to start:
Check failed: NamespaceUtils::WriteToIdMapFile("/proc/self/gid_map", gid_)

https://code.google.com/p/chromium/issues/detail?id=480017

1:13 AM, April 23, 2015  
Blogger Kelly Calton said...

My code for my photo galleries isn't working on Chrome.

6:32 PM, April 23, 2015  
Blogger Sebastiene said...

Honest question: How is anyone supposed to watch videos using Chrome 42?

I can understand you choosing not to support a particular kind of code, but where does that leave the average user when they go to YouTube, Vimeo, etc.?

There are helpful strangers trying to explain what to enable/disable and whatnot, but doing that causes other hang-ups and problems in the browser.

Why release a new version of Chrome that can't play videos for the average user?

8:07 AM, April 24, 2015  
Blogger Eric Ahnell said...

@Sebastienne I don't understand why you say that watching online videos doesn't work for the average user of Chrome 42. If you're referring to the jitter issue with Pepper Flash, I have never seen it before. I'm sure I am not the only one. Furthermore, Flash use on the web is declining, replaced by HTML 5, which Chrome supports very well. Please share your video player problems in more detail; someone will be better able to help you out.

8:53 AM, April 24, 2015  
Blogger Quê Hương said...

Does anyone have a problem with espn.go.com after updating to the latest Chrome Version 42.0.2311.90 m? I can get into ESPN but can't click anything on the ESPN screen.

10:41 AM, April 25, 2015  
Blogger Michael Heaton said...

I'm noticing I'm having really bad HTML5 performance. Enabling and disabling hardware acceleration does not seem to help whatsoever.

8:39 AM, April 28, 2015  
