Tuesday, July 21, 2015

Stable Channel Update

The Chrome team is delighted to announce the promotion of Chrome 44 to the stable channel for Windows, Mac and Linux. Chrome 44.0.2403.89 contains a number of fixes and improvements, including:
  • A number of new apps/extension APIs
  • Lots of under the hood changes for stability and performance
A list of changes is available in the log.  Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 44.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 43 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$3000][446032] High CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
[$3000][459215] High CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
[$TBD][461858] High CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to  andrewm.bpi.
[$7500][462843] High CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte) of Baidu X-Team.
[$TBD][472614] High CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
[$5500][483981] High CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
[$5000][486947] High CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
[$1000][487155] High CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
[$TBD][487928] High CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
[$TBD][492052] High CVE-2015-1283: Heap-buffer-overflow in expat. Credit to sidhpurwala.huzaifa.
[$2000][493243] High CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen of OUSPG.
[$7500][504011] High CVE-2015-1286: UXSS in blink. Credit to anonymous.
[$TBD][505374] High CVE-2015-1290: Memory corruption in V8. Credit to Yongjun Liu of NSFOCUS Security Team.
[$1337][419383] Medium CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
[$1000][444573] Medium CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen of OUSPG.
[$500][451456] Medium CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva.
[479743] Medium CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
[$500][482380] Medium CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
[$1337][498982] Medium CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
[$500][479162] Low CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to mike@michaelruddy.com.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [512110] CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives.

Many of the above bugs were detected using AddressSanitizer or MemorySanitizer.

Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Penny MacNeil
Google Chrome

Labels:

59 Comments:

Blogger Alen said...

Good Update!

11:20 AM, July 21, 2015  
Blogger Eric Ahnell said...

Took me two tries, but I was right regarding the timing of Chrome 44. This implies Chrome 45 landing in September (8th / 6 weeks or 15th / 7 weeks), with NPAPI support fully switched off.

Another interesting note: Chrome 44, at least on Windows, has a new circle style in the "About Chrome" page where it checks for updates.

11:51 AM, July 21, 2015  
Blogger MattAndroid said...

"Material design" spinning circle when a page loads :D

1:12 PM, July 21, 2015  
Blogger Flamboyant said...

Disabling chrome://flags/#enable-new-profile-management does no longer work, resulting in an obnoxious box in the upper right corner next to the window controls (PC).

Much preferred the old avatars in the upper left corner for faster identification and switching (pictures > words). Now I want this box gone, completely. Does anyone know how to?

2:28 PM, July 21, 2015  
Blogger Gordon Hawley said...

@Flamboyant

You just need to right click on the Chrome shortcut > "Properties" > "Shortcut" then add --disable-new-avatar-menu to the right of the "Target" attribute. In my case it became "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-new-avatar-menu

3:23 PM, July 21, 2015  
Blogger Duncan McLellan said...

Maybe others can confirm too, but it looks like Chrome 44 no longer obeys Google Update Policy Configuration and defaults to allowing manual updates, and I assume automatic updates too https://crbug.com/512627

5:11 PM, July 21, 2015  
Blogger Matheus Gadelha said...

@Flamboyant

Right click on the box to show all users.

6:29 PM, July 21, 2015  
Blogger Dare said...

Is there a way to get back the old search bar/address bar back? I find the new drop down list visually unappealing where the highlight just floats in the middle like that away from the sides.

8:49 PM, July 21, 2015  
Blogger Terry Joyce said...

I can get my avatars back in OS X by running this from a terminal window:
open -a "Google Chrome.app" --args -disable-new-avatar-menu

... but I don't understand why they keep making it harder for me to hang on to my cat and ninja. These avatars are far quicker visual queues of what account is open in a window than the text box.

9:24 PM, July 21, 2015  
Blogger alkoro said...

I have Enterprise Chrome on small business network with Acrive Directory, where using Domain Policy. Our Domain Policy deny Chrome update (Worksations updates by another path).
Previous version of Chrome (43.0.2357.134) works fine and shows Menu-About "Updates are disabled by administrator". A new version show Error 3: 0x80040154 -- system level... (Updates banned on a proxy)
Is it a bug or a feature?

12:11 AM, July 22, 2015  
Blogger Flamboyant said...

@Gordon Hawley, Terry Joyce
Thank you, that did the trick! Seems the flag is gone from the chrome://flags UI.

@Matheus Gadelha
That work-around doesn't solve the problem of fast identification.

1:46 AM, July 22, 2015  
Blogger TSX Bzness said...

Where is Create shortcuts for apps and websites feature?? :O

On the browser toolbar, click the Chrome menu Chrome menu . Select Tools. Select Create application shortcuts. DISAPPEAR??? :/

4:07 AM, July 22, 2015  
Blogger Gollum said...

Please bring back the option to use old avatar menu without command line arguments!!! Stop taking away features people like to use!

5:32 AM, July 22, 2015  
Blogger Rick Carter said...

Another +1 for honoring the chrome:/flags values: Enable new profile management system: Disabled and/or Enable Google profile name and icon. I have both of those set to get back the old/better/more visual avatars, and the new version disables it.

5:48 AM, July 22, 2015  
Blogger Unknown said...

@TSX Bzness

Looks like they changed it a bit.

Go to "Chrome Menu Icon > More Tools > Add to Taskbar". This will obviously pin the page to your taskbar, but it will also add it to Chrome's apps page (found by right-clicking the bookmarks bar and selecting "Show apps shortcut", or entering "chrome://apps" into the URL bar). You will be given the option to "Open as Window". If you check that option, it will open it in a standalone window without the URL bar at the top; like it did with the old "Create Application Shortcut" feature. From the apps page, find your app icon and right-click it & choose "Create Shortcuts" if you wish, you may unpin the app from your taskbar, but if yo remove it from Chrome's Apps page, it will delete the shortcut as well.

If you'd really prefer to have it the old way, you can create an application shortcut manually by doing the following:

-Right-click on the desktop and go to "New > Shortcut".
-In the section that says: "Type the location of the item", add the location of your Chrome.exe with quotes ("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe") and then at the end of that, add a SPACE and then the following without parentheses (--app=YOUR URL HERE)


As an example, this is what it would look like if you wanted to create an application shortcut for this page-


"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --app=http://googlechromereleases.blogspot.com/2015/07/stable-channel-update_21.html

Then name your shortcut and place it where you wish.

6:38 AM, July 22, 2015  
Blogger DavidGB said...

I suppose this is the last version of Chrome with NPAPI, and therefore Silverlight support; so it'll have to be my last use of Chrome too.

In all the browsing I do, only three websites throw up the warning that Silverlight is used so support for that site will be ending in Chrome. The problem is the three sites those are.

1 My bank - one of the four main banks here in the UK.
2 Sky - the biggest subscription entertainment service here in the UK. I can't have a satellite dish on my house, so the only way I can get many of my favourite TV shows is internet streaming from Sky, and they use Silverlight and have stated they will NOT be changing, Chrome users should just change browser.
2 Paypal.

The three most important internet websites for me, all use Silverlight, all have said they are not changing, all will be unusable in Chrome.

So I must pick a new browser and dump Chrome at the next update. Thanks a bunch, Google, for your arrogant practice of presuming everyone else on the web - including large, important companies - will jump to your tune. They're not.

6:57 AM, July 22, 2015  
Blogger Eric Ahnell said...

@DavidGB I have not seen any usage of Silverlight on PayPal, so I'm not sure what problems you are having. I'm curious, though.

7:04 AM, July 22, 2015  
Blogger DERICK DENMAN said...

NPAPI plug-ins stopped working on version 42 and higher , according to Chrome help pages. So if the web sites you mention are working now , they will carry on working .

9:02 AM, July 22, 2015  
Blogger Laurent Malvert said...

@DavidGB: Not sure Google deserves the blame for that and for Silverlight in particular though. Disabling NPAPI, while frustrating for some sites, is a good thing on the long term.
And Silverlight will die, so any public-facing site relying on these tech will be forced to update, hopefully sooner rather than later.

I've had the same problem as you on my Chromebook for some time with Orange TV: their web version uses Silverlight, which obviously doesn't work on a Chromebook. And nowadays, using any funky plugin tech to stream videos is just asking for troubles. We finally have decent web standards to support decent audio and video, so you should be able to have nitfy features using plugins AND base features using the a default implementation. Hopefully your bank, Sky, Orange and others will see the light soon. In the meantime, I for one will keep using Chrome and stop using THEIR services...

9:42 AM, July 22, 2015  
Blogger Michael Gamble said...

Just installed latest Chrome Version 44.0.2403.89 m and now my once accessible websites are tryign to load https:// scripts and stylesheets that are not served on SSL. ANy thoughts my friends?

http://demo.myfoodpress.com is a normal http:// site, but getting https:// errors after update.

Regards,
Michael

10:54 AM, July 22, 2015  
Blogger cmcapellan said...

Can you make a Blogger tag for "Browser" to go with the blog tag "Chrome OS"?

We are trying to keep up only on Stable updates for the Browser (not Chrome OS) and we want to try to scrape the RSS feed.

Or is there a better way we should be doing this? Thanks

12:43 PM, July 22, 2015  
Blogger thelostsonofmrdarcy said...

Seems like new version doesn't work with max-width attribute in procents, only px. I notice this after today update

2:08 PM, July 22, 2015  
Blogger Romário Oliveira said...

@TSX Bzness: Chrome menu > More tools > Add to desktop... not works to you?

3:28 PM, July 22, 2015  
Blogger David Friedman said...

@Flamboyant, Gordon Hawley

--disable-new-avatar-menu worked for me, but it took me a while to figure out that I needed to also close Google Chrome by going to the lower right hand corner as it was running in the background.

4:04 PM, July 22, 2015  
Blogger Marijn Kortstra said...

@Michael Gamble, we're having the exact same problem. Running several WordPress websites that are now redirecting (some scripts) to https. Very strange habit, can't find the cause. Does anyone know where this is comming from and/or what we can do to fix this?

5:21 PM, July 22, 2015  
Blogger Marijn Kortstra said...

@Michael Gamble and others that are experiencing this issue, apperantly this is a beta-bug that hasn't been fixed: https://spunmonkey.design/chrome-beta-44-causing-problems-with-httpsssl/.

5:23 PM, July 22, 2015  
Blogger ramonkarlos said...

This comment has been removed by the author.

5:39 PM, July 22, 2015  
Blogger Jason Mickelson said...

This update completely breaks Chrome.
Adios Chrome.

7:48 PM, July 22, 2015  
Blogger Tai_ said...

Thank you very much, @Gordon Hawley! The --disable-new-avatar-menu worked beautifully. No idea why Google keeps taking away the icon...

9:22 PM, July 22, 2015  
Blogger Chrishe Bolze said...

Currently the HTTP protocol is not transferred correctly. In some cases, I get an 500 Internal Server Error. However, the sites works fine in other browsers.

1:33 AM, July 23, 2015  
Blogger Dennis Fischer said...

I'm having the same problem as Chrishe Bolze, our production site is unaccessible with this version of Chrome because of it.
Is there a workaround for this, or will there be a quick update to fix this problem?

3:00 AM, July 23, 2015  
Blogger Woohee Lee said...

This comment has been removed by the author.

8:03 AM, July 23, 2015  
Blogger Dmitry Abramitov said...

Just installed latest Chrome Version 44.0.2403.89 m and now my once accessible websites are trying to load https:// scripts and stylesheets that are not served on SSL.

I have the same problem
Please fix this

8:18 AM, July 23, 2015  
Blogger Kim Christensen said...

I have same issues with alot of my customers websites, that they have HTTPS error (wordpress / woocommerce), and they think website is hacked, or I have made error, or our server is causing troubles.

It's one of the worst google chrome updates I have ever seen, and don't understand how something like this can happend..

Glad that there is alternatives, and inform my customers to change browser for unknown time..

Fix this issues fast please..

9:00 AM, July 23, 2015  
Blogger Paryeshakaya said...

Same issues with scripts and CSS files, Chrome attempts to load via HTTPS.

Our Wordpress/Woocommerce site stopped working with Chrome 44.x.

Very embarrassing!

Please fix this ASAP.

9:44 AM, July 23, 2015  
Blogger Thomas Hudspith-Tatham said...

Why is the avatar menu being repeatedly blocked by these ugly account names in a grey button?

The avatars are so much better for account switching as it's very easy to not realise which account you're on with simple text that all looks the same!

On OSX it feels like a very looong winded solution to make sure the Dock app always opens with the flag: -disable-new-avatar-menu... Why has this option been removed from about//flags? It makes no sense!

+9, please stop removing valuable features!

1:25 PM, July 23, 2015  
Blogger bb said...

RE: New Avatar Menu - looks like it's a bug:

https://code.google.com/p/chromium/issues/detail?id=499205

I also want my avatars back to my menu, not the ugly buttons with the names. Terrible UX to switch in between profiles (I use 4: 2 work, 1 personal, 1 student)!

1:39 PM, July 23, 2015  
Blogger Roz Kelly said...

Same issue with privacy X https on some sites- particularly those with woocommerce. V annoying- I hate using other browsers. please fix google- most of Ireland use you!

3:13 PM, July 23, 2015  
Blogger Paryeshakaya said...

Solution I found for WordPress + Woocommerce: upgrade to the latest Woocommerce plugin (2.3.12+), and it's back to normal.

4:02 PM, July 23, 2015  
Blogger angry of mayfair said...

I would think the vast majority of users of chrome use it on their own PC. So why force that user profile thing on everyone, with no easy way to remove it. I know my own name, I don't need chrome to display it.

I found --disable-new-avatar-menu so I'm now using that - but this thing should be really easy to disable (i.e. in options not hidden as a command line argument or chrome:flags setting).

6:10 PM, July 23, 2015  
Blogger Jen Hanrahan said...

Same issue with a few of my sites forcing https in scripts and stylesheets.

PLEASE FIX ASAP.

6:46 PM, July 23, 2015  
Blogger thelionking said...

Hello,
Everyone who has issue with WordPress/Woocommerce sites breaks down with mixed content issue please set $_SERVER['HTTPS'] = false; in functions.php of theme.

Thanks
Raja | www.wibits.com

12:25 AM, July 24, 2015  
Blogger Pamungkas Bayu said...

This comment has been removed by the author.

1:13 AM, July 24, 2015  
Blogger Unknown said...

Please bring back profile icons!!!!! new profile manager is shit and full of UX bugs

Old way:
1. click icon
2. click profile

New way - improved way by autistic people:
1. click open windows
2. open swichprofile ( 2 or more clicks )
3. resize window ( I have yes 8 profiles)
4. click to profile

FIX FIX FIX!!! and never go to production with shit you have no idea what it is for.

1:41 AM, July 24, 2015  
Blogger plasmax said...

TO ANYBODY EXPERIENCING ISSUES WITH THE SSL (https) + WORDPRESS ISSUE:

Update your Woocommerce plugin to the latest version, it will fix the problem.

2:38 AM, July 24, 2015  
Blogger TSX Bzness said...

Dear @Unknown; @Romário Oliveira,
Thanks a lot =) I like standalone shortcut :3

2:42 AM, July 24, 2015  
Blogger raphaelbm said...

Print is broken (Save to PDF)
When I print a document (save to pdf) the resultant PDF is nor readable by Adobe Reader X. I get error ...(129)

Any ideas? Print seems to be the poor forgotten orphan child of Chrome. First Print to Paper is broken now Print to pdf is broken.
Any ideas about a fix>

3:26 AM, July 24, 2015  
Blogger Roman Losev said...

New tab sometimes crashes... not always but sometimes..

4:52 AM, July 24, 2015  
Blogger Patrick Ruddiman said...

To anyone having issues with loading page resources in HTTPS:

I've noticed that the CGI environment variable "HTTPS" set to on when using https in other browsers. When using chrome after this update https is now set to 1

You should take this into account to fix resources loading incorrectly when they should be loading with https

8:04 AM, July 24, 2015  
Blogger Patrick Ruddiman said...

See this: https://code.google.com/p/chromium/issues/detail?id=513574

8:07 AM, July 24, 2015  
Anonymous Anonymous said...

Are you aware of the "He's Dead Jim" crashing and Chrome App crashes going on with what looks to be certain Intel Haswell CPUs? Mine is 4690k and many others over at https://groups.google.com/a/googleproductforums.com/d/msgid/chrome/0df94b4e-cb6e-46d3-a2a9-b3f36f452df6%40googleproductforums.com are experiencing this issue.

There are other threads there with the same problem all with Haswell CPUs. All started with this update.

8:39 AM, July 25, 2015  
Blogger Unknown said...

chrome just upgraded to "44.0.2403.107 m". How can I remove my name from the top right corner of the browser. It's annoying; i don't need it.

if this won't be fixed, can we roll back to the previous chrome version ? if not, will remove chrome and use FireFox.. thx.

11:19 AM, July 25, 2015  
Blogger shphoenix said...

Google should be ashamed for taking away functions from the chrome:flags. If users want new profile system they keep it - but if theydo not want it the flag is no longer available. WTF! Google is becoming evil! First the stupid npapi drop support and now this. hey google - listen - I DO NOT WANT THE DAMN USER BOX ON RIGHT SIDE OF MY BROWSER. It uses up previous real estate since I routinely have 20 tabs running
Once Chrome drops npapi, I will switch to Opera or firefox

1:56 PM, July 25, 2015  
Blogger Dexter T. said...

Big boo boo. The new profile management flag kicked in and there's no way it honors the flag. I disabled this earlier this year as I prefer icons/avatars (pictures) than words. I costs me several thousand seconds a day of delay and inefficiency when I have to read this profile name, instead of a sub-nanosecond recognition of the avatar.

8:15 AM, July 26, 2015  
Blogger cyberdaux said...

Bring back the Created Shortcut under Tools

Why did you removed the Create Shortcut?
Please bring it back,., :) Thank you

2:22 AM, July 27, 2015  
Blogger soccerdude said...

Has anybody noticed that the ability to auto-open .jnlp files is gone? I can't seem to get that feature to work. I tested it with .jpeg files and it worked fine, but the option is just grayed out with .jnlp's now. I glanced through the flags and didn't see anything in there to turn on.

3:25 PM, July 27, 2015  
Blogger Kris Craig said...

Yes! Super annoying getting the stupid keep or discard warning every single time I click a jnlp file. Come on, why can't I auto open these anymore?

7:03 AM, July 28, 2015  
Blogger Osinho said...

Yes soccerdude! I noticed it too.... Why the fuck I have to confirm that I want to open a .jnlp file??
I want always to open it automatically.

4:25 AM, July 29, 2015  
Blogger JudaZ said...

Latest version of Chrome keep crashing while opening new tabs
https://productforums.google.com/forum/#!topic/chrome/TO8-9P_AQvc

I do hope they plan to fix this soon,

12:49 AM, August 03, 2015  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home