Tuesday, April 20, 2010

Stable Update: Security Fixes

Google Chrome 4.1.249.1059 has been released to the Stable channel on Windows.

This release fixes the following security issues:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
  • [$500] [39443High Type confusion error with forms. Credit: kuzzcc.
  • [39698High HTTP request error leading to possible XSRF. Credit: Meder Kydyraliev, Google Security Team
  • [40136Medium Local file reference through developer tools. Credit: Robert Swiecki, Google Security Team; Tavis Ormandy, Google Security Team.
  • [40137Medium Cross-site scripting in chrome://net-internals. Credit: Robert Swiecki, Google Security Team; Tavis Ormandy, Google Security Team.
  • [40138High Cross-site scripting in chrome://downloads. Credit: Robert Swiecki, Google Security Team; Tavis Ormandy, Google Security Team.
  • [40575Medium Pages might load with privileges of the New Tab page.
  • [$500] [40635High Memory corruption in V8 bindings. Credit: kuzzcc; Google Chrome Security Team (SkyLined); Michal Zalewski, Google Security Team.

If you find issues, please let us know: http://code.google.com/p/chromium/issues/entry

--Mark Larson, Google Chrome Team

31 comments:

Manish said...

Lately lot of security fixes in Chrome :(

MrNerd said...

is there a beta release today?

LZSaver said...

Hmmm...

joesixgig said...

Robert Swiecki for president. Keep up the good work! (and the other developers, please drink more coffee)

Chris said...

@joesixgig: +1, I'm voting for Robert :) @Manish: well we could always leave them unfixed if you prefer :P More seriously, the good news is that many of them are being found by internal audits, and it remains very rare for Chromium to take a "Critical" bug. Also note that the Chromium Security Reward program is going very well and resulting in a slight increase in vulnerability load.

erdemaytekin said...

Where we can find the download link

Dogan said...

Are these fixes included in dev release?

Manish said...

@Chris: I did not mean that :(. I really like the security model of Chrome, just that I was wishing for a release which has more new features (like bug 19, 266)..

Gianni said...

Google Wave does not work with this release, no one else has the same problem?

Mircea C. said...

Same old "Error 3: Update server unavailable" when checking the version. Thx.

erdemaytekin said...

Where we can find the download link???

Rajesh Shenoy said...

Sorry for the slightly off-track question: When is a stable build for Linux expected? Why is it taking so long?

Mike and Mary Jones said...

Google Wave doesn't seem to be working...

Jug said...

Rajesh: The first stable version for Linux and Mac is supposed to be Google Chrome 5, but there's a number of features planned for that release, so Linux users will still have to wait a while longer.

According to the Chromium Development Calendar (at http://www.chromium.org/developers/calendar ), the stable release date is yet to be decided upon.

But that Chromium is apparently going code complete on April 30, is a good sign. :) As a non-Googler guess from me, I'd say it may go stable sometime this summer? Maybe June? *shrug* But the Betas have pretty good quality these days too.

Rajesh Shenoy said...

@Jug: Thank you very much for the very patient explanation! :)
@Mike and Mary Jones: Google Wave is not working for me too.

Li, Quanjia said...

history management is really bad. not easy to del management

nimo said...

This release experience with javascript performance degradation (Sunspider benchmark 40%)

napoleon said...

Chrome does not want to update to version 4.1.249.1059. Currently in version 4.1.249.1045, he said he is up to date?!

nhnl said...

From omahaproxy.appspot.com:
> win,stable,4.1.249.1045,4.1.249.1059
The order should be reversed.
Currently I can't update to 4.1.249.1059 from 249.1045.

thinkNsidedabunNOToutsidedabox said...

crashing on me like a mofokuku! It's like open a Google Chrome instance, surf opening a few tabs, then what: has CRASHED! do u want to restart? Start again, only to crash again--LIKE PRACTICALLY RIGHT AWAY AS I *JUST* REstarted IT--LIKE, WHAT, 15 seconds ago (YES, SECONDS, PEOPLE--NOT EXAGGERATING TOO MUCH, AT ALL)!!! WTF? YES, *THAT* FREQUENT!!!!!!! I think I'm giving up Google Chrome! THIS IS NONSENSE B.S.!! GOOGLE, I think u r rushing (to dominance) so dropping ball on QC!!

using 4.1.249.1059 released 042010 T! And STABLE version too! THIS HAPPENING FOR U GUYS TOO??????????????????

WTF, GOOGLE, U SUX!

Rajesh Shenoy said...

Google Wave is working for me today in this release. I guess it was an error in Wave, that has been fixed now.

@thinkNsidedabunNOToutsidedabox: I have not had any crashes. And I usually have 8-15 tabs open simultaneously.

fromq8 said...

i have crash
i got crash in google chrpme
More than any other browser

WHY ???

rade.ON! said...

oh gosh! thanks about the bookmarks bar shortcut..

now it's on track! ;)
keep up the good work..

Bunniemagyk said...

Downloaded latest version to try to correct issue but Kapersky still finds the vulnerability in Chrome and also something in Java which I have also updated. What else can I do?

Matthias said...

My Windows 7 updated, but my XP laptop stays at 1045 and reports to by uptodate. What might be my problem?

showpanmohsin said...

Its very interesting and very informative and i really like your approach.

Alexey said...

I found this bug after upgrading to this version. On some sites, clicking the middle mouse button leads to the discovery of links, rather than a new tab on this link.

Heinrich said...

I can't get this version.
Chrome says : 4.1.249.1045 is uptodate.

Mike N said...

I concur, my Google Chrome will still not update to the latest Stable version despite it being one week old. I'm running Vista.

Manish said...

@Chris- Its already more than 10 days that 4.1.249.1059 was released, but the bugs are still marked private. Any idea, by when they will be made public? I would assume that by now the latest update must be pushed to majority of users... Is that not the case?

Matthias said...

my Chrome on XP jumped up directly to 1064 without 1059