Tuesday, March 8, 2011

Chrome Stable Release

The Google Chrome team is excited to announce the arrival of Chrome 10.0.648.127 to the Stable Channel for Windows, Mac, Linux, and Chrome Frame.  Chrome 10 contains some really great improvements including:
  • New version of V8 - Crankshaft - which greatly improves JavaScript performance
  • New settings pages that open in a tab, rather than a dialog box
  • Improved security with malware reporting and disabling outdated plugins by default
  • Sandboxed Adobe Flash on Windows
  • Password sync as part of Chrome Sync now enabled by default
  • GPU Accelerated Video
  • Background WebApps
  • webNavigation extension API (experimental but ready for testing)

Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

As can be seen, a few lower-severity issues were rewarded on account of being particularly interesting or clever. And some rewards were issued at the $1500 and $2000 level, reflecting bug reports where the reporter also worked with Chromium developers to provide an accepted patch.
  • [42574] [42765] Low Possible to navigate or close the top location in a sandboxed frame. Credit to sirdarckcat of the Google Security Team.
  • [Linux only] [49747] Low Work around an X server bug and crash with long messages. Credit to Louis Lang.
  • [Linux only] [66962] Low Possible browser crash with parallel print()s. Credit to Aki Helin of OUSPG.
  • [$1337] [69187] Medium Cross-origin error message leak. Credit to Daniel Divricean.
  • [$500] [69628] High Memory corruption with counter nodes. Credit to Martin Barbella.
  • [$1000] [70027] High Stale node in box layout. Credit to Martin Barbella.
  • [$500] [70336] Medium Cross-origin error message leak with workers. Credit to Daniel Divricean.
  • [$1000] [70442] High Use after free with DOM URL handling. Credit to Sergey Glazunov.
  • [Linux only] [70779] Medium Out of bounds read handling unicode ranges. Credit to miaubiz.
  • [$1337] [70877] High Same origin policy bypass in v8. Credit to Daniel Divricean.
  • [70885] [71167] Low Pop-up blocker bypasses. Credit to Chamal de Silva.
  • [$1000] [71763] High Use-after-free in document script lifetime handling. Credit to miaubiz.
  • [71788] High Out-of-bounds write in the OGG container. Credit to Google Chrome Security Team (SkyLined); plus subsequent independent discovery by David Weston of Microsoft and MSVR.
  • [$1000] [72028] High Stale pointer in table painting. Credit to Martin Barbella.
  • [73026] High Use of corrupt out-of-bounds structure in video code. Credit to Tavis Ormandy of the Google Security Team.
  • [$1000] [73066] High Crash with the DataView object. Credit to Sergey Glazunov.
  • [$1000] [73134] High Bad cast in text rendering. Credit to miaubiz.
  • [$2000] [73196] High Stale pointer in WebKit context code. Credit to Sergey Glazunov.
  • [73716] Low Leak of heap address in XSLT. Credit to Google Chrome Security Team (Chris Evans).
  • [$1500] [73746] High Stale pointer with SVG cursors. Credit to Sergey Glazunov.
  • [$1000] [74030] High DOM tree corruption with attribute handling. Credit to Sergey Glazunov.
  • [$1000] [74662] High Corruption via re-entrancy of RegExp code. Credit to Christian Holler.
  • [$1000] [74675] High Invalid memory access in v8. Credit to Christian Holler.
We would also like to thank Ben Hawkes of the Google Security Team, Sergey Glazunov, Martin Barbella and “temp01irc” for working with us during the development cycle and helping prevent bugs from ever reaching the stable channel.

Last, but not least, we’d like to offer special thanks (plus additional rewards to those listed above) to Christian Holler. This is for working with us on his grammar-based fuzzing project, resulting in a more stable and secure “Crankshaft” engine for v8.

More on what's new at the Official Chrome Blog.  You can find full details about the changes that are in Chrome 10 in the SVN revision log. If you find new issues, please let us know by filing a bug. Want to change to another Chrome release channel? Find out how.

Jason Kersey
Google Chrome

50 comments:

Shimon said...

HAHAHA!
One day before pwn2own!
Poor hackers will have a hard time.

Good luck Google Chrome!

simonbrown said...

What happened to click-to-run?

The MAZZTer said...

@simonbrown You'll need to open about:flags and enable it; and then in Options you can select Click to play as the default option for plugins.

Charles said...

just updated ubuntu 10.04.1 to use Chrome 10.0.648.127
no setting for choosing 'sync passwords' is available.

Antonio Ooi said...

The damn bookmark manager still not working in this 10.x!!! T_T

ragnarok said...

I can live with the new tab page, but please make "clear browsing data" separate.

Every time I press CTRL+SHIFT+DEL it opens a new tab.
This is seriously annoying.
I clear my browsing data after each use of chrome, sometimes just to log out of websites.

jasonvaritekfan said...

Now the stable version of Chrome doesn't work on Fancast! I'm running the Chrome beta channel on my desktop and the stable channel on my netbook and now neither version will work on Fancast.com, when before it was only the beta channel that did not work.

Fancast.com on Chrome keeps looping while it tries to get authorization.

Please look at this bug report: http://code.google.com/p/chromium/issues/detail?id=75117 (I did not file it, but I'm seeing the same thing on both my machines,)

Fancast.com on IE9 RC works.

shaitnich said...

>> Password sync as part of Chrome Sync now enabled by default

This is not true at least for Ubuntu 11.04 Alpha3 and --enable-sync-passwords option just crashes browser if you apply sync changes.

Jack (Phred_13) said...

Please remember to label your release posts. This blog is very useful but I only ever check it via
http://googlechromereleases.blogspot.com/search/label/Stable%20updates (and the Beta label)

Lali said...

Flash player bug rundll32.exe :(

jb510 said...

Seems Color Management is broken on Mac for Beta and Dev Channel, still working in Chrome 8 though.

Of course it could just be me since I did a system migration last night, but again seems broken...

bt said...

Dev channel update imminent?

Noah Vendrick said...

please bring back middle click on the apps on the new tab page. it worked in the last release and now it doesn't.

David Knowles said...

You evil people. You really did not want to lose that 20k.

I got a feeling a lot of hackers are going to spend an all-nighter trying to hack. The motto of yours is sounding less and less convincing as the days go :)

MK said...

Huh, that release cycle felt much quicker than Chrome 9's. (Or rather, Chrome 9's felt extra-long, possibly due to the holiday season.) Looking forward to the 11 beta! :)

Graeme said...

@David Knowles: "You evil people. The motto of yours is sounding less and less convincing as the days go."

So Google is evil because they fixed a bunch of security issues in their own product? Yeah, that makes sense. Cause it would have been "good" to leave them for hackers to expose.

Stephen Sanders said...

I like the new Options it looks nice

Okus Narance said...

Still no smooth scrolling. :( Jerky scrolling is hurting my eyes, try Opera to see difference.

Marcelo said...

Pwn2own coming soon!!!

Good luck, Chrome!

In Chrome we Trust!

Good job, security team!

Sergey Glazunov, you are the man!

Michael Altman said...

Not sure if this is related to the release, but I'm working on a site that takes advantage of HTML5 geolocation service. When using Google Chrome to look at the HTML page on my hard drive, it says that "The following site has been blocked..." when clicking on the geolocation icon. However, when going into the preferences, I've cleared my exceptions as well as tried the option to allow all websites to use my location. I've also tried to remove Google Chrome and reinstall, but nothing has worked.

Using Mac OS X 10.6.6 with the latest version of Chrome. Thanks for any help.

anonymous-lion said...

RE: ragnarok said...

I can live with the new tab page, but please make "clear browsing data" separate.

Every time I press CTRL+SHIFT+DEL it opens a new tab.
This is seriously annoying.
I clear my browsing data after each use of chrome, sometimes just to log out of websites.

Please bring back the old "clear browsing data" dialog box. For actual 'preferences' a new tab is okay, but I frequently, manually clear my browsing data and much prefer the popup dialog that is visually distinct from the browser and that closes when I pressed the clear button.

VeeTee said...

fail one:
native touch panning still doesn't work. Why Google bothers with Android for tablets, if every major browser already supports panning, but Google can't make its own browser touch friendly? ('would expect it as kinda priority if one wants to demonstrate it is capable of doing touch base platform)

fail two:
I came across this during Verne doodle day - Google makes doodle that worked fine with accelerometer in Firefox, but it didn't work in Chrome (not on thinkpad) - it's mind bottling why bother developing doodle which shows Chrome as inferior browser (at least to Firefox).

gonder said...

Chrome couldn't update 9 to 10 because of the standard user account. i had to change account standard to administrator to install 10th version. I hope you will fix this problem...

zierka said...

password sync is not default. anyway, great release!

Timo said...

While Ctrl-H opens the history and Ctrl-J opens the downloads, Ctrl-B is still without function. I hope, this will be fixed soon...

Jarrad said...

This release seems to have borked the use of inset borders and border radius. Previously it worked fine, but now the inset border isn't clipped with the radius, it extrudes outwards.

Fausto said...

Hardware accelerated? Here IE9 and Firefox does 60fps on IE Fish Tank test and Chrome does 20fps.

Fabio said...

In Google Chrome 10 I can view Flash 1080p YouTube videos smoothly. When I was using Chrome 9 (same hardware, Google's integrated Adobe Flash 10.2 and Windows) a lot of frames dropped. I would like to know if the Google Chrome Sandboxed Adobe Flash on Windows accomplish Flash velocity too. Thank You.

John C Kendall said...

I'm constantly getting a warning that flash is out of date. This never happened before...

mlb said...

So when might Chrome for Mac/Linux get the flash sandboxing feature?

SLYPHNIER said...

where the default setting reset button ?
i need it sometimes
hope it will return soon

c0rrupt said...

Password sync as part of Chrome Sync now enabled by default.

This pass sync is not working on Linux and its rly bad for me.

said...

japanese input once again broken in this release... i tried change font setting but not working...

last time disabling gcswf32.dll (in about:plugins shockwave flash) fix the issue for temporary... but no work for now

c0rrupt said...

password synchronization not working on Ubuntu 10.10 64bit and its not set by default.

Blewby said...

Chrome Stable 10 seems quite a bit snappier. Thanks for all the fixes and good work!

fastharry™ said...

I just checked and I have the new version...but after some fiddling around and trying to locate password sync, it was not checked by default...

Bisnismu said...

Great!!!...More safety..Thanks Google :)

System said...

Anyone else having issues in Citrix using this new version? Once the new version auto-installed, all of the users in Citrix are getting the error:

The following plug-in has crashed: Shockwave Flash

Looks like Google's "Stable" update took down a whole company. All our users have to move over to Firefox.

Adrián J. said...

When will be HTML5 Video available in Full Screen like Safari? And when are we gonna see a 64 Bit version for Mac & Windows?

Crabbie said...

"Clear Browsing Data" on a new page is really really frustrating and is going against your claimed speed efficiency.

Chrome is supposed to improve user's web browsing experience, and by making us click the X button or CTRL+W for closing the extra opened tab for clearing browsing history isn't really helping you improve the speed.

Very disappointed with Google.

Caspar said...

Since updated from 9.x to 10.x there is a scrolling-problem: while loading background-tabs, scrolling of the foreground-tab doesn't work correctly, till all background tabs are loaded completely. How can such a bug be overseen in the betas?

Marcelo de Souza said...

The update caused me a big trouble. I have a form that opens with absolute position in front of a video element. Now I can't type anything in the form fields. The cursor freezes, and only when I change the field focus to another field, the typed words appears. I also got problems with links, the link:hover css rule stopped working. Anyone has some idea? Google will do a new update on Chrome fixing these bugs?

Philip said...

I have the same problems like Caspar (scrolling doesn't work correctly while loading background-tabs). Such a big bug shouldn't be in a stable release. (In a 0.x-version okay, but not in 10.x.) Isn't there any end-control?

Philip said...

PS: The scrolling bug is such a big issue in usability and so much annoying, that it should get fixed with highest priority! And the end-control for stable releases should be much better. Such a big issue should not appear in a stable version for end-users.

theworldgrowsold said...

The newest release completely destroyed Fancast. It won't load any of their videos that run directly from their site. If it is a hulu vid embedded it is no problem, but any of the premium shows like Dexter or Shameless can't play. This needs to be fixed ASAP.

Simon Souyris Strumse said...

Also on Ubuntu 64-bit - no password sync option on default setup. What went wrong?

peter said...

CTRL+ALT+DELETE == annnnnoying!
Who thought of this change?!

Please change this in a way to simplify deleting cache. When developing and debugging webapps this is really not productive.

Ken said...

Just noticed with v 10.0.648.133 that Facebook integration buttons from Third-Party websites do not work. Specifically, Dailymile.com

Also, The "facebook" / "Friend Request" / "Messages" / "Notifications" buttons are not visible once logged into Facebook.com

Extremely odd - these features work in the "Incognito Mode"

Zappo Zampani said...

Could you get rid of the tabbed settings. The old window was way better organized than this nonsense. If i could i would downgrade to Chrome 9. Because this seems more like a bug to me!