Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Releases Chrome 6, Pays $4337 In Bounties

Posted by timothy on from the working-in-the-background dept.

Trailrunner7 writes "Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team." (Read on for more, below.) Also on the Chrome front, morsch writes "Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet to securely store saved browser passwords. Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text. On Windows, Chrome has always used a platform-specific crypto API call for encrypted storage. The corresponding Linux function was never implemented — until now. Unstable versions of Chrome 7 still disable the feature by default; it can be enabled using a parameter."

14 of 177 comments (clear)

  1. Re:Where's the love for the Mac passwords? by Netshroud · · Score: 4, Informative

    Chrome already uses the Keyring... at least it does for me.

  2. Re:Version bloat by rezonat0r · · Score: 4, Informative

    I'm guessing you missed their highly re-reported blog post regarding the new release schedule.

  3. Re:Print Preview? by Anonymous Coward · · Score: 5, Informative

    no, no and yes

  4. Re:$4,337 from a multi-billion dollar company? by LingNoi · · Score: 4, Informative

    Since you're not going to RTFA or even the summary i'll repost it here..

    includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team.

    The new release of Chrome also fixes an older bug, a Windows kernel flaw, that Google had thought it fixed in a previous version.The highest bug bounty, $1337, was paid for an integer error in WebSockets found by Keith Campbell. A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team.

  5. Re:$4,337 from a multi-billion dollar company? by blai · · Score: 2, Informative

    tl;dr

    --
    In soviet Russia, God creates you!
  6. Re:Wheel of Bug Chasers! by Tubal-Cain · · Score: 3, Informative

    Mozilla also pays bug bounties.

  7. Re:Version bloat by Tubal-Cain · · Score: 2, Informative

    Firefox is older than Safari (OK, so it was Phoenix at the time...) and is only at 3.x or 4.0 (beta)

  8. Re:Wheel of Bug Chasers! by Bill,+Shooter+of+Bul · · Score: 1, Informative

    We've never paid based on the actual value of services. In a free economy, prices should be set by the supply and demand. Even if the demand for a service is great, the price may stil be incredibly low due to high supply. Like water. Can't quite live with out it. What kind of value does that bring to you? More or less than a huge flat screen tv. Less?? But isn't water more valuable to you??!!!

    Explaining the economics of game shows, is a bit too much for me at this hour. Safe to say, they contestants aren't paid a bunch because they are rare. Its not a free market.

    And I'll just end by pointing out you presenting a false choice. Most people would decide to pay many regular workers significantly more, rather than pay a few game show contestants more. Its not their choice, and its not anyone's choice.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  9. WTF, these passwords are stored in the clear by Anonymous Coward · · Score: 1, Informative

    I've just confirmed the above, and it's the same on other Linux distros, not only on Ubuntu.

    I hope this is some dreadful oversight! An application of Chrome's stature cannot be storing passwords in the clear by design, surely ...

  10. Video on the other hand... by Anonymous Coward · · Score: 2, Informative

    > Do Flash videos play the audio correctly?
    Yes. The video on the other hand, as in all browsers, is a different story. We're still waiting for the fix from Adobe. In the meantime, you can use the following user script:
    ----(start of file)----
    // ==UserScript==
    // @name YouTubeWMP
    // @version 1.0
    // @description Replaces Flash player with WMP in YouTube.
    // @run-at document-start
    // @include http://www.youtube.com/*
    // ==/UserScript==

    flp=document.getElementById("movie_player");
    flp.outerHTML = "<EMBED type='application/x-mplayer2' width='" + flp.width + "' height='" + flp.height + "' src='" + unescape(flp.getAttribute("flashvars").match(/&fmt_url_map=[^&]*%7C([^&]*)/)[1]) + "' autostart='true' autosize='-1'></EMBED>";
    ----(end of file)----
    This script is for YouTube, you can make similar ones for other sites easily. Just use the resources panel in the developer tools to figure out where to get the link to the flv stream.

  11. Re:Print Preview? by dakameleon · · Score: 2, Informative

    I think the behaviour being asked for above is the "open with" behaviour common on other browsers, where the file is download to a temporary folder (e.g. $WINUSER$\Local Settings\Temp for Windows) for use by an application selected right from the download dialog. The temp folder can be cleaned up by the browser at a random date in future, or more often than not just sits there until someone decides to clean it out.

    This just means the file is out-of-sight out-of-mind for a one-time-use scenario and the user doesn't need to concern themselves with file management post-use.

    (Some might say this goes hand-in-hand with private browsing modes. You wait til you're cleaning out a Temp folder for a friend of a friend and notice the number of 30 second video clips...)

    --
    Man who leaps off cliff jumps to conclusion.
  12. Re:Linux Logins by Zixaphir · · Score: 2, Informative

    wtf is /home/username? In my days, we communicated home as "~/". You can read it as tilde slash or even tilde slash dot, but it doesn't matter. ~ sweet ~.

    --
    "Now I am become Death, the destroyer of worlds"
  13. Re:Yep. My practices are justified. by selven · · Score: 2, Informative

    Some kind of encryption as obfuscation, DRM-style, is still better than just plain text. One of the tricks used by people who steal hard drives is to try every possible chain of subsequent bits as a password. It's only at most a few trillion tries (less than brute-forcing an 8-char alphanumeric password, and quite feasible with a botnet or a few days of time), and often as few as a few billion, but it gets passwords right quite often. Encryption would defeat this attack.

  14. And it's ACID3 compliant! by VincenzoRomano · · Score: 3, Informative

    At least the Linux version for x86_64.
    Try it

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]