Slashdot Mirror


Google Quashes 13 Chrome Bugs, Adds PDF Viewer

CWmike writes "Google on Thursday patched 13 vulnerabilities in Chrome 8 (stable), and debuted Google's built-in PDF viewer, an alternative to the bug-plagued Adobe Reader plug-in, and included support for the still-not-launched Chrome Web Store. The 13 flaws fixed in Chrome 8.0.552.215 are in a variety of components, including the browser's history, its video indexing and the display of SVG (scalable vector graphics) animations. Next up: Adobe and Google have collaborated to put the Flash Player plug-in inside a sandbox within the dev build of Chrome, an effort by the two companies to better protect users from attacks."

40 of 177 comments

  1. Because I like being on cutting edge... by McNihil · · Score: 4, Informative

    Just tested it with chrome 9.x... the pdf rendering is ridiculously fast.

    1. Re:Because I like being on cutting edge... by larry bagina · · Score: 3, Informative

      Acrobat is slow. Imagine if your computer was unusable for 30 seconds because you accidentally clicked on a pdf link. Acrobat is worse than that.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:Because I like being on cutting edge... by Bill, Shooter of Bul · · Score: 2

      Adobe Reader isn't just slow at loading a pdf, it's slow and crappy searching and browsing the currently loaded pdf. Going from Adobe to Okular was insane. I suddenly went from dreading reading PDF docs, to loving it. Haven't tried it in Chromium yet, but I know how much better PDF viewing can be outside of Adobe. PS the bugs he was referring to are security vulnerabilities, in case you haven't figured that out by reading the 800 other posts talking about the vulnerabilities in Adobe. Now, is Google's auto-magically immune to them ... No idea. Some of the vulnerabilities are somewhat baked into the featureset. You can't support all of the crazy things you can do in PDFs without providing some possibility of some bad PDFs doing dangerous things.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    3. Re:Because I like being on cutting edge... by asserted · · Score: 3, Interesting

      It appears that Chrome is using Foxit library.
      Can't verify it because the codereview link they provide doesn't work anymore.

    4. Re:Because I like being on cutting edge... by Zaiff Urgulbunger · · Score: 2

      So is this closed-source then? If so, then presumably it won't make it into Chromium.

  2. PDF viewer by hether · · Score: 4, Insightful

    "The viewer renders PDF documents as HTML-based pages"

    I hope it does a better job than the PDF viewer built into Google search...

    --

    Most people would die sooner than think; in fact, they do.
    1. Re:PDF viewer by The_mad_linguist · · Score: 3, Informative

      It's terrible for anything with diagrams or formulas.

  3. Chrome PDF viewer is pretty good by haruchai · · Score: 2

    It's been in the dev or beta channel for a while. Works fine and hasn't choked on any PDFs I've viewed with it yet.

    --
    Pain is merely failure leaving the body
  4. Re:-13 +1 by Anonymous Coward · · Score: 2, Insightful

    The problems with pdf security are either due to the later standards that allow executables to be embedded or due to poor security in the Adobe and Apple readers. You never hear about evince or ocular being a security risk.

  5. Flash in PDFs, head-to-head vs Acrobat Reader by Khopesh · · Score: 2

    One of the biggest problems with Adobe Acrobat Reader is that attackers can run exploits via embedded flash ... since Chrome supports flash, does that mean it will support flash in the PDFs it converts to HTML? I hope not, or at least not by default.

    I'd like to see Chrome come with a dummy app that pretends to be a PDF reader which merely runs a specialized window holding the document content in a manner akin to your typical PDF viewer. This would help people wean themselves off of Acrobat Reader. Maybe it will be better than FoxIt and Evince et al. (though I suspect not; the whole point of PDF is in a perfectly consistent rendering so as to always print the same, while HTML is almost impossible to do that. Google likely has no interest in molding Chrome into something that ideal for paged media, but I can hope...)

    (Disclaimer: I word process in HTML using vim; I know a good amount of page-media CSS, including all those CSS1 and CSS2 bits that still lack implementation in FF and Chrome...)

    --
    Use my userscript to add story images to Slashdot. There's no going back.
    1. Re:Flash in PDFs, head-to-head vs Acrobat Reader by Khopesh · · Score: 2

      I doubt it. It isn't and won't be a fully featured plugin. Chrome's PDF viewer was sandboxed in the dev builds even, so there isn't much risk there. If Adobe fixes the Flash sandbox issues (for one, Mic does not work) then maybe we'd see SWF-in-PDF support.

      Honestly, I hope we don't. PDF shouldn't have flash support. That 'feature' was merely added by Acrobat because it was trivial for them to do. Anybody seeking that kind of thing should use HTML, Flash itself (which is fully capable of this sort of thing!), or perhaps PPT.

      --
      Use my userscript to add story images to Slashdot. There's no going back.
  6. Re:Adobe by Guillermito · · Score: 4, Insightful

    Adobe makes money with PDF authoring tools, not with reader. Since PDF is marketed as a universal format, I guess it is in Adobe's best interest for end users to have a seamless experience accessing PDF content in every possible platform.

  7. Quashes bugs, adds pdf support... by elashish14 · · Score: 2

    Talk about undoing your own work, huh?

    --
    I have left slashdot and am now on Soylent News. FUCK YOU DICE.
    1. Re:Quashes bugs, adds pdf support... by cbhacking · · Score: 2

      As a security tester by profession, I *really* want to run some fuzzing tools over that PDF reader. In fact, I might just do that. Coming up with a proper minset without using the resources at work would take time, though.

      --
      There's no place I could be, since I've found Serenity...
  8. Re:whoop dee doo by onefriedrice · · Score: 4, Informative

    > All this enhancement sounds great, but I wish they would concentrate on compatibility with web sites first. There are too many sites that don't work well with Chrome and I am tired of getting warnings from popular sites that warn me about running an unsupported browser.

    Any examples you can come up with, because I have no idea what you're talking about. WebKit is extremely compatible (it's one of the most popular HTML engines out there), and I don't know of any incompatibilities with Chrome's Javascript VM either, so... I guess I'll just have to call BS.

    --
    This author takes full ownership and responsibility for the unpopular opinions outlined above.
  9. Paste bug fix? by PRMan · · Score: 2

    Does it fix the "I can't paste into a textarea" bug?

    I was using it instead of Firefox, but that one's a dealkiller for me.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
    1. Re:Paste bug fix? by Qzukk · · Score: 2

      The bug report has a workaround: create a bookmark for javascript:document.body.appendChild(document.createElement('div')); and click it whenever you want to paste into slashdot. No idea why adding an empty div to the end of the page makes it work, it probably forces chrome to re-parse slashdot's flaming pile of broken html to something that will actually work in the browser.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  10. Damn. It's all downhill for now. by CFD339 · · Score: 2, Interesting

    You start with something small and fast.

    Soon you're all about embedding this and that and everything else. Now you're all about bloat.

    See, I use foxit. I like foxit. I don't install the embedded reader because I don't like it to be embedded. That's my choice. You may not agree, but that's cool because that's what choice means.

    Now, Chrome embeds its own viewer. There goes my choice. There goes the lightweight browser. Hello monoculture software. Hello exploits.

    bah.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  11. Re:Quashes? by Surt · · Score: 2, Informative

    No, they meant quashed and got it right. The legal definition flows from the standard English one.
    http://www.merriam-webster.com/dictionary/quashed?show=0&t=1291432910

    --
    "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  12. Websites don't support browsers by Zero__Kelvin · · Score: 3, Insightful

    Any website that warns about unsupported browsers is by definition designed by someone who doesn't know how to design websites. Properly designed websites follow standards, and web browsers comply with those standards. When a web developer speaks in terms of which browsers they do and don't support that is a direct indication that they don't understand even the most basic and fundamental concepts of website design.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  13. Re:Damn. It's all downhill for now. by Anonymous Coward · · Score: 5, Informative

    about:plugins -> Chrome PDF Viewer -> Disable.

    or

    Options -> Under the Hood -> Content settings -> Plug-ins -> Block all.

    Also it's weird to say a plugin is causing bloat, when the plugin resides in a shared library, it only registers one embed handler, and is entered only when a PDF is viewed. It has zero runtime overhead and its .text section is shared between processes (iirc... loadlibrary on win32 does copy-on-write).

  14. Crome still disappoints me... by bogaboga · · Score: 4, Insightful

    ...and here's why:

    The fact that after all these releases, Google still does not see it prudent to have 'print preview' added to Chrome as one of its features.

    Folks, this feature is a killer for me...and I am not alone. Trust me on this.

    1. Re:Crome still disappoints me... by whoop · · Score: 5, Funny

      Computer screens aren't good on your eyes. It's better to print everything out and read them by the light of a fireplace, smoking a pipe, and wearing a nice smoking jacket.

    2. Re:Crome still disappoints me... by Clovert Agent · · Score: 2

      Keep your print preview. Give me a master password already, damnit.

    3. Re:Crome still disappoints me... by Xarius · · Score: 3, Informative

      Go to about:flags and enable the Print Preview option.

      --
      C17H21NO4
    4. Re:Crome still disappoints me... by theantipop · · Score: 2

      I think this is only available in the 9.0 dev release. So it seems to be on the way, but definitely not ready for primetime.

  15. Finally! by 93 Escort Wagon · · Score: 3, Insightful

    I'm not a fan of PDF at all - but if you want to use a browser for work, decent PDF handling is a necessary evil. The old "solution" - pulling the PDF into Google Apps - couldn't handle PDF files accessed through https. That made it a non-starter in my work environment.

    All you young'uns are free to bitch and moan about PDF itself; but in the real world you usually have to be pragmatic.

    --
    #DeleteChrome
  16. Re:Where's the bug? by Tynin · · Score: 2

    > This has been annoying me for awhile now. Where's a bug we can all vote for and Slashdot?

    If I were to guess, it would be due to the two buffers X Windows uses (and since it is X Windows, most Linux OS's suffer the same issue), the clipboard buffer, and the primary buffer, have been an ongoing train wreck for years. It is like a few developers don't want to change the way they do things, and don't share best practices for which buffer to use and when.

    Even the current Ubuntu LTS 10.4 suffers from it (not tried it again in the current release, but it has been a problem for a long time on several distros), generally it's the same work around each time, which is to paste into a text program that when you do a copy, it copies it into both buffers (I think I'm using gedit, but I'm not at my workstation). Then when you paste, it should display since regardless of which buffer gets called, it will have your copy.

  17. Re:Damn. It's all downhill for now. by Anonymous Coward · · Score: 5, Informative

    > Hello monoculture software. Hello exploits.

    We embedded a viewer so that we could sandbox it. This makes exploits much harder to pull off. If you do manage to get a user to open a PDF that exploits a bug, the sandbox ensures that the process you now control is unable to access the filesystem or open network connections, and will be killed if it tries.

    99% of users don't know what a plugin is, and won't keep them up to date unless the process is totally automatic. Chrome got this right: Updates are silently downloaded and applied unless you go out of your way to disable them. Making the PDF plugin a part of Chrome allows Chrome updates to update the plugin. Chrome's track record fixing security bugs fast is far better than the record of the PDF plugin that virtually all Windows users have.

    If you don't want to use the fast, small, sandboxed PDF viewer that gets security updates, go to about:plugins and click disable. Nothing stops you from using another plugin if you want to.
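
The kill-on-violation behaviour described in the comment above, shown with Linux seccomp strict mode as an added example: it is not part of the original thread and is not Chrome's sandbox code. The function name `run_sandboxed` and the file path are assumptions chosen for illustration.

```c
/* Added illustration (not Chrome's code): a renderer-style child drops its
 * privileges with Linux seccomp strict mode before touching untrusted input. */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/seccomp.h>
#include <unistd.h>

enum outcome { KILLED_BY_SANDBOX, EXITED_CLEANLY, SANDBOX_UNAVAILABLE, ESCAPED };

/* Fork a child, lock it down, then let it either behave or try to open a file. */
static enum outcome run_sandboxed(int try_file_access)
{
    pid_t pid = fork();
    if (pid < 0)
        return SANDBOX_UNAVAILABLE;
    if (pid == 0) {
        /* After this call only read, write, exit and sigreturn are permitted. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            syscall(SYS_exit, 2);        /* seccomp strict mode not available */
        if (try_file_access) {
            /* Hypothetical path; models a compromised parser reaching for the disk. */
            int fd = open("/etc/hostname", O_RDONLY);
            (void)fd;
            syscall(SYS_exit, 3);        /* only reached if the sandbox failed */
        }
        static const char msg[] = "rendering inside the sandbox\n";
        if (write(STDOUT_FILENO, msg, sizeof msg - 1) < 0)
            syscall(SYS_exit, 4);
        syscall(SYS_exit, 0);            /* raw exit: glibc _exit() uses exit_group */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return SANDBOX_UNAVAILABLE;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return KILLED_BY_SANDBOX;        /* kernel killed the child on the open */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return EXITED_CLEANLY;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
        return SANDBOX_UNAVAILABLE;
    return ESCAPED;
}

int main(void)
{
    static const char *names[] = { "killed by sandbox", "exited cleanly",
                                   "sandbox unavailable", "escaped" };
    printf("well-behaved child: %s\n", names[run_sandboxed(0)]);
    printf("child that opens a file: %s\n", names[run_sandboxed(1)]);
    return 0;
}
```

Strict mode is the bluntest form of this idea: the child must already hold every file descriptor it needs before entering it, which is why a broker process normally does the opening on the sandboxed process's behalf.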

  18. Re:Not a joke by aztracker1 · · Score: 2

    How else were they going to get a release of Chrome 9, before IE9 comes out?

    --
    Michael J. Ryan - tracker1.info
  19. Re:Where's the bug? by pclminion · · Score: 3, Informative

    > If I were to guess, it would be due to the two buffers X windows uses

    How does that explain the fact that I had to manually type in the above quote, and I'm running Windows 7?

    It's fucking ridiculous, it happens with no other site but this one, and the fact that Slashdot has done nothing to fix it in the past MONTH that it's been going on, is absolutely incomprehensible to me. What. The. Fuck. Find the problem and fix it.

    Even if it's somehow a bug in Chrome, I laugh out loud at the prospect of switching away from my preferred browser because one site on the Internet can't be assed to work around the problem. I'd rather abandon Slashdot than abandon Chrome, and that's saying something.

  20. Re:Damn. It's all downhill for now. by Guspaz · · Score: 2

    FYI, Google's using Foxit for the built-in PDF viewer. So, you know, this is kind of like you using Foxit, but with less bloat, since you don't need a completely separate application and UI to get the Foxit PDF rendering engine.

  21. Re:Sandbox by metrix007 · · Score: 2

    It isn't an OS setting, it's the Internet Explorer setting.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  22. Re:Not a joke by asserted · · Score: 2

    Here's how it works: when Chrome 8 is branched to beta, trunk becomes Chrome 9. At first the difference is purely cosmetic.
    But yes, Chrome N+1 is born at the same instant Chrome N goes to beta. From the next canary or dev release on you will see Chrome N+1 versions, though differences between them and Chrome N (already in beta) may be very small.

  23. Re:Damn. It's all downhill for now. by asserted · · Score: 2

    > See, I use foxit. I like foxit.

    you may be interested to know that Chrome seems to be using Foxit for their plugin:
    http://googlesystem.blogspot.com/2010/08/google-chromes-pdf-plugin-uses-foxit.html

    plus additional sandboxing, for extra security.

  24. Re:PDF for Chromium? by Qzukk · · Score: 3, Informative

    The reason is that the PDF support is actually Foxit reader being distributed as a plugin.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  25. Re:Is copy/paste fixed? by Qzukk · · Score: 2

    Have you had the problem anywhere other than slashdot?

    Anyway, some guy figured out that you can fix pasting in slashdot by adding a div to the end of it. Just create a bookmark on the bookmark bar for javascript:document.body.appendChild(document.createElement('div')); and click it whenever you open a slashdot story.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  26. Re:-13 +1 by CRCulver · · Score: 2

    > You never hear about evince or ocular being a security risk.

    Security patches for poppler, the library that evince is built upon, are issued fairly regularly.

  27. Re:PDF for Chromium? by Zaiff Urgulbunger · · Score: 2

    PDF in Chrome is working for me with Ubuntu 9.10 / Chrome 8.0.552.215. However it doesn't work in Chromium 9.0.597.0 (67679)

  28. Re:whoop dee doo by scragz · · Score: 2

    Netflix streaming said Chrome was incompatible last time I tried to use it. I've also had a lot of warnings on various sites that "all features may not be supported". As Mozilla knows, evangelism with major sites is as important as rendering bugs to the end user (me!). Usually everything just works or would work if they would unblock it.