Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Quashes 13 Chrome Bugs, Adds PDF Viewer

Posted by timothy on from the next-please-block-cw-popups dept.

CWmike writes "Google on Thursday patched 13 vulnerabilities in Chrome 8 (stable), and debuted Google's built-in PDF viewer, an alternative to the bug-plagued Adobe Reader plug-in, and included support for the still-not-launched Chrome Web Store. The 13 flaws fixed in Chrome 8.0.552.215 are in a variety of components, including the browser's history, its video indexing and the display of SVG (scalable vector graphics) animations. Next up: Adobe and Google have collaborated to put the Flash Player plug-in inside a sandbox within the dev build of Chrome, an effort by the two companies to better protect users from attacks."

3 of 177 comments (clear)

  1. Re:Damn. It's all downhill for now. by Anonymous Coward · · Score: 5, Informative

    about:plugins -> Chrome PDF Viewer -> Disable.

    or

    Options -> Under the Hood -> Content settings -> Plug-ins -> Block all.

    Also it's weird to say a plugin is causing bloat, when the plugin resides in a shared library, it only registers one embed handler, and is entered only when a PDF is viewed. It has zero runtime overhead and its .text section is shared between processes (iirc... loadlibrary on win32 does copy-on-write).

  2. Re:Damn. It's all downhill for now. by Anonymous Coward · · Score: 5, Informative

    Hello monoculture software. Hello exploits.

    We embedded a viewer so that we could sandbox it. This makes exploits much harder to pull off. If you do manage to get a user to open a PDF that exploits a bug, the sandbox ensures that the process you now control is unable to access the filesystem or open network connections, and will be killed if it tries.

    99% of users don't know what a plugin is, and won't keep them up to date unless the process is totally automatic. Chrome got this right: Updates are silently downloaded and applied unless you go out of your way to disabling them. Making the PDF plugin a part of Chrome allows chrome updates to update the plugin. Chrome's track record fixing security bugs fast is far better than the record of the PDF plugin that virtually all Windows users most user have.

    If you don't want to use the fast, small, sandboxed PDF viewer that gets security updates, go to about:plugins and click disable. Nothing stops you from using other plugin if you want to.

  3. Re:Crome still disappoints me... by whoop · · Score: 5, Funny

    Computer screens aren't good on your eyes. It's better to print everything out and read them by the light of a fireplace, smoking a pipe, and wearing a nice smoking jacket.