Slashdot Mirror


Google Pushes New Chrome Release, Pays $14k Bounty

Trailrunner7 writes "Google has released version 8.0.552.237 of its Chrome browser, which includes fixes for 16 security vulnerabilities. The company also paid out more than $14,000 in bug bounties for the flaws fixed in this release, including the first maximum reward of $3133.7. The new version of Google Chrome has fixes for 13 high-priority bugs, but the most serious vulnerability the company repaired in the browser is a critical flaw resulting from a stale pointer in the speech handling component of Chrome. That flaw, along with four others, was discovered by researcher Sergey Glazunov, who earned a total of more than $7,000 in rewards for the bugs he reported to Google."

27 of 182 comments

  1. New business model: by Fluffeh · · Score: 5, Insightful

    1) Convince Microsoft to adopt similar bug strategy.
    2) Start using software as it was designed to be used...
    3) PROFIT!!

    Yes, that's right. No step 4.

    *sips coffee*

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
    1. Re:New business model: by Yvanhoe · · Score: 2

      Yes. Lame economical move. Wonderful ideological one. Google is not banking on money but on reputation. They believe that the protocols used on internet should be opened and not patent-encumbered. They think that this is a danger that would cost them more than $8,000. They see further than most. Kudos to them.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  2. I just want Google on my check by Deathnerd · · Score: 2

    I don't care how much it's for, because if I ever get a check from Google, it's getting framed. Just sayin.

    1. Re:I just want Google on my check by TafBang · · Score: 2

      I like your style. Perhaps as a Facebook display picture in hopes of getting some "likes" from potential femina mates

    2. Re:I just want Google on my check by mysidia · · Score: 2

      > I like your style. Perhaps as a Facebook display picture in hopes of getting some "likes" from potential femina mates

      I am afraid Google would run into the same problems Knuth and others did. When people post images of checks online, various scammers, the scum of the internet, find images of the checks online, make fake checks, or initiate fraudulent ACH transactions.... result: the account has to be closed.

      Remember folks... checks are legal instruments and contain confidential bank account numbers printed on them, which (due to our insecure banking system) can easily be abused by scammers to steal lots of money. Never post an image for public consumption of a check someone else wrote to you.

  3. Google won this round... by NFN_NLN · · Score: 4, Insightful

    14K sounds like a pretty good deal for Google. That's less than 2 months of salary for even an intermediate tester.

    1. Re:Google won this round... by omglolbah · · Score: 2

      He didn't say they did, he said it could cost -google- that much.

      Office space, benefits and the likes cost quite a lot. Salary is not the only thing an employee costs ;)

  4. I found a bug by Octopuscabbage · · Score: 2

    "Hello Google, I found a bug." "Did you fix it?" "Yeah here is 100 man hours of work and 1,000 lines of code" "k, cool, here's $10"

    1. Re:I found a bug by TafBang · · Score: 2

      Sergey is Taking our Jobs

  5. I'll be filing a bug report soon by 93+Escort+Wagon · · Score: 5, Funny

    I've heard that h.264 support is broken in an upcoming release.

    --
    #DeleteChrome
    1. Re:I'll be filing a bug report soon by _Sprocket_ · · Score: 2, Insightful

      > I've heard that h.264 support is broken in an upcoming release.

      That's a feature.

    2. Re:I'll be filing a bug report soon by tyrione · · Score: 2

      Woosh!

    3. Re:I'll be filing a bug report soon by martas · · Score: 2

      That's a whoosh.

  6. One of the best things about Chrome ... by Wrath0fb0b · · Score: 4, Interesting

    Is that updates take place silently and promptly without any user intervention even on systems with UAC activated (a copy is installed to %appdata%). Why can't other applications just keep themselves up to date automatically in that way? It's obviously not technologically impossible, we've seen it happen. Even Windows Update is vaguely alright in this respect once you disable the restart-nagging. Debian systems do fine after a simple 'apt-get update && apt-get upgrade -y' in the root crontab although the GUI will occasionally pester you.

    Firefox has to be the worst offender in this respect, both in terms of actual software upgrades that block the UI and then add-ons that also block the main UI and then spawn a silly splash to inform you of the amazing upgrade from 2.1.6 to 2.1.6(b). Unless it requires a change in the terms of the license or more permissions (Android does this nicely), I don't care and I definitely don't need to be interrupted to see it.

    Another free tip for the Mozilla team -- when I open an application is not the time to install any updates. In fact, that is the only time you can be nearly guaranteed that I want to use the application right this second. Schedule updates for when I close the app because it's pretty damn likely I don't need to use it for a few minutes.

    Apple could learn the same thing about their infernal updates too, plus an extra special place in hell for pimping their other software at the same time. I still get calls from my parents "Do I need Safari?", hmm, no just upgrade iTunes when it asks you to. "What about quicktime?". Gah.

     

    1. Re:One of the best things about Chrome ... by BZ · · Score: 4, Informative

      > Schedule updates for when I close the app because it's pretty damn likely I don't need to
      > use it for a few minutes.

      It's not that simple. When you close the app in the case of a web browser, you're most likely shutting your machine down; you don't want to do the update then.

      The only sane way to do it is what Google does: actually replace the binaries in-place as the program runs... We're working on getting there. :)

    2. Re:One of the best things about Chrome ... by mysidia · · Score: 5, Informative

      > Is that updates take place silently and promptly without any user intervention even on systems with UAC activated (a copy is installed to %appdata%).

      Hm.. that idea wouldn't work on any systems I set up.

      Software restriction policy all systems, Policy default: deny.

      Programs can be executed from the default allowed directories. %programfiles% , %systemroot%\system32, etc, and some designated paths for placing executables in manually, in order to install them.

      User profile directories including appdata are specifically excluded, because this is best common practice. Programs/executables don't belong in any user's profile or appdata folder (Especially not in any folder used as a default download directory for saving files or temporary directory used by a mail application for opening attachments in a viewer). Contents of appdata is a data folder, and all of a user's profile are data folders, not program folders.
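
The default-deny path policy described in the comment above, as an added example that is not part of the thread: a simplified Python model of path-rule checking, not the Windows Software Restriction Policy engine itself. The environment values, the sample paths and the "exclusions are checked first" ordering are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed environment values for the example.
ENV = {
    "programfiles": r"C:\Program Files",
    "systemroot": r"C:\Windows",
    "userprofile": r"C:\Users\alice",
    "appdata": r"C:\Users\alice\AppData\Roaming",
}
# Allowed directories named in the comment; anything else is denied by default.
ALLOWED = [r"%programfiles%", r"%systemroot%\system32"]
# Explicit exclusion of the user profile (checked first: an assumption here).
EXCLUDED = [r"%userprofile%"]


def expand(path):
    """Expand %VAR% references case-insensitively; unknown names stay as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def canon(path):
    """Collapse '..' and '/' and lowercase, so rules compare real locations."""
    return ntpath.normcase(ntpath.normpath(expand(path)))


def is_under(path, root):
    """True if path is root or below it, matching whole path components only."""
    p, r = canon(path), canon(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def may_execute(path):
    """Default deny: exclusions win, then the allow list, otherwise refuse."""
    if any(is_under(path, root) for root in EXCLUDED):
        return False
    return any(is_under(path, root) for root in ALLOWED)


if __name__ == "__main__":
    # Constructed sample paths: system-wide install, per-user install,
    # a '..' path that really resolves into the profile, a look-alike prefix.
    for sample in (r"%programfiles%\Google\Chrome\Application\chrome.exe",
                   r"%appdata%\Google\Chrome\Application\chrome.exe",
                   r"C:\Program Files\..\Users\alice\Downloads\setup.exe",
                   r"C:\Program Files (staging)\tool.exe"):
        print("allow" if may_execute(sample) else "deny ", sample)
```

Comparing canonical paths on whole components is what keeps a `..` segment or a directory whose name merely starts with an allowed prefix from matching an allow rule.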

    3. Re:One of the best things about Chrome ... by Wrath0fb0b · · Score: 2

      As for your Firefox issue, go to Tools > Options > Advanced > Update and untick automatically update for Add-ons (and probably search engines). There, job done. Yes it isn't the best user interaction decision to update at startup and block the main UI from loading, but it doesn't mean you have to live with it when it clearly ticks you off so much.

      So now I have to manually check for updates? And this is your idea of fixing things?

    4. Re:One of the best things about Chrome ... by morgan_greywolf · · Score: 2

      > Is that updates take place silently and promptly without any user intervention even on systems with UAC activated (a copy is installed to %appdata%).

      No wonder corporate shops don't allow Chrome.

    5. Re:One of the best things about Chrome ... by Wrath0fb0b · · Score: 2

      > Programs can be executed from the default allowed directories. %programfiles% , %systemroot%\system32, etc, and some designated paths for placing executables in manually, in order to install them.

      When Chrome closes it copies over the %ProgramFiles% version if the user has sufficient privileges to do so. That's the best place for it, but given that NTFS does not allow unlinking an executable when it is running, having it in %AppData% for the time being is the next best option.

      > User profile directories including appdata are specifically excluded, because this is best common practice. Programs/executables don't belong in any user's profile or appdata folder (Especially not in any folder used as a default download directory for saving files or temporary directory used by a mail application for opening attachments in a viewer). Contents of appdata is a data folder, and all of a user's profile are data folders, not program folders.

      Wait, so if I instruct chrome to download an application, it shouldn't go in $USER/Downloads because executables aren't supposed to be in data folders? To where should setup.exe be downloaded then? In fact, how the heck is any updater supposed to work in this case? Even Firefox downloads an executable to %appdata%\Temp\ and then launches the process.

      What you've described isn't best common practice, it's slavish attention to distinctions that are made for the sake of convenience -- allowing a particular form to entirely straightjacket the function of software that keeps itself updated.

      What's more, given that placing roadblocks to updating causes a huge decrease in user compliance, it's not even clear that such draconian measures even improve security. Having those 16 browser vulnerabilities patched as promptly as possible is far more important than adhering to whatever practices seem best in the abstract.

      TL;DR: I'm very happy that Google does not adhere to 'best practices' that would result in more people using software with known vulnerabilities for longer.

    6. Re:One of the best things about Chrome ... by willie150 · · Score: 2

      Google released Chrome for Business in the last few months, add that to the policy settings and you're pretty set.

      --
      Better to stay silent, and let people think you're an idiot than to open your mouth and remove all doubt
    7. Re:One of the best things about Chrome ... by n0-0p · · Score: 2

      If you don't like the single user version then install the system-wide version from the google pack. And it doesn't leave past versions around; it leaves exactly one previous version when it's updating because it uses differential compression against the old version and falls back to the previous version if the update failed.

    8. Re:One of the best things about Chrome ... by tepples · · Score: 2

      > Programs can be executed from the default allowed directories. %programfiles% , %systemroot%\system32, etc, and some designated paths for placing executables in manually

      Then what is the procedure for a user to request that a program's installer be placed into one of these "designated paths for placing executables in manually"?

  7. Re:interesting by biryokumaru · · Score: 4, Funny

    My Chrome goes to 11.

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!
  8. Re:Wait a minute... by russotto · · Score: 4, Funny

    3,133.7?

    Looks suspiciously like 'leet to me.

    Way to spot 'em, Captain Obvious.

  9. Re:Have they fixed h.264? by mswhippingboy · · Score: 2

    Yea, they fixed it alright. They got rid of it.

    http://www.pcmag.com/article2/0,2817,2375719,00.asp

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
  10. You gotta be kidding me. by Brannon · · Score: 2

    It's just a company, dude.

  11. Re:Supporting Chrome is moving back standards by dalmor · · Score: 2

    I posted this URL in another thread, but it is a great view of the whole video format "war" going on.

    Even with Chrome supporting h.264, in order to get maximum compatibility for video playback across all browsers (let's not leave out Android and iPhone), you still need to have the video in all 3 formats (below is copy/pasted from the site). Chrome isn't going "backwards" compared to where it stands now, unless you prefer having site visitors standardize on a set of browsers, in which case I can't argue with that:

          For maximum compatibility, here’s what your video workflow will look like:
                1. Make one version that uses WebM (VP8 + Vorbis).
                2. Make another version that uses H.264 baseline video and AAC “low complexity” audio in an MP4 container.
                3. Make another version that uses Theora video and Vorbis audio in an Ogg container.
                4. Link to all three video files from a single element, and fall back to a Flash-based video player.

    http://www.diveintohtml5.org/video.html