Slashdot Mirror


Chromium 37 Launches With Major Security Fixes, 64-bit Windows Support

An anonymous reader writes: Google has released Chrome/Chromium version 37 for Windows, Mac, and Linux. Among the changes are better-looking fonts on Windows and a revamped password manager. There are 50 security fixes, including several to patch a sandbox escaping vulnerability. The release also brings stable 64-bit Windows support which

> ...offers many benefits for speed, stability and security. Our measurements have shown that the native 64-bit version of Chrome has improved speed on many of our graphics and media benchmarks. For example, the VP9 codec that’s used in High Definition YouTube videos shows a 15% improvement in decoding performance. Stability measurements from people opted into our Canary, Dev and Beta 64-bit channels confirm that 64-bit rendering engines are almost twice as stable as 32-bit engines when handling typical web content. Finally, on 64-bit, our defense in depth security mitigations such as Partition Alloc are able to far more effectively defend against vulnerabilities that rely on controlling the memory layout of objects.

The full changelog.

26 of 113 comments

  1. Shooter by hooiberg · · Score: 2

    Somehow I will always remember Chromium as the arcade type shooter with the same name.

  2. all that? by turkeydance · · Score: 2

    and for free?

    1. Re:all that? by stoploss · · Score: 2

      How is google going to stop you from posting lies on Slashdot?

      Haven't you heard the whispers about the Google kick squad, armed with Reason(tm) hypervelocity rail guns?

      That's how.

  3. Why not a master password for the PW manager? by mlts · · Score: 2

    I wish for a feature that is in Firefox... and that is the ability to set a master password and encrypt all password manager contents. That way, stored passwords and certificates are independently protected.

    1. Re: Why not a master password for the PW manager? by Anonymous Coward · · Score: 4, Funny

      I think it would be nice if Chrome stored all your passwords and especially your certs (like SMIME and PGP keys) on one of Google's servers. That way you'd have them any time and anywhere you want. Google could provide encryption and provide a key escrow service to that encryption so that, if you lose your master password, Google can recover your passwords for you. With Google's safety features, nothing could possibly go wrong.

    2. Re:Why not a master password for the PW manager? by The MAZZTer · · Score: 3, Informative

      Chrome already encrypts your data (on Windows at least) using your Windows login credentials using the Crypto API. If the user is not logged in, the passwords are impossible to read. If the user is logged in, all it takes is an API call run by that user to decrypt them, no reauthentication necessary (and this is why you lock your PC when you walk away). I think it is a very usable solution to the "but I save passwords to avoid remembering passwords, I don't want a master password" problem, but still keeping things secure.

      I think cookies are encrypted now, too.

    3. Re:Why not a master password for the PW manager? by gstoddart · · Score: 2

      So, are you saying that the data is "encrypted" in such a way as to be readable by anything which is running as your user?

      Because, basically that would mean that it's not really encrypted in any meaningful way, because you inherently trust every single process to access your passwords.

      Quite frankly, that sounds pretty dumb, because it means you explicitly make this available to every single process. So, Adobe could read your passwords if you read a PDF?

      That's pretty weak if I understand what you said. And precisely why I don't trust applications to remember my passwords.

      --
      Lost at C:>. Found at C.

    4. Re:Why not a master password for the PW manager? by Mortimer82 · · Score: 2

      Once you have any kind of malware on your computer, you have to assume anything you do within the context of that user account is compromised. Any malware which can read your password database could also just as easily be watching your activity and record the password the next time you enter a global password into a password manager.

      As a user who is already used to quickly pressing Win+L to lock their computer each time they leave their desk, leveraging the Windows APIs is exceptionally convenient, especially when I consider that I don't have to manage yet another password independently of my Windows login password.

      Also, those of us who recognise that it's no longer mid-2000 and that Microsoft has become a company who arguably sets one of the best examples on how to develop software securely, I have confidence that their API for this is thoroughly tested and proven. For Google to even attempt to come close, they would need to expend considerable effort which would ultimately achieve, at best, a reinvented wheel which would also be less convenient for Windows users.

    5. Re:Why not a master password for the PW manager? by Mortimer82 · · Score: 2

      You just happen to be super vigilant with your security and if Chrome had implemented a Firefox style password protected password manager it most certainly would not have met your needs either. You are very different from the vast majority of users and the most worthwhile measure you take above Firefox and Chrome, is that you compartmentalise your passwords. You however are a part of a very small number of people who go to those lengths and for the vast majority of users who have all their passwords in the same "vault", they would expose all their passwords within a day, making Chrome's strategy of leveraging the Windows API arguably more secure than building their own. And keep in mind the vast majority of people would be infected for weeks or even months before they notice.

      As for your argument about key loggers being "harder" to develop than other malware, keep in mind that a lot of malware these days is bought as a kit with a tonne of features. The people writing the malware are typically separate from the parties utilising the malware and once a password stealing module is written, it's available for everyone else to use, regardless of how hard it was to write. Also, who said it had to be a key logger? It could be sniffing unencrypted memory, peeking forms in the browser window, it could be watching in countless different ways to avoid being detected as a key logger by AV.

      And in regards to AV watching for key loggers, if they know to watch for key logger type activity, then it stands to reason they could also log attempts to read the password management API. In practice it's a cat and mouse game, as AV writers work to detect malware activity, malware writers work to avoid detection.

      Malware writers are financially incentivised to come up with solutions, do not think that the hurdle required to get key sniffing is substantially different to that required for using the Windows API for password management, if it takes them a couple of weeks more to write one method, they might bill their clients more, or perhaps they are forced to include the feature so their clients don't use a competing product.

      While you are a rare exception as you take extraordinary lengths to protect your credentials, for the vast majority of people, once they have malware, everything on their user profile is likely compromised and single password vault vs Windows API won't help them one bit, except that the Microsoft developed password vault is more convenient to users and likely better than a comparatively simple solution which would ship with a browser.

    6. Re:Why not a master password for the PW manager? by Bengie · · Score: 2

      Windows does not only save encrypted data for a user that can be decrypted by any application, but also on a per user+application basis. This way no other application can decrypt the data. I would assume Chrome uses this part of the API. Of course this assumes no flaws in design and implementation.
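
As an added illustration of the two comments above about Windows-backed encryption (not code from the thread or from Chrome), this PowerShell example round-trips a constructed secret through DPAPI using .NET's `ProtectedData` class. It shows that the logged-in user needs no reauthentication to decrypt, and that the optional entropy argument is an extra value the caller must present again; it assumes Windows PowerShell 5.1, and every sample string and variable name is made up for the example.

```powershell
# Added example: DPAPI round trip through .NET's ProtectedData wrapper.
# Assumes Windows PowerShell 5.1; all sample values below are constructed.
Add-Type -AssemblyName System.Security

$dpapi   = [System.Security.Cryptography.ProtectedData]
$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$utf8    = [System.Text.Encoding]::UTF8
$secret  = $utf8.GetBytes('constructed-sample-password')
$entropy = $utf8.GetBytes('constructed-app-entropy')

# Case 1: no entropy. The blob is tied only to the current user's DPAPI keys.
$blobUserOnly = $dpapi::Protect($secret, $null, $scope)

# Any code running as the same logged-in user can reverse it, with no prompt.
$plain = $dpapi::Unprotect($blobUserOnly, $null, $scope)
'user-only blob -> ' + $utf8.GetString($plain)

# Case 2: optional entropy. The same bytes must be supplied to decrypt.
$blobWithEntropy = $dpapi::Protect($secret, $entropy, $scope)

try {
    # Same user, but the entropy is withheld: this call is expected to throw.
    [void]$dpapi::Unprotect($blobWithEntropy, $null, $scope)
    'entropy blob, entropy withheld -> decrypted (unexpected)'
} catch {
    'entropy blob, entropy withheld -> failed: ' + $_.Exception.Message
}

$plain = $dpapi::Unprotect($blobWithEntropy, $entropy, $scope)
'entropy blob, entropy supplied -> ' + $utf8.GetString($plain)

# The entropy is a value the protecting application has to keep somewhere
# itself; DPAPI does not check which program is making the call.
```

Run under a different Windows account, both `Unprotect` calls on these blobs fail, which is the "not logged in, impossible to read" property described in the thread.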

    7. Re:Why not a master password for the PW manager? by vux984 · · Score: 2

      > You just happen to be super vigilant with your security and if Chrome had implemented a Firefox style password protected password manager it most certainly would not have met your needs either.

      It could potentially replace the lowest value vault.

      > the most worthwhile measure you take above Firefox and Chrome, is that you compartmentalise your passwords

      Yes, and it's a major failing of all systems out there that compartmentalization isn't better supported at the system level. Not only does the OS fail to guide users to compartmentalizing, it abjectly fails to support it at all.

      Some random piece of software I download from the internet shouldn't get read access to my documents folders or be able to root through (on Windows) the programdata folders of OTHER installed software by default. It should get access to its OWN programdata folder, it should get access to its own documents. If I want to grant it access to other things, that should be explicit.

      > As for your argument about key loggers being "harder" to develop than other malware

      I didn't make that argument.

      I made the argument that it was easier to *detect* keyboard hooks. And that hooking into the keyboard takes longer to compromise the passwords because it has to wait until passwords are typed in -- vs just being able to read them out.

      > then it stands to reason they could also log attempts to read the password management API.

      That's a good point. However, the number of apps that have a legitimate reason to call the password management API is very high. The number of apps that legitimately need to hook into the keyboard apis necessary for keylogging the foreground app is pretty low. You could almost block that by default and require per-app authorization.

      The password management API should also default to an app only being able to read its own data out without escalation. There's really no reason for App A being able to read credentials for App B.

      Thinking about how app identity would actually be established, I think the on disk filesystem folder path of the running process should be sufficient, assuming that can't be easily spoofed (?)

      That would allow updated versions of legitimate software to retrieve credentials stored with the previous version, but still prevent random drive-by processes from doing anything with them.

      And that goes back to my complaint that OSes don't do compartmentalization well yet.

  4. Hello, it is 2014 by qbast · · Score: 4, Insightful

    Why even bother with 32 bit builds?

    1. Re:Hello, it is 2014 by wisnoskij · · Score: 3, Insightful

      Even well into Windows 7, 32-bit continued to have a very serious market share of NEW installs. At this point I do not think we are getting very many 32 bit installs at all, but any computer over 3 years probably has about a 60% chance of running a 32-bit OS. XP was the market overlord for a very long time, and continues to have a significant share, and its 64 bit edition was unusable.

      --
      Troll is not a replacement for I disagree.

    2. Re:Hello, it is 2014 by qbast · · Score: 2

      Then would they care about browser upgrade?

    3. Re:Hello, it is 2014 by CastrTroy · · Score: 2

      There are devices sold that have a 32 bit OS installed. For devices that will never have more than 2 GB of RAM, it makes sense to save a little bit of memory by using the 32 bit version when it is all that is needed. Granted, it won't be long before just about every device has 4GB of RAM, and we will completely lose the 32 bit build.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

    4. Re:Hello, it is 2014 by DRJlaw · · Score: 2

      > For devices that will never have more than 2 GB of RAM, it makes sense to save a little bit of memory by using the 32 bit version when it is all that is needed.

      If that is your sole metric, perhaps. But x64 mode provides other features such as additional registers, a larger address space for ASLR, etc. Much of the speed increase Google is touting is due simply to the ability of the compiler to use x64 mode code.

  5. Video decoding regression by kav2k · · Score: 3, Informative

    > For example, the VP9 codec that’s used in High Definition YouTube videos shows a 15% improvement in decoding performance.

    Except that with this version, hardware-accelerated decoding broke scaling, so it now seems to scale as nearest-neighbor. Thankfully, on Windows it's possible to override hardware decoding with chrome://flags, which is a workaround for now.

  6. Re:Sweet by Anonymous Coward · · Score: 3, Funny

    I'm sure the Brony community can provide an equine themed build to your liking.

  7. Re:Gradients by Anonymous Coward · · Score: 2, Insightful

    The answer is still no, apparently: https://code.google.com/p/chro...

    What a world we live in, where IE11 and Firefox have vastly better real-world CSS3 support and Chrome is just a pile of crap.

  8. The tabs are slightly sucky by jones_supa · · Score: 2

    An old gripe: the tab implementation could be improved. To begin with, when using the normal horizontal tab strip, Firefox makes it scrollable with arrows when it gets crowded. Chrome just makes the tabs smaller and smaller. And hey, give me vertical tabs, à la Firefox's Tree Style Tab extension. Great way to utilize a wide screen monitor. Chrome did indeed have an experimental side tabs option a couple of years ago, but they removed it, and apparently their extension API hasn't allowed any third party to make a good vertical tabs implementation. Ah well.

  9. 64-bit support by Imagix · · Score: 2

    So when are they _finally_ going to have a 64-bit OS X version?

  10. Re:Sweet by Himmy32 · · Score: 2, Informative

    Pale Moon is a 64 bit build of the LTS version of Firefox. Highly recommend it.

  11. Chromium 37? by OolimPhon · · Score: 5, Funny

    I thought this was a story about an isotope...

  12. Re:Does it self-update to 64-bit? by jones_supa · · Score: 3, Informative

  13. Just being honest here... by Anonymous Coward · · Score: 5, Insightful

    but I cannot fathom how people, and techies specifically, trust a browser that has ties to the company that does nothing but track people for the sake of profit. I just cannot wrap my head around why people willingly are not fighting the trading of privacy for something "free". We all know the tradeoff isn't fair. Free this and free that and we are giving our lives away for what really?

    I similarly distrust supermarket loyalty cards, which purport to save you money, but track and sell your preferences to third-party vendors who are also in the game for nothing but profit. One of the things that scares me is the buyers included in these companies are insurance companies, both medical and other, who then proceed to find ways to make your policies more expensive in future based on your current lifestyle. This is starting to happen.

    My life is private and what I do should not cause an increase in costs for me. The goal, after all, is socialised medicine anyway, so screw for-profit medical companies.

  14. Chrome 38 is the big one by kervin · · Score: 2

    Encrypted Media Extensions lands in 38. This is what Netflix's using in their new HTML5 player. So hopefully, finally, Netflix on Linux.

    Now if they can just get Java working on Linux again we'd be all set.