Chrome 18 Closes Security Holes

Friday, March 30, 2012 @ 04:03 PM gHale

In a move to close security holes, Google released version 18 of Chrome, the company’s own extended version of the open source Chromium web browser.

The new Stable channel release, labeled 18.0.1025.142, fixes security vulnerabilities, and improves graphics and drawing performance on systems with capable hardware.

Opera Closes Security Holes
Chrome 17 Patches Security Holes
Firefox: Secure Search by Default
Mozilla Firefox 11 Ready to Go

This can happen by adding support for GPU-accelerated rendering of 2D Canvas content on Windows and Mac OS X systems. The GPU acceleration should improve the overall performance of graphics-intensive web applications, making canvas-based animations and games “run faster and feel smoother,” according to the developers.

For older systems that can’t make use of the GPU, Chrome can now display 3D content using the SwiftShader software rasteriser, which Google licensed from TransGaming, Inc. However, the developers note “a software-backed WebGL implementation is never going to perform as well as one running on a real GPU, but now more users will have access to basic 3D content on the web.”

Additionally, this new version closes nine security holes, of which three are “High severity.” These include high-risk use-after-free errors in SVG clipping, an off-by-one problem in OpenType Sanitizer and memory corruption bugs in Skia. Other closed holes include five medium-severity problems such as out-of-bounds reads in SVG text and text fragment handling, a cross-site scripting (XSS) bug, a SPDY proxy certificate checking error and an invalid read in the V8 JavaScript engine.

Google also closed off a low-severity bug used by a hacker going by the name of “Pinkie Pie” during the Pwn2Own competition at CanSecWest. Google’s Karen Grunberg said some of these “represent the start of hardening measures based on study of the exploits submitted to the Pwnium competition.”

As part of its Chromium Security Vulnerability Rewards program, Google paid security researchers $4,000 for discovering and reporting the holes – $8,000 in additional rewards went for security bugs reported to the company during the development cycle of Chrome 18. The company withheld details about the vulnerabilities until “a majority of users are up-to-date with the fix.”

Leave a Reply

You must be logged in to post a comment.