Google fixes 22 flaws in Chrome, slams silent add-ons
- 22 February, 2013 16:08
Google yesterday released Chrome 25, patching 22 vulnerabilities and debuting a new security feature that blocks silent installations of add-ons.
The latter is Chrome 25's most noticeable change to users. It automatically disables third-party add-ons that are installed on the sly by other software. Add-ons -- Google calls them "extensions" -- that were previously installed by third-party software will also be barred from running.
Users can approve a silent-installed extension by clicking a button in the dialog box that appears when Chrome blocks the add-on.
Google's move follows a similar one made by Mozilla more than a year ago, when it, too, crippled silently-installed add-ons. In November 2011, Mozilla debuted Firefox 8, which automatically blocked browser add-ons installed by other software.
Although silent add-ons have historically been more of a problem for Firefox than for Chrome, Google has been limiting add-ons since July 2012, when Chrome 21 began blocking add-ons hosted on a third-party website. Since then, only add-ons obtained from the Chrome Web Store, Google's official distribution mart, have been allowed.
Website designers can, however, trigger an add-on install from their URL using what Google dubbed "inline installation." The actual add-on, however, is still hosted on the Chrome Web Store.
Silent add-on installation has been possible only on Windows; OS X and Linux do not offer slippery websites a way to sneak an add-on into a browser.
Google has created a dictation demonstration of the Web Speech API that users can try out with Chrome 25.
Chrome 25 also patched 22 vulnerabilities, two fewer than January's Chrome 24. Google labeled nine of the flaws as "high," the company's second-most-serious threat rating, eight as "medium," and five as "low."
Five of the vulnerabilities were reported to Google by three outside researchers, who received $3,500 for their work. So far this year, Google has paid out $10,500 from its bug bounty program.
The patches prepare Chrome for the Pwn2Own hacking contest, which will kick off March 6 at the CanSecWest security conference in Vancouver, British Columbia. Unlike last year, Google has contributed money to the prize pool of Pwn2Own, which will reward $100,000 to the first researcher to hack Chrome on Windows 7.
Google also disabled MathML in Chrome 25 over security concerns, said Jason Kersey of Google in a Thursday blog. "The WebKit MathML implementation isn't quite ready for prime time yet, but we are excited to enable it again in a future release once the security issues have been addressed," Kersey wrote.
MathML, or Mathematical Markup Language, is a 15-year-old specification for describing mathematical notation on Web pages. Google debuted the WebKit implementation of MathML in Chrome 24 last month.
Yanking MathML was somewhat controversial among developers, some of whom said that doing so would be "a giant step backward." But other Chromium developers -- Chromium is the open-source project that feeds code to Chrome itself -- were adamant.
"The WebKit code still needs further improvements before we can ship it," one Chromium developer wrote in a bug report for MathML.
Other browsers, such as Safari and Firefox, support MathML: Users can test how a specific browser handles MathML with this page.
Users can download Chrome 25 from Google's website. Active users can simply let the automatic updater retrieve the new edition.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about internet in Computerworld's Internet Topic Center.
Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.
- Hybrid IT Service Management: A Requirement for Virtualisation and Cloud Computing
- IDC: Delivering Customer Value with Enterprise Flash Deployments
- Leading Through Connections – Insights from the Global Chief Executive Officer Study
- How Web Security Improves Productivity and Compliance
- Russian Underground 101
Skill shortages? Not if you pay or train
Dell replays Windows 8 blame card as PC sales slide
Telstra continues with billion dollar 4G plan
What’s life really like on the NBN? (Part II)
40 years ago, Ethernet's fathers were the startup kids