Android is great on smartphones and tablets, but could it work on the desktop? One critical missing part has been multi-user support, but thanks to clues in the code we now know that multi-user Android support is on its way.
Last year, we posted on the Google Online Security Blog about our desire to end mixed scripting vulnerabilities. A “mixed scripting” vulnerability affects HTTPS websites that are improperly implemented; these vulnerabilities are serious because they eliminate most of the security protections afforded by HTTPS. All web browsers have historically taken it upon themselves to try and work around these bugs by informing or protecting users in some way.
With the recent release of Chrome 21, we’ve taken several steps forward:
- We continue to protect end users by blocking mixed scripting conditions by default, but we now do it in a way that is less intrusive. This change minimizes “security dialog fatigue” and reduces the likelihood that users will expose themselves to risk by clicking through the warning.
- We’ve improved resistance to so-called “clickjacking” attacks. Electing to run any mixed script is now a two-click process.
- We now silently block mixed scripting conditions for websites that opt in to the HSTS security standard. This is the strongest default protection available.
If you visit a non-HSTS web site with a mixed scripting condition, a new shield icon in the omnibox (to the right, next to the star) indicates that Chrome’s protection has kicked in:
You can click on the shield to see the option to run the mixed script, but we don’t recommend it. Instead, if you see the shield icon, we recommend contacting the website owners to make sure they know they may have a security vulnerability.
It has been an interesting journey to get to this point. For about a year, we blocked mixed scripting by default on Chrome’s Dev and Beta channel releases. Rolling out the block to Stable was more challenging because of widespread mixed scripting across the web. To move forward, we turned blocking on for certain web sites, starting with google.com. Later, we reached out to and then collaborated with twitter.com and facebook.com to opt them into blocking, too. All these websites hold themselves to a high standard of security, so this approach worked well. We later took the additional step of opting in sites to mixed script blocking for any site using the HSTS standard.
We bit the bullet and let full mixed script blocking for all sites hit Stable back in Chrome 19. Predictably, we uncovered a range of buggy web sites, and some users were confused about the “infobar” warning displayed by the older versions of Chrome:
Fortunately—and no doubt driven by the high visibility of this warning—some prominently affected websites were able to deploy quick fixes to resolve their mixed scripting vulnerabilities. This work aligns with one of our Core Security Principles: Make the web safer for everyone. Unfortunately, the warning confused some users, which conflicts with another principle: Don’t get in the way. (We’re sorry for any temporary disruption.)
With Chrome 21, we believe we’ve achieved a good balance between top-flight protection for end users, a pleasant UI experience, and notifications that help buggy websites improve their security.
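For site owners whose pages trigger the shield icon, a check along these lines finds the script references Chrome would block and reports whether the site has opted in to HSTS. This is an added example, not code from the original post or from Chrome; the function names, the sample page and the sample headers are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect <script src> URLs, resolved against the page URL or <base href>."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.script_urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"].strip())
        elif tag == "script" and attrs.get("src"):
            self.script_urls.append(urljoin(self.base, attrs["src"].strip()))


def hsts_enabled(headers):
    """True if Strict-Transport-Security is present with a non-zero max-age."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("strict-transport-security", "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return arg.isdigit() and int(arg) > 0  # max-age=0 switches HSTS off
    return False


def audit_mixed_scripting(page_url, html, headers):
    """Return (scripts an HTTPS page loads over plain HTTP, HSTS opted in?)."""
    if urlsplit(page_url).scheme != "https":
        return [], False  # mixed scripting only exists on HTTPS pages
    collector = ScriptSrcCollector(page_url)
    collector.feed(html)
    mixed = [u for u in collector.script_urls if urlsplit(u).scheme == "http"]
    return mixed, hsts_enabled(headers)


SAMPLE_URL = "https://shop.example/checkout"  # constructed sample, not a real site
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="http://stats.example/track.js"></script>
</head><body><script>var inline = 1;</script></body></html>"""
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
if __name__ == "__main__":
    print(audit_mixed_scripting(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS))
```

Relative and protocol-relative references inherit the page's HTTPS scheme and are not flagged; a `<base href>` pointing at an HTTP origin turns every relative script into a mixed one, which is why the collector tracks it.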
Highlights of these changes are:
The Chrome team is excited to announce the release of Chrome 21 to the Stable Channel. 21.0.1180.57 for Mac and Linux. 21.0.1180.60 for Windows and Chrome Frame. Chrome 21 contains a number of new features including a new API for high-quality video and audio communication. More detailed updates are available on the Chrome Blog.
Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.
- [Linux only] Medium CVE-2012-2846: Cross-process interference in renderers. Credit to Google Chrome Security Team (Julien Tinnes).
- Low CVE-2012-2847: Missing re-prompt to user upon excessive downloads. Credit to Matt Austin of Aspect Security.
- Medium CVE-2012-2848: Overly broad file access granted after drag+drop. Credit to Matt Austin of Aspect Security.
- Low CVE-2012-2849: Off-by-one read in GIF decoder. Credit to Atte Kettunen of OUSPG.
- Medium CVE-2012-2850: Various lower severity issues in the PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
- High CVE-2012-2851: Integer overflows in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
- High CVE-2012-2852: Use-after-free with bad object linkage in PDF. Credit to Alexey Samsonov of Google.
- Medium CVE-2012-2853: webRequest can interfere with the Chrome Web Store. Credit to Trev of Adblock.
- Low CVE-2012-2854: Leak of pointer values to WebUI renderers. Credit to Nasko Oskov of the Chromium development community.
- High CVE-2012-2855: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
- High CVE-2012-2856: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
- [$1000] High CVE-2012-2857: Use-after-free in CSS DOM. Credit to Arthur Gerkis.
- [$1000] High CVE-2012-2858: Buffer overflow in WebP decoder. Credit to Jüri Aedla.
- [Linux only] Critical CVE-2012-2859: Crash in tab handling. Credit to Jeff Roberts of Google Security Team.
- Medium CVE-2012-2860: Out-of-bounds access when clicking in date picker. Credit to Chamal de Silva.
Many of the above bugs were detected using AddressSanitizer.
We’d also like to thank Drew Yao / Braden Thomas / Jim Smith (all Apple Product Security), Kostya Serebryany of the Chromium development community, Atte Kettunen of OUSPG and Bernhard Bauer of the Chromium development community for working with us during the development cycle and preventing security regressions from ever reaching the stable channel.
This build contains a number of stability improvements.
Some highlights of these changes are:
- Fixed 133988: Network dropdown in the first screen when setting up the network may not show the entire list of networks.
- Fixed 31651: Disabling 3G mobile data on the system would cause it to become permanently disabled.
- Fixed issue with Enterprise customers being unable to enroll due to a timezone mismatch issue.
Chrome now includes the getUserMedia API, which lets you grant web apps access to your camera and microphone without a plug-in. The getUserMedia API is the first step in WebRTC, a new real-time communications standard which aims to allow high-quality video and audio communication on the web.
The getUserMedia API also allows web apps to create awesome new experiences like Webcam Toy and Magic Xylophone. In Chrome Web Lab, if you're on the latest version of Chrome, the Sketchbots experiment uses getUserMedia to let you take a picture of your face, which is then converted to a line drawing and sent to a robot in the Science Museum in London. The robot then draws out your portrait in a patch of sand, which you can watch live on YouTube and visitors can watch in person at the museum. It’s just about as crazy as it sounds, and twice as cool.
Once you've taken your picture, it's transformed into a line drawing a robot can understand using HTML5 canvas.
The Beta channel has been updated to 21.0.1180.60 for Windows and Chrome Frame
This build should fix most of the choppy and distorted audio issues (Issue: 136624). If you've seen these issues with the Beta, please leave us an update on the bug.
If you find new issues, please let us know by filing a bug at http://code.google.com/p/chromium/issues/entry
The Dev channel has been updated to 22.0.1221.0 for Windows and Mac (Update: also 22.0.1221.1 for Linux). This update has an updated version of V8 (22.214.171.124) along with other improvements. A complete log of what changed can be found in the svn revision log. Instructions and download links for our different release channels are available on the Chromium wiki. If you find what you think is a new bug, please file it in our issue tracker.
This is quite some way from being usable, so don’t get too excited, but I wanted to share where I’m up to with porting Chromium OS to the Raspberry Pi. Here’s a shot of a Pi running Chromium OS sat at the login screen:
A little under two weeks ago, I began offering Chromium binaries that run on the Pi. Using these same patches, plus the Raspberry Pi overlay that made it into the Chromium OS source tree some weeks ago, I’ve built an image that will run on the Raspberry Pi. By run, I mean you can boot up and browse pages. Browse them really, really slowly. This is because there’s no graphical acceleration; once we have that in place I expect this to run reasonably well.
I’m chipping away at adding in the required code to have the UI GPU accelerated, but it’s really not an area I know much about and so progress is slow. If you’re interested in getting this running, I may possibly set up some kind of bounty to get the code written, get in touch with me for more details (contact details are linked at the top of this page, @Hexxeh is usually best). My current plan is to remove X from the stack completely and run Chromium directly. However, this means making Chromium dispman aware, which is easier said than done.
Given the state that this is in, I’m not going to be providing an image, since it’s really so slow it’s not of use to anyone. The code is all publicly available, though, so somebody else could. Hopefully somebody will actually improve the state of things rather than releasing this raw version.
Google launched Android 4.1 on the Asus-developed (but Google branded) Nexus 7 in part to reassure OEMs that they will be treated equally in the aftermath of its Motorola Mobility purchase. Maybe Google really did spend $12 plus billion for the Motorola patents, but users are still awaiting the more full-featured iPad2 killer from Google. Will it be Jelly Bean on Motorola's Xoom?
The Beta channel has been updated to 21.0.1180.57 for Windows, Mac, Linux and ChromeFrame platforms
Highlights of these changes are:
Google Chrome offers its users several options when it comes to clearing the browsing data. One of the quickest ways is to use the Ctrl-Shift-Del shortcut to bring up the clear browsing data menu where you can select the data types that you want to delete (Firefox users: the same shortcut opens that browser’s delete browsing data menu as well).
Besides selecting what you want to delete, you can also select the point in time from which you want the items to be cleared. If you prefer to use the mouse, you can click on the wrench icon, and then on Tools > Clear Browsing Data to open the same menu this way.
It is rather interesting that Chrome does not ship with options to automatically clear all browsing data on exit. While it is possible to delete all cookies and site-data, it currently does not seem possible to delete all data on exit.
You need to use browser extensions or third party programs like CCleaner to automatically delete Google Chrome browsing data. One of the extensions that you can use for that purpose is Click&Clean which offers a rich functionality.
Here is the list of data that it can clean automatically when the browser window is closed:
- Browsing history
- Download history
- Browser cache
- Local Storage
- SQL databases
- Indexed databases
- File system
- Application cache
- Web applications data
- Reset search engines
- Reset zoom levels
- Saved form data
- Saved passwords
- Extensions cookies
- Extensions Local Storage
- Extensions SQL databases
- Extensions indexed databases
- Extensions file system
- Google Gears data
- Reset Chrome Local State
Plus the following that are not Chrome specific:
- Recycle Bin
- Temporary files
- Recently opened files
- Flash Local Shared Objects (LSO)
- Silverlight Cookies
- Java Cache
You can furthermore select to delete the data using secure overwrites to protect the data against file recovery attempts, configure Click&Clean to run an external application like CCleaner or Eraser, and whitelist cookies and site data to block the data from being deleted with the rest of the data.
It is not really clear why Google is not integrating an option to delete all browsing data on exit in the Chrome browser.
The Click&Clean extension for the browser more than makes up for it though, and it is recommended to anyone who wants that feature to be available in the browser.
The Beta channel has been updated to 21.0.1180.55 for Windows, Mac, Linux and ChromeFrame platforms
The Beta channel has been updated to 22.0.1215.0 (Platform versions: 2650.0.0) for Chromebooks (Acer AC700, Samsung Series 5, and Cr-48). This release contains functional and stability improvements.
Highlights of these changes are:
- UI improvements on start and lock screens
- 32909 - Purchasing additional data for a Verizon 3G account is currently not functioning. Workaround: Contact Verizon to purchase additional data.
- 32766 - Cr-48 machines will go through the out of box sign-up experience after this update, however all data and settings on the machine will be preserved.
- 32906 - Cr-48 machines fail to save new users where the new user is created and the system is not restarted prior to the next autoupdate. Workaround: After creating a new user, reboot the system and check that the user still exists.
- 32922 - Connected hidden network is unavailable immediately after resume. Workaround: Wait several seconds for the network to become available.
- 32923 - OpenVPN with no-OTP does not allow login with a correct username/password.
- 138967 - Photo editor will not complete edit actions.
Chrome: DeadMouse is a Chrome extension that allows you to surf the web with only your keyboard. The idea is simple: if you want to click a link, just start typing it. DeadMouse will show you that you've selected it by making it wiggle on the page. All you have to do is press enter to choose it, tab to select the next option, or delete to cancel your selection.
Chrome: It's not too cumbersome to delete your browser history in Chrome (Ctrl-Shift-Del on Windows or ⌘-Shift-Delete on Mac), but it takes a few seconds to check and uncheck boxes to suit your needs. Clear is a Chrome extension that adds an option to the right-click menu to do it instantly.
Chrome and Google TV: I recently discovered that Google TV is actually pretty great, and ever since I've been hearing about cool stuff people are doing with the platform. One such example is Chromemote, a Chrome extension that can control your Google TV.
Putting aside the issue of Apple not allowing other browsers to bring their own engines to the table in iOS, there's more to a great browser than just its engine, and there are plenty of great browsers for the iPhone and iPad. Deciding which one is the best for you is a matter of taste, but we asked you last week which ones you thought were the best. Then we tallied your nominations and took a look at the top five iOS web browsers and put them to a vote. Now we're back to highlight the winner.