The Chromium Vulnerability Rewards Program was created to help reward the contributions of security researchers who invest their time and effort in helping us make Chromium more secure. We’ve been very pleased with the response: Google’s various vulnerability reward programs have kept our users protected and netted more than $1 million in total rewards for security researchers. Recently, we’ve seen a significant drop-off in externally reported Chromium security issues. This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger.
Therefore, we’re making the following changes to the reward structure:
- Adding a bonus of $1,000 or more on top of the base reward for bugs in stable areas of the code base—see below for an example. By “stable”, we mean that the defect rate appears to be low and we think it’s harder to find a security bug in the area.
- Adding a bonus of $1,000 or more on top of the base reward for serious bugs which impact a significantly wider range of products than just Chromium, for example certain open source parsing libraries (see below for an example).
The rewards panel has always reserved the right to reward at our discretion. At times, rewards have reached the $10,000 level for particularly significant contributions. An extraordinary contribution could be a sustained level of bug finding, or even one individual impressive report. Examples of individual items that might impress the panel include:
- Nvidia / ATI / Intel GPU driver vulnerabilities. High or critical severity vulnerabilities in the respective Windows drivers, demonstrated and triggered from a web page. Submissions on Chrome OS would also be interesting. Chrome OS typically runs on a device with an Intel GPU.
- Local privilege escalation exploits in Chrome OS via the Linux kernel. Chrome OS has a stripped-down kernel, so a working exploit against it would certainly be worth examining. We reserve the right to reward more generously if the exploit works inside our “setuid sandbox” and / or our fast-evolving “seccomp BPF sandbox”.
- Serious vulnerabilities in IJG libjpeg. For well over a decade, there hasn’t been a serious vulnerability against IJG libjpeg. Can one be found?
- 64-bit exploits. Any working code execution exploit on a 64-bit Chrome release. Sandbox escape not required.
- Renderer to browser exploit. Any working browser code execution exploit, starting from the assumed precondition of full code execution inside a normal web renderer or PPAPI process.
Aside from the new bonuses, it’s worth recapping some details of the existing reward structure that aren’t as widely known:
- Our reward program covers vulnerabilities in Adobe Flash as well as other well-known software such as the Linux kernel, various open-source libraries and daemons, X windows, etc.
- Our base reward is $2,000 for well-reported UXSS bugs, covering both the Chromium browser and also Adobe Flash. (With the new reward bonus for exploitability, UXSS rewards will likely become $4,000.)
- Our reward program already includes a bonus of $500 to $1,000 when the reporter becomes a more involved Chromium community member and provides a peer-reviewed patch.
- We have always considered rewards for regressions affecting our Beta or Dev channel releases. It’s a big success to fix security regressions before they ship to the Stable channel.
To illustrate how the new reward bonuses will work, we’re retroactively applying the bonuses to some older, memorable bugs:
- $1,000 to Atte Kettunen of OUSPG for bug 104529 (new total: $2,000). We believe that our PDF component is one of the more secure (C++) implementations of PDF, hence the $1,000 top-up.
- $3,000 to Jüri Aedla for bug 107128 (new total: $4,000). There is a $1,000 bonus because this bug affects many projects via core libxml parsing, and we added a $2,000 bonus for exploitability: this is a heap-based buffer overflow involving user-controlled data with a user-controlled length.
We’re more excited than ever to work with the community and reward their efforts.
This man is safe, for now…
Chrome: Google Chrome has a built-in speech recognition system, but you can only use it in certain places. Dictation is a webapp that uses Chrome's speech recognition engine, but allows you to dictate much larger chunks of text right inside a simple webapp.
Windows and Linux only. Thanks to a sharp focus, Google Chrome engineers are able to work on just a few, rather than a dozen, features at the same time, delivering a stable rather than clunky web experience. Now, according to the recent blog post, the latest final build of the Google Chrome 21 web browser improves something [...]
Just over a month ago, at Google I/O, we announced significant changes to Chrome’s packaged application platform. These changes are intended to allow apps to break out of the browser, work offline by default, and enable richer, more immersive experiences.
With the latest version of Chrome in the developer channel, you can build, load, debug and test your apps without command-line flags, although you may need to enable experimental APIs in some cases. Because we’re still in developer preview mode, the Chrome Web Store doesn’t yet accept uploads of these new packaged apps. We’ll enable web store support later this year, and when we flip that switch, users will be able to discover and download your apps directly from the store.
In order to get started building apps, visit our developer documentation at developer.chrome.com/apps and check out our growing list of sample applications on Github (thanks for the pull requests; keep them coming). If you’d like to reach us while you’re building apps, you can join us on the #chromium-apps Freenode IRC channel, join the chromium-apps group or report an issue.
We’re also starting a regular weekly hangout every Tuesday at 9:30am (Pacific Time). Our first one will take place on Tuesday, August 14th. You can add a reminder to your calendar and then tune in at Google Developers Live. And be sure to add +Google Chrome Developers to your circles to keep up on the latest from the Chrome team.
July, 2012 Desktop Market Share: Firefox, Safari - Up; Internet Explorer, Google Chrome, Opera - Down
Another month, another market share report and this time it’s for the desktop web browsers. With the upcoming release of IE10, Internet Explorer continues to lose its market share, down from 54.02% to 53.93% (0.09 point decrease). After a streak of market share losses, it looks like Firefox has recovered and has since increased its [...]
A little more than two years ago, engineers on the Chrome team began a very ambitious project. In coordination with Adobe, we started porting Flash from the aging NPAPI architecture to our sandboxed PPAPI platform. With last week’s Chrome Stable release, we were finally able to ship PPAPI Flash to all Windows Chrome users, so they can now experience dramatically improved security and stability as well as improved performance down the line.
To appreciate just what a big step forward this is, it helps to understand a bit more about the history and architecture of NPAPI plug-ins. At its core, NPAPI is a thin layer of glue between the web browser and a native application. In the early days of the Web this provided a tremendous advantage, because it allowed third-party plug-ins to evolve rapidly and implement new capabilities, moving the whole web forward.
Unfortunately, as the web evolved, the past benefits of NPAPI became liabilities. The thinness allowed legacy browser and OS behavior to bleed through and crystallize to the point that it hamstrung future improvements. As browsers add compelling features like sandboxing, GPU acceleration, and a multi-process architecture, the legacy of NPAPI severely impedes or outright prevents us from extending those improvements to any pages with plug-in content.
By porting Flash to PPAPI we’ve been able to achieve what was previously impossible with NPAPI for the 99.9% of Chrome users that rely on Flash. Windows Flash is now inside a sandbox that’s as strong as Chrome’s native sandbox, and dramatically more robust than anything else available. And for the first time ever, Windows XP users (specifically, over 100 million Chrome users) have a sandboxed Flash—which is critical given the absence of OS support for security features like ASLR and integrity levels.
Beyond the security benefits, PPAPI has allowed us to move plug-ins forward in numerous other ways. By eliminating the complexity and legacy code associated with NPAPI, we’ve reduced Flash crashes by about 20%. We can also composite Flash content on the GPU, allowing faster rendering and smooth scrolling (with more improvements to come). And because PPAPI doesn’t let the OS bleed through, it’s the only way to use all Flash features on any site in Windows 8 Metro mode.
Moving forward, we’re finishing off the PPAPI Flash port for Mac OS X and hope to ship it soon. And Linux users have already been benefiting from PPAPI Flash since Chrome 20, along with Chrome OS users who have been running it for almost a year. Soon all Chrome users will have access to the improved security, stability, and performance of PPAPI Flash.
One of the great things about the web is that you can hop from page to page watching videos, playing games, or checking email without installing additional software that may pose a security risk to your computer. On the Chrome team, we’ve made it our mission to build a browser that helps protect you every step of the way, defending against pages that try to install malware or steal information without your knowledge.
Some of the most important things keeping you safe in Chrome are Safe Browsing, auto-updates, and sandboxing. Our goal is to improve each of these features, staying ahead of the bad guys to help keep you safe online.
With last week’s Chrome Stable update, we took a major step forward in security by bringing an even deeper level of sandbox protection to Adobe Flash Player on Windows. Since 2010, we’ve been working with Adobe to sandbox the Flash Player plug-in to protect users against common malware. Now, thanks to a new plug-in architecture, Flash on Windows is inside a sandbox that’s as strong as Chrome’s native sandbox, and dramatically more robust than anything else available. And for the first time ever, Windows XP users have a sandboxed Flash, making them much safer online.
Chrome OS has had this deeper Flash sandboxing from the beginning, Linux has had it since Chrome’s last stable release, and Mac support is on the way. Ultimately, this means a safer experience for you as you browse the web. We take the security of Chrome extremely seriously, so we’re excited to be delivering these enhanced protections, and we’ve enjoyed collaborating with Adobe on this effort.
Last year, we posted on the Google Online Security Blog about our desire to end mixed scripting vulnerabilities. A “mixed scripting” vulnerability affects HTTPS websites that are improperly implemented; these vulnerabilities are serious because they eliminate most of the security protections afforded by HTTPS. All web browsers have historically taken it upon themselves to try and work around these bugs by informing or protecting users in some way.
With the recent release of Chrome 21, we’ve taken several steps forward:
- We continue to protect end users by blocking mixed scripting conditions by default, but we now do it in a way that is less intrusive. This change minimizes “security dialog fatigue” and reduces the likelihood that users will expose themselves to risk by clicking through the warning.
- We’ve improved resistance to so-called “clickjacking” attacks. Electing to run any mixed script is now a two-click process.
- We now silently block mixed scripting conditions for websites that opt in to the HSTS security standard. This is the strongest default protection available.
If you visit a non-HSTS web site with a mixed scripting condition, a new shield icon in the omnibox (to the right, next to the star) indicates that Chrome’s protection has kicked in.
You can click on the shield to see the option to run the mixed script, but we don’t recommend it. Instead, if you see the shield icon, we recommend contacting the website owners to make sure they know they may have a security vulnerability.
It has been an interesting journey to get to this point. For about a year, we blocked mixed scripting by default on Chrome’s Dev and Beta channel releases. Rolling out the block to Stable was more challenging because of widespread mixed scripting across the web. To move forward, we turned blocking on for certain web sites, starting with google.com. Later, we reached out to and then collaborated with twitter.com and facebook.com to opt them into blocking, too. All these websites hold themselves to a high standard of security, so this approach worked well. We later took the additional step of opting in sites to mixed script blocking for any site using the HSTS standard.
We bit the bullet and let full mixed script blocking for all sites hit Stable back in Chrome 19. Predictably, we uncovered a range of buggy web sites, and some users were confused about the “infobar” warning displayed by the older versions of Chrome.
Fortunately—and no doubt driven by the high visibility of this warning—some prominently affected websites were able to deploy quick fixes to resolve their mixed scripting vulnerabilities. This work aligns with one of our Core Security Principles: Make the web safer for everyone. Unfortunately, the warning confused some users, which conflicts with another principle: Don’t get in the way. (We’re sorry for any temporary disruption.)
With Chrome 21, we believe we’ve achieved a good balance between top-flight protection for end users, a pleasant UI experience, and notifications that help buggy websites improve their security.
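For site owners who want to find the mixed scripting conditions described above before users see the shield, here is an added example (not code from the Chrome team or from the original post). It assumes that "mixed scripting" means scripts, stylesheets and plug-in content loaded over HTTP by an HTTPS page; the function names, the sample page and the `shop.example` hosts are constructed for illustration, and `chrome21_handling` only models the behaviour the post describes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: subresources counted as "mixed scripting" here are scripts,
# stylesheets and plug-in content; images are passive and are ignored.
ACTIVE_ATTR = {"script": "src", "embed": "src", "object": "data", "link": "href"}


class _ActiveLoadCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base, self.base_seen, self.findings = page_url, False, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "base" and a.get("href") and not self.base_seen:
            # The first <base href> re-anchors every relative URL that follows.
            self.base, self.base_seen = urljoin(self.base, a["href"]), True
            return
        attr = ACTIVE_ATTR.get(tag)
        if not attr or not a.get(attr):
            return
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return
        resolved = urljoin(self.base, a[attr])  # "//host/x" inherits https
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved))


def find_mixed_scripting(page_url, html):
    """Return (tag, url) for each active subresource an HTTPS page loads over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed scripting only exists on HTTPS pages
    collector = _ActiveLoadCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.findings


def hsts_enabled(headers):
    """True if the response carries Strict-Transport-Security with max-age > 0."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            val = val.strip().strip('"')
            if key.strip().lower() == "max-age" and val.isdigit():
                return int(val) > 0  # max-age=0 switches HSTS off
    return False


def chrome21_handling(page_url, html, headers):
    """Model of the behaviour described in the post, not Chrome's own logic."""
    if not find_mixed_scripting(page_url, html):
        return "no mixed scripting"
    if hsts_enabled(headers):
        return "blocked silently (HSTS site)"
    return "blocked by default, shield icon shown"


# Constructed sample page, not taken from a real site.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="http://static.shop.example/site.css">
<script src="//cdn.shop.example/lib.js"></script>
<script src="/js/cart.js"></script>
</head><body><img src="http://img.shop.example/logo.png">
<script src="http://ads.example/track.js"></script>
<embed src="http://media.shop.example/player.swf"></body></html>"""
```

The fix for each finding is to serve that resource over HTTPS; the protocol-relative and root-relative scripts in the sample are not flagged because they inherit the page's scheme.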
Well, here is something to cheer you up: a new Google Chrome build. As we reported earlier, the following release includes a couple of new features, such as:
- Support for the getUserMedia API, which allows web sites to access your mic and camera
- High-resolution screens
Verizon is now allowing third-party tethering apps, Facebook is enforcing the switch to Timeline for all users in the fall, Google Chrome update
Chrome now includes the getUserMedia API, which lets you grant web apps access to your camera and microphone without a plug-in. The getUserMedia API is the first step in WebRTC, a new real-time communications standard which aims to allow high-quality video and audio communication on the web.
The getUserMedia API also allows web apps to create awesome new experiences like Webcam Toy and Magic Xylophone. In Chrome Web Lab, if you're on the latest version of Chrome, the Sketchbots experiment uses getUserMedia to let you take a picture of your face, which is then converted to a line drawing and sent to a robot in the Science Museum in London. The robot then draws out your portrait in a patch of sand, which you can watch live on YouTube and visitors can watch in person at the museum. It’s just about as crazy as it sounds, and twice as cool.
Once you've taken your picture, it's transformed into a line drawing a robot can understand using HTML5 canvas.
Google Chrome offers its users several options when it comes to clearing the browsing data. One of the quickest ways is to use the Ctrl-Shift-Del shortcut to bring up the clear browsing data menu where you can select the data types that you want to delete (Firefox users: the same shortcut opens the browser’s delete browsing data menu as well).
Besides selecting what you want to delete, you can also select the point in time from which you want the items to be cleared. If you prefer to use the mouse, you can click on the wrench icon, and then on Tools > Clear Browsing Data to open the same menu this way.
It is rather interesting that Chrome does not ship with options to automatically clear all browsing data on exit. While it is possible to delete all cookies and site-data, it currently does not seem possible to delete all data on exit.
You need to use browser extensions or third party programs like CCleaner to automatically delete Google Chrome browsing data. One of the extensions that you can use for that purpose is Click&Clean which offers a rich functionality.
Here is the list of data that it can clean automatically when the browser window is closed:
- Browsing history
- Download history
- Browser cache
- Local Storage
- SQL databases
- Indexed databases
- File system
- Application cache
- Web applications data
- Reset search engines
- Reset zoom levels
- Saved form data
- Saved passwords
- Extensions cookies
- Extensions Local Storage
- Extensions SQL databases
- Extensions indexed databases
- Extensions file system
- Google Gears data
- Reset Chrome Local State
Plus the following that are not Chrome specific:
- Recycle Bin
- Temporary files
- Recently opened files
- Flash Local Shared Objects (LSO)
- Silverlight Cookies
- Java Cache
You can furthermore select to delete the data using secure overwrites to protect the data against file recovery attempts, configure Click&Clean to run an external application like CCleaner or Eraser, and whitelist cookies and site data to block the data from being deleted with the rest of the data.
It is not really clear why Google is not integrating an option to delete all browsing data on exit in the Chrome browser.
The Click&Clean extension for the browser more than makes up for it though, and it is recommended to anyone who wants that feature to be available in the browser.
Chrome: DeadMouse is a Chrome extension that allows you to surf the web with only your keyboard. The idea is simple: if you want to click a link, just start typing it. DeadMouse will show you that you've selected it by making it wiggle on the page. All you have to do is press enter to choose it, tab to select the next option, or delete to cancel your selection.
Chrome: It's not too cumbersome to delete your browser history in Chrome (Ctrl-Shift-Del on Windows or ⌘-Shift-Delete on Mac), but it takes a few seconds to check and uncheck boxes to suit your needs. Clear is a Chrome extension that adds an option to the right-click menu to do it instantly.
Chrome and Google TV: I recently discovered that Google TV is actually pretty great, and ever since I've been hearing about cool stuff people are doing with the platform. One such example is Chromemote, a Chrome extension that can control your Google TV.
Putting aside the issue of Apple not allowing other browsers to bring their own engines to the table in iOS, there's more to a great browser than just its engine, and there are plenty of great browsers for the iPhone and iPad. Deciding which one is the best for you is a matter of taste, but we asked you last week which ones you thought were the best. Then we tallied your nominations and took a look at the top five iOS web browsers and put them to a vote. Now we're back to highlight the winner.
Includes some new goodies. Chrome’s developer channel pushed “Packaged Apps” to the v22 builds recently, which allows applications to be launched separately from Chrome (using their own window). Moreover, Packaged Apps have quite a few capabilities as they can interact with network and hardware devices, as well as media apps.
There is not a lot that you can do when Google Chrome starts to slow down after you have used the web browser for a certain period of time. While you could try and delete the browser cache and make some modifications to the browser’s advanced preferences and experimental features, it is usually something that goes deeper than that.
IronCleaner is an Open Source program for the Windows operating system that you can run to clean and speed up Google Chrome, Chromium or SRWare Iron.
All it takes is to download the latest version of the program from its Sourceforge project website and run it from your local system afterwards.
You will notice that it asks you to pick your browser’s directory from the local system which may pose a problem to users who do not really know where it is located. As far as Windows 7 goes, it is located in C:\Users\Martin\AppData\Local\Google\Chrome by default if installed. The program supports portable versions as well.
Once you have selected the browser’s program directory, you should click on the options button to make sure the correct browser version is selected. Here you can also add data that you want to clean up to the process. You can clean up the following information and settings:
- Reset the language
- Settings and extensions
It is not necessary to select those though. When you click on the start button you notice that a different set of locations and information are cleaned by the program:
- Cache Folder
- Media Cache Folder
- Temp Folder
- Certificate Revocation List
- Extension Cookies
- Transportation Security
- Quota Manager
- Web Data
Clean-up should not take longer than a couple of minutes tops, and you should make sure that the browser is closed down before you run it on your system.
Please note that the program does not provide you with the means to select the locations and data that should be cleaned. It is either an all or nothing approach which may make the program unusable for users who would prefer to keep some of the data on the system. Programs like CCleaner do also take care of several of the folders that IronCleaner takes care of.
IronCleaner is a free program that is compatible with all recent 32-bit and 64-bit editions of the Microsoft Windows operating system. It requires the Microsoft .Net Framework 4.0 on the system.
Will it really speed up the browser again? That depends largely on the issues that you are experiencing when using the browser. I would not get my hopes up too high that it will do wonders to the performance of the browser. Then again, if you have accumulated lots of data and not cleaned it previously, you may notice an increase in speed after all.