In addition to all new Chrome 12 Stable new features (see Chrome 12 blogpost), there are several great Chrome OS improvements including:

• New localization
• Flash 10.2.158.27
• Power Management optimization
• Audio fixes

Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

• [$1000] [77493] Medium CVE-2011-2345: Out-of-bounds read in NPAPI string handling. Credit to Philippe Arteau.
• [$1000] [84355] High CVE-2011-2346: Use-after-free in SVG font handling. Credit to miaubiz.
• [$1000] [85003] High CVE-2011-2347: Memory corruption in CSS parsing. Credit to miaubiz.
• [$500] [85102] High CVE-2011-2350: Lifetime and re-entrancy issues in the HTML parser. Credit to miaubiz.
• [$500] [85177] High CVE-2011-2348: Bad bounds check in v8. Credit to Aki Helin of OUSPG.
• [$1000] [85211] High CVE-2011-2351: Use-after-free with SVG use element. Credit to miaubiz.
• [$1000] [85418] High CVE-2011-2349: Use-after-free in text selection. Credit to miaubiz.

 

The Google Chrome team is happy to announce the release of Chrome 12 to the Stable Channel for all platforms.  Chrome 12.0.742.91 includes a number of new features and updates, including:

• Hardware accelerated 3D CSS
• New Safe Browsing protection against downloading malicious files
• Ability to delete Flash cookies from inside Chrome
• Launch Apps by name from the Omnibox
• Integrated Sync into new settings pages
• Improved screen reader support
• New warning when hitting Command-Q on Mac
• Removal of Google Gears

Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

• [$2000] [73962] [79746] High CVE-2011-1808: Use-after-free due to integer issues in float handling. Credit to miaubiz.
• [75496] Medium CVE-2011-1809: Use-after-free in accessibility support. Credit to Google Chrome Security Team (SkyLined).
• [75643] Low CVE-2011-1810: Visit history information leak in CSS. Credit to Jesse Mohrland of Microsoft and Microsoft Vulnerability Research (MSVR).
• [76034] Low CVE-2011-1811: Browser crash with lots of form submissions. Credit to “DimitrisV22”.
• [$1337] [77026] Medium CVE-2011-1812: Extensions permission bypass. Credit to kuzzcc.
• [78516] High CVE-2011-1813: Stale pointer in extension framework. Credit to Google Chrome Security Team (Inferno).
• [79362] Medium CVE-2011-1814: Read from uninitialized pointer. Credit to Eric Roman of the Chromium development community.
• [79862] Low CVE-2011-1815: Extension script injection into new tab page. Credit to kuzzcc.
• [80358] Medium CVE-2011-1816: Use-after-free in developer tools. Credit to kuzzcc.
• [$500] [81916] Medium CVE-2011-1817: Browser memory corruption in history deletion. Credit to Collin Payne.
• [$1000] [81949] High CVE-2011-1818: Use-after-free in image loader. Credit to miaubiz.
• [$1000] [83010] Medium CVE-2011-1819: Extension injection into chrome:// pages. Credit to Vladislavas Jarmalis, plus subsequent independent discovery by Sergey Glazunov.
• [$3133.7] [83275] High CVE-2011-2332: Same origin bypass in v8. Credit to Sergey Glazunov.
• [$1000] [83743] High CVE-2011-2342: Same origin bypass in DOM. Credit to Sergey Glazunov.

In addition, we would like to thank David Levin of the Chromium development community, miaubiz, Christian Holler and Martin Barbella for working with us in the development cycle and preventing bugs from ever reaching the stable channel. Various rewards were issued.


We’d also like to call particular attention to Sergey Glazunov’s $3133.7 reward. Although the linked bug is not of critical severity, it was accompanied by a beautiful chain of lesser severity bugs which demonstrated critical impact. It deserves a more detailed write-up at a later date.

You can find out more about Chrome 12 at the official Chrome Blog.  The full list of changes is available in the SVN revision logs (Trunk, Branch).  Interested in switching to the Stable channel?  Find out how.  If you find a new issue, please let us know by filing a bug.

 

Security fixes and rewards:

This version also contains Flash Player 10.3 which is an incremental release with improved stability, enhanced security and user privacy protection, and new capabilities for enterprises and developers. For more information, see the Adobe Flash Player release notes. 

 

The Beta and Stable channels have been updated to 11.0.696.65 for the Macintosh, Windows, Linux and Chrome Frame platforms

The following bugs were fixed:

• After deleting bookmarks on the Bookmark managers, the bookmark bar doesn't display properly with existing bookmarks. (Issue 80580).
• About Google Chrome window shows unknown channel for 11.0.696.57 (Issue 80683).
• Chrome/Mac seems to clobber focus when uploading attachments to Gmail with the flash-based uploader (Issue 77172).
• Also included is an updated version of Flash Player 10.2.

The Beta and Stable channels have been updated to 11.0.696.60 for the Windows platform

If you find new issues, please let us know by filing a bug.

Want to change to another Chrome release channel? Find out how.

 

Security fixes and rewards:

Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

We’re pleased to associate a record $16,500 of rewards with this patch.

• [61502] High CVE-2011-1303: Stale pointer in floating object handling. Credit to Scott Hess of the Chromium development community and Martin Barbella.
• [70538] Low CVE-2011-1304: Pop-up block bypass via plug-ins. Credit to Chamal De Silva.
• [Linux / Mac only] [70589] Medium CVE-2011-1305: Linked-list race in database handling. Credit to Kostya Serebryany of the Chromium development community.
• [$500] [71586] Medium CVE-2011-1434: Lack of thread safety in MIME handling. Credit to Aki Helin.
• [72523] Medium CVE-2011-1435: Bad extension with ‘tabs’ permission can capture local files. Credit to Cole Snodgrass.
• [Linux only] [72910] Low CVE-2011-1436: Possible browser crash due to bad interaction with X. Credit to miaubiz.
• [$1000] [73526] High CVE-2011-1437: Integer overflows in float rendering. Credit to miaubiz.
• [$1000] [74653] High CVE-2011-1438: Same origin policy violation with blobs. Credit to kuzzcc.
• [Linux only] [74763] High CVE-2011-1439: Prevent interference between renderer processes. Credit to Julien Tinnes of the Google Security Team.
• [$1000] [75186] High CVE-2011-1440: Use-after-free with tag and CSS. Credit to Jose A. Vazquez.
• [$500] [75347] High CVE-2011-1441: Bad cast with floating select lists. Credit to Michael Griffiths.
• [$1000] [75801] High CVE-2011-1442: Corrupt node trees with mutation events. Credit to Sergey Glazunov and wushi of team 509.
• [$1000] [76001] High CVE-2011-1443: Stale pointers in layering code. Credit to Martin Barbella.
• [$500] [Linux only] [76542] High CVE-2011-1444: Race condition in sandbox launcher. Credit to Dan Rosenberg.
• [76646] Medium CVE-2011-1445: Out-of-bounds read in SVG. Credit to wushi of team509.
• [$3000] [76666] [77507] [78031] High CVE-2011-1446: Possible URL bar spoofs with navigation errors and interrupted loads. Credit to kuzzcc.
• [$1000] [76966] High CVE-2011-1447: Stale pointer in drop-down list handling. Credit to miaubiz.
• [$1000] [77130] High CVE-2011-1448: Stale pointer in height calculations. Credit to wushi of team509.
• [$1000] [77346] High CVE-2011-1449: Use-after-free in WebSockets. Credit to Marek Majkowski.
• [77349] Low CVE-2011-1450: Dangling pointers in file dialogs. Credit to kuzzcc.
• [$2000] [77463] High CVE-2011-1451: Dangling pointers in DOM id map. Credit to Sergey Glazunov.
• [$500] [77786] Medium CVE-2011-1452: URL bar spoof with redirect and manual reload. Credit to Jordi Chancel.
• [$1500] [79199] High CVE-2011-1454: Use-after-free in DOM id handling. Credit to Sergey Glazunov.
• [79361] Medium CVE-2011-1455: Out-of-bounds read with multipart-encoded PDF. Credit to Eric Roman of the Chromium development community.
• [79364] High CVE-2011-1456: Stale pointers with PDF forms. Credit to Eric Roman of the Chromium development community.

We would also like to thank miaubiz, kuzzcc, Sławomir Błażek, Drew Yao and Braden Thomas of Apple Product Security and Christian Hollier for working with us during the development cycle and helping prevent bugs from ever reaching the stable channel.

 

Security fixes and rewards:
Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

The Chrome Stable and Beta channels have been updated to 10.0.648.151 for Windows, Mac, Linux and Chrome Frame.  This release blacklists a small number of HTTPS certificates.  If you find new issues, please let us know by filing a bug. Want to change to another Chrome release channel? Find out how.

 

Jason Kersey

Google Chrome