A Mini-Newsletter From Your Google Chrome Security Team
Tuesday, March 08, 2011
We’re always working hard to enhance the Chrome browser with bug fixes, new defenses and new features. The release of Chrome 10 is no different, and there are some items worth highlighting:
Chrome 10: Flash sandboxing
With Chrome 10, our first cut of the previously announced Flash sandboxing initiative is now enabled by default for the Windows platform on Vista and newer. Additionally, because we automatically update Flash to the latest and most secure version, this should provide useful defense in depth.
Chrome 10: Out-of-date plug-in warnings
As we previously mentioned, we believe that some of the most significant opportunities to increase user security revolve around plug-ins. We’ve made a number of improvements in this area, including actively encouraging users to update their plug-ins to the most secure version. Chrome now detects when a plug-in is out of date and blocks it with a simple infobar. This infobar helps guide the user towards updating their plug-in with the latest security fixes.
Chrome 10: Plug-in blocking enhancements
Some of our more advanced users prefer fine-grained control over which plug-ins they wish to run -- which can have security and privacy benefits. Chrome has long had a feature which blocks plug-ins by default (Wrench menu -> Preferences -> Under the hood -> Content Settings -> Plug-ins). We’ve improved this feature by adding a context menu to the blocked plug-in placeholder. This menu lets users control which plug-ins do and do not run. Using a context menu helps prevent clickjacking attacks that try to bypass the block. Plug-in placeholders can also be hidden (for example, if they are floating over and obscuring real content), and the actual plug-in that wishes to run is made apparent.
Chromium Security Rewards program still going strong
We mentioned in passing in the 9.0.597.107 release notes that our rewards program has passed $100,000 of rewards. We’d like to reiterate our thanks to all the named researchers in our Hall of Fame. We’re continually delighted with the stream of interesting and clever bugs that we receive, so it will be exciting to see what the rest of 2011 brings. Remember, we love giving out money!
Still hiring!
We are always looking to expand the Google Chrome Security Team, and we’re looking for a wide range of talents. We can promise exciting and varied work, working to protect hundreds of millions of users and working alongside the best in the industry. Why not have a look at our job posting?



11 comments:
pkasting said...
One other note for those who like plugin blocking: remember that if you enable "Click to play" in about:flags, you will have a "Click to play" choice in the plugin options between "Run automatically" and "Block all", which, while less secure than "Block all", provides an effective annoyance-reducer with a little more convenience.
March 8, 2011 8:18 PM
panzi said...
While this is all nice, since the update Chrome crashes frequently for me! I can reproduce it by opening 2 YouTube videos in 2 tabs. Unblocking the first, switching to the other tab and unblocking the second. At this point the first YouTube video is frozen (audio still works). When I now close the second tab Chrome freezes completely (though closing it still works, but nothing else). I use Fedora 14 x86_64 with the newest 64bit Linux Flash Plugin (from November) which I manipulated using a script so it uses memmove instead of memcpy in order to fix another bug.
This is most annoying because that's the way I use YouTube: Watch one video and start preloading the next when the current one is loaded 100%. It's hard to get rid of this habit, so I can restart Chrome for each and every video I watch. :(
March 10, 2011 5:14 AM
s.gopal said...
Why is Flash sandboxing left out for XP? Will this come in the future?
March 10, 2011 5:41 AM
gnu-andrew said...
How are you determining if a plugin is outdated or not? I notice that the screenshot shows our IcedTea plugin being checked and would like to know how it's determining whether or not there is a new release.
March 10, 2011 7:23 AM
Jaime said...
I seem to be having a lot of problems with flash games and videos after installing Chrome 10. For instance, Facebook games and Wimp.com videos are not loading correctly. Any thoughts?
March 10, 2011 11:17 AM
Robert said...
Running Windows 7 64 bit. Love chrome, no problems for last couple of years, but since the update the other day, I have spent hours trying to get Chrome working. Deleted everything 4 to five times etc. but still no luck. Guess I will have to unfortunately revert to IE.
March 10, 2011 2:44 PM
dinesh said...
Fantastic post you have here. It is very substantial and informative! Great one.
baby gifts
March 10, 2011 11:12 PM
idiot crow said...
I just recently finished a Tetris game ... it worked in CHROME and SAFARI.
Just today it no longer works in CHROME .... why?
www.goofing-around.com
March 11, 2011 5:28 AM
dinesh said...
new penny bid auctions online
Believe that it’s a very nice & informative you post
Thank you.
March 11, 2011 9:53 PM
harry said...
I keep getting "Shockwave plugin has crashed". What can I do to rectify this?
Steve
March 12, 2011 7:41 AM
Kryostorm said...
I too have been getting repeated Shockwave and Flash crashes since the last update (on Vista 32-bit). I used the Flash uninstaller from the Adobe site and no more crashes since.
March 12, 2011 9:11 AM