Google is out with its first major stable Chrome browser release of 2012. The Chrome 17 browser extends security for users by offering new malware scanning capabilities and patches for at least 20 security vulnerabilities.
Chrome 17 now scans browser downloads to search for malicious executable files. The executable scanning capability is an extension of Google’s Safe Browsing technology that first debuted in Mozilla Firefox 2.0 in 2006, several years before Chrome even existed. Safe Browsing initially helped to protect users against known bad websites and has improved over the years. With Chrome 17, Safe Browsing checks user-downloaded executable files against a Google list of known good publishers and files to help alert users to potential malware.
“If the executable doesn’t match a whitelist, Chrome checks with Google for more information, such as whether the website you’re accessing hosts a high number of malicious downloads,” Google software engineer Noe Lutz wrote in a blog post.
Google is also improving security in Chrome 17 by way of at least 20 security patches that fix a range of issues. In total Google is paying security researchers $10,500 in security awards for the reported discoveries. Google pays security researchers for their discoveries as part of the Chromium Awards Program.
Only one of the flaws in the Chrome 17 release is rated as “critical” by Google. The critical flaw is a race condition after a crash of a utility process. A race condition is a type of software defect where shared data is accessed by multiple concurrent threads without proper data access protection. Race condition flaws can lead to arbitrary code execution as well as data corruption and crashes.
Seven of the flaws fixed in the Chrome 17 stable release are rated as high priority by Google, with so-called “use-after-free” errors accounting for five of those flaws. Use-after-free vulnerabilities occur when a function or process does not properly relinquish a memory block after use, which can potentially enable an attacker to use the same memory block to launch an attack. The high-severity use-after-free errors fixed in Chrome 17 are in stylesheet error handling, CSS handling, SVG layout, PDF garbage collection, and mousemove events.
Even with all the flaws that were fixed in the stable release, Google noted that additional security flaws were fixed during the development process for Chrome 17. Google did not provide details on the fixed flaws other than to note the fact that they paid out security awards to researchers, including a reward of $3133.70 to security researcher Aki Helin of OUSPG (Oulu University Secure Programming Group).
Next Security Steps for Chrome
Looking ahead to future releases of Chrome, Google researcher Adam Langley has noted that SSL security will be enhanced. In a blog post, Langley explained that Google plans to remove OCSP (the Online Certificate Status Protocol). OCSP is a method by which a browser can check whether an SSL certificate is valid. The OCSP approach is faulty, according to Langley, and he noted that all the major browsers, including Microsoft IE, Mozilla Firefox, and Opera, today send a software update instead of using OCSP to deal with bad SSL certificates.
“While the benefits of online revocation checking are hard to find, the costs are clear: online revocation checks are slow and compromise privacy,” Langley wrote.