Chrome 15 goes stable, brings updated New Tab page to the masses

http://www.tcmagazine.com/tcm/news/...oes-stable-brings-updated-new-tab-page-masses

 

Awaiting for portable release.

 

Nothing earth shattering at first glance but new security fixes are always welcome.

tnx for the heads-up m8!

 

Ditto!

 

Yeah, thanks Hungry.

Aghhhh what's happened to the startpage? .... we fear change ...

It's OK really.

 

Cool, I was waiting on this. Thanks for the update.

 

For those interested Chromium has also hit 17.

The most notable change I can see is that HTTP Pipelining support is being implemented.

 

don't much care about security fix since i run it under SB anyway

 

One of them addresses BEAST.

 

Nice. For those not familiar with BEAST, Steve Gibson explains it thoroughly here.

 

Actually the update for BEAST was from a Mozilla update to a shared library. Funnily enough it introduced a remote code execution exploit into Chrome.

http://www.scmagazineus.com/bug-may-enable-remote-code-execution-in-chrome/article/215216/

It's considered a bug and it was already known about. And it is ridiculously hard to implement on the attackers side. I just found it funny.

 

*insert conspiracy theory about Google forcing its search to be used here*

In all seriousness, the scenario that would allow an attack, while it seems to involve a lot..really doesn't involve much at all, minus the attacker controlled location perhaps. All in all, low yes, but also not "crazy unlikely", and therefore, IMHO of course, Google should be a little less nonchalant about it.

 

It's pretty crazy unlikely.

1) The user would have to set the default search engine to something other than Google (which is the default upon installing.)

2) The attacker has to be on your network or have control over something on your network

3) The attack has to trick you into downloading a file


So you have to be already compromised network-wise, download a file, and have changed your browser settings (something maybe 1/10 users does if even.)

 

Oh and if the user has visited an HTTPS site any time that session before the attack it will fail as well.

 

If you think about your typical wired connection, then perhaps. Throw your typically insecure wireless connection into the mix, and you might have some trouble. Besides, let's take some guesses as to how many systems out there have a rootkit/botnet hiding on them. We know that's a pretty high number, so there is your compromised network (along with the possibility of someone hooking into your wireless network). So, the compromised network isn't "crazy unlikely". We also have the search engine, okay, sure, not that many people will bother switching, I get that.

However, it's a single click to change it, and there are a good number of Bing users (and other search engine users as well..think of the privacy folks here who tout IXQuick and others). So, a single click and already plenty of alternative search engine users..not so "crazy unlikely".

Not visiting an HTTPS website? Unless you are shopping, or on a government website, using secure search and limited other things, you aren't visiting an HTTPS website. Not "crazy unlikely".

Let's get to the part of tricking people into downloading something...actually, let's stop before we start, as there is no sense in even attempting to call that "crazy unlikely".

Do you see why I'm disagreeing a bit here? The most unlikely of these factors is the changing of the default search engine. That's not a scenario I'd be comfortable blowing off if I were Google, especially if it cracks the almighty sandbox that they rely heavily on to deem their browser "un-exploitable".

 

Oh Bollocks, the first thing I do when I download Chrome is to change the default to Duck Duck Go SSL.

 

The scenario really has to be fairly set up. I just don't feel it's very likely at all. Something like 20% people use Chrome. Maybe 5% of Chrome users change their default browser (I'm going by how many people install adblocking extensions) and of those 5% maybe another 1% are on compromised networks. Even if every single one of those unlucky few falls for the socially engineered malware those are some ridiculously low numbers.


I mean, it constitutes an issue for sure but as the Chromium dev says this isn't some "download this file and win 100 dollars" the user has to be compromised to begin with and they have to have changed the default browser settings.

 

Do you honestly believe other people do this? lol

It may seems obvious to you, as obvious as installing adblock, but to 95% of the population it never occurs to them.

In fact I'd bet that less people change their default search engine than install adblock.

 

Ermmm ... not in my case ... please tell me changing it to Duck Duck Go SSL wasn't a mistake.

Firefox is looking more secure than Chrome every second that passes these days ...

 

Not unless you already believe your network/computer to be compromised and plan on downloading specific malware for this bug.

Ironic... hilariously so considering that the bug was introduced by Mozilla's devs...

 

Does this officially qualify me as a browser nerd then? If it does, it is most excellent.

 

You're in the top 1% =p

 

I think I'll be OK.

*Adopts Charlton Heston voice* "Damn those Mozilla devs ... damn them all to hell ... "

It's back to Opera then!

 

Cool.

 

If you're worried about exploits Opera's the last one I'd go to.

I wouldn't blame the Mozilla devs, it's an open source project and Chromium team made the decision to use some of that code.

But to go to Firefox over this would be really funny considering it's their code that introduced the bug.