Google Adds Download Defense to Chrome, Patches 15 Bugs
Google on Tuesday updated Chrome to version 12, adding a new tool that warns users when they've downloaded files from dangerous Web sites.
The company also patched 15 bugs in the browser and paid out nearly $10,000 in bounties to outside researchers who reported vulnerabilities to its security team.
New to Chrome 12 is a feature that flags dodgy files pulled from the Web. Chrome now shows an alert when users download some file types from sites that are on the Safe Browsing API (application programming interface) blacklist, which Google maintains.
The messages reads: "This file is malicious. Are you sure you want to continue?"
If they wish, users can ignore the warning and save the file to their system's hard drive.
"This warning will be displayed for any download URL that matches the latest list of malicious websites published by the Safe Browsing API," said Google last April when it debuted the feature in an earlier edition of Chrome.
Safe Browsing already identifies suspicious or unsafe sites, then adds them to a blacklist. Chrome, Mozilla's Firefox and Apple's Safari all tap into Safe Browsing to warn users of risky sites before they actually visit them.
But by expanding its use of Safe Browsing to signal users of not just malicious sites, but also the downloads that come from them, Google is following in Microsoft's footsteps.
Internet Explorer 9 (IE9), which launched in mid-March, uses something Microsoft calls "SmartScreen Application Reputation" to rank the probability that a download is legitimate software. Files that don't appear legit trigger a warning if users try to run or save them after downloading.
The new tools within IE9 and Chrome have been applauded by security researchers because hackers don't always rely on exploits to plant malware on machines. They are often able to trick uses into doing their work for them.
Fake antivirus software, called "scareware," is a good example. Malicious sites make visitors believe their PCs are infected, and then pitch them worthless security software that can supposedly clean their computer.
Some Mac users got a first hand look at scareware last month when an experienced gang that had worked the Windows side of the street kicked off an aggressive campaign to also sell fake Mac antivirus software.
Other improvements in Chrome 12 include additional support for hardware-accelerated 3-D graphics in Windows Vista, Windows 7 and Mac's Snow Leopard.
It also supports Adobe Flash's new settings that let users decide if they want sites to track them with Flash cookies , also called "Local Stored Objects" (LOB).
Users can now delete Flash cookies when they clear other browser data by checking an option in Chrome's preferences panel. (The new setting is in the "Under the Hood" section of the panel; to clear LOBs, click the "Clear Browser Data" button beside the Privacy label, and check the "Delete cookies and other site and plug-in data" box.)
IE9 and Firefox already support the LOB-deletion changes to Flash 10.3, but Apple Safari users will have to wait until next month, when Safari 5.1 ships with Mac OS X 10.7, aka Lion.
Tuesday's update also fixed 15 vulnerabilities in Chrome. Six were rated "high," the second-most-severe ranking in Google's threat system; six were ranked "medium"; and three were tagged as "low."
None of the vulnerabilities was pegged as "critical," the category reserved for bugs that may let an attacker escape Chrome's anti-exploit sandbox. Google has patched several critical bugs this year, including two in April.
Four of the 15 vulnerabilities were identified as "use-after-free" bugs, a type of memory management flaw that can be exploited to inject attack code, while two others were labeled "same origin bypass" vulnerabilities. Those bugs could be used to steal sensitive information contained in legitimate sites open in the browser by tricking users into visiting malicious URLs at the same time.
As it always does, Google locked the Chrome bug-tracking database to prevent outsiders from reading up on the patched vulnerabilities. The company bars the public from the database to give users time to update, sometimes waiting months before removing the blocks.
For example, none of the descriptions for the 27 bugs Google patched in late April can yet be accessed by the public.
The company paid out $9,870 in bounties to five researchers who reported eight of the vulnerabilities, including $4,633 to frequent contributor Sergey Glazunov. Another researcher identified only as "miaubiz," took home $3,000 for his or her efforts.
Glazunov was awarded Google's top-money bounty of $3,133 for finding a bug that when accompanied by several lesser vulnerabilities ended up classified by Google as "critical impact."
In January, Glazunov became the first outside researcher to win Google's biggest bounty . So far this year, Google has spent more than $88,000 on bug bounties.
Of the major browser makers, only Google and Mozilla pay bounties to independent security researchers.
Chrome 12 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is email@example.com .
Read more about browsers in Computerworld's Browsers Topic Center.