This article was published on January 10, 2013

Google releases Chrome 24: The browser gets even faster, plugs 24 security holes, and adds MathML


Google on Thursday released Chrome version 24 for Windows, Mac, and Linux. There are no big new features, just speed improvements and a huge slew of security fixes. You can update to the latest release now using the browser’s built-in silent updater, or download it directly from google.com/chrome.

The biggest improvement on the user side of things is the speed increase. Google’s own Octane JavaScript test shows that this is the fastest Chrome release yet. When the beta came out in November, the company was touting that Chrome had become 26 percent faster on Octane than it was last year. Now it’s even faster.

On the developer side, Google has made sure the HTML5 datalist element now supports suggesting a date and time, and has also added support for MathML. Datalist allows you to specify a list of suggested dates and times for input elements, while MathML lets you write mathematical content in a consistent way. Other additions include experimental support for CSS Custom Filters.

Aside from the usual bug fixes, speed enhancements, and new versions of V8 and WebKit, here is what Google listed as being new in Chrome version 24, according to its changelog notes on the previous beta and dev updates (added in chronological order):

  • Bookmarks are now searched by their title while typing into the omnibox with matching bookmarks being shown in the autocomplete suggestions pop-down list. Matching is done by prefix. Example: if there is a bookmark with a title of “Doglettes & Catlettes” typing any of the following into the omnibox will likely present the bookmark as a suggestion: “dog”, “cat”, “cat dog”, “dog cat”, “dogle”, etc. Typing “ogle” or “lettes” will not match.

That’s right; there was only one new feature mentioned as this appears to be largely a cleanup and stability release. We did see, however, a huge number of notes on what issues have been addressed. Bugs related to Flash, speech input, YouTube, the omnibox, bookmark sync, installing extensions, memory leaks, JavaScript rendering, scrolling, and ones specific to Windows 8 have all been squashed. The full SVN revision log has more details.

On the security side, Chrome 24 coincidentally addresses 24 security holes (11 rated High, 8 marked Medium, and 5 considered Low):

  • [$1000] [162494] High CVE-2012-5145: Use-after-free in SVG layout. Credit to Atte Kettunen of OUSPG.
  • [$4000] [165622] High CVE-2012-5146: Same origin policy bypass with malformed URL. Credit to Erling A Ellingsen and Subodh Iyengar, both of Facebook.
  • [$1000] [165864] High CVE-2012-5147: Use-after-free in DOM handling. Credit to José A. Vázquez.
  • [167122] Medium CVE-2012-5148: Missing filename sanitization in hyphenation support. Credit to Google Chrome Security Team (Justin Schuh).
  • [166795] High CVE-2012-5149: Integer overflow in audio IPC handling. Credit to Google Chrome Security Team (Chris Evans).
  • [165601] High CVE-2012-5150: Use-after-free when seeking video. Credit to Google Chrome Security Team (Inferno).
  • [165538] High CVE-2012-5151: Integer overflow in PDF JavaScript. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [165430] Medium CVE-2012-5152: Out-of-bounds read when seeking video. Credit to Google Chrome Security Team (Inferno).
  • [164565] High CVE-2012-5153: Out-of-bounds stack access in v8. Credit to Andreas Rossberg of the Chromium development community.
  • [Windows only] [164490] Low CVE-2012-5154: Integer overflow in shared memory allocation. Credit to Google Chrome Security Team (Chris Evans).
  • [Mac only] [163208] Medium CVE-2012-5155: Missing Mac sandbox for worker processes. Credit to Google Chrome Security Team (Julien Tinnes).
  • [162778] High CVE-2012-5156: Use-after-free in PDF fields. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162776] [162156] Medium CVE-2012-5157: Out-of-bounds reads in PDF image handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162153] High CVE-2013-0828: Bad cast in PDF root handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162114] High CVE-2013-0829: Corruption of database metadata leading to incorrect file access. Credit to Google Chrome Security Team (Jüri Aedla).
  • [Windows only] [162066] Low CVE-2013-0830: Missing NUL termination in IPC. Credit to Google Chrome Security Team (Justin Schuh).
  • [161836] Low CVE-2013-0831: Possible path traversal from extension process. Credit to Google Chrome Security Team (Tom Sepez).
  • [160380] Medium CVE-2013-0832: Use-after-free with printing. Credit to Google Chrome Security Team (Cris Neckar).
  • [154485] Medium CVE-2013-0833: Out-of-bounds read with printing. Credit to Google Chrome Security Team (Cris Neckar).
  • [154283] Medium CVE-2013-0834: Out-of-bounds read with glyph handling. Credit to Google Chrome Security Team (Cris Neckar).
  • [152921] Low CVE-2013-0835: Browser crash with geolocation. Credit to Arthur Gerkis.
  • [150545] High CVE-2013-0836: Crash in v8 garbage collection. Credit to Google Chrome Security Team (Cris Neckar).
  • [145363] Medium CVE-2013-0837: Crash in extension tab handling. Credit to Tom Nielsen.
  • [Linux only] [143859] Low CVE-2013-0838: Tighten permissions on shared memory segments. Credit to Google Chrome Security Team (Chris Palmer).

Google thus spent a total of $6,000 in bug bounties this release. These issues alone should be enough to get you to upgrade to Chrome 24.
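As an added example (not from the original article or from Google), the following Python parses the release-note line format used in the list above, including the optional bounty tag, the platform tag, and entries that cite more than one bug ID, so that severity tallies and bounty totals can be checked mechanically during patch triage. The sample is a five-entry subset copied from the list, and the function and field names are assumptions of this example.

```python
import re
from collections import Counter
# Constructed sample: five entries copied from the list above, bullets included.
SAMPLE = """\
  • [$1000] [162494] High CVE-2012-5145: Use-after-free in SVG layout. Credit to Atte Kettunen of OUSPG.
  • [$1000] [165864] High CVE-2012-5147: Use-after-free in DOM handling. Credit to José A. Vázquez.
  • [Windows only] [164490] Low CVE-2012-5154: Integer overflow in shared memory allocation. Credit to Google Chrome Security Team (Chris Evans).
  • [162776] [162156] Medium CVE-2012-5157: Out-of-bounds reads in PDF image handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [Linux only] [143859] Low CVE-2013-0838: Tighten permissions on shared memory segments. Credit to Google Chrome Security Team (Chris Palmer).
"""

ENTRY = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\]\s*)+)"             # [$bounty] [platform only] [bug id] ...
    r"(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?P<cve>CVE-\d{4}-\d{4,}):\s+"
    r"(?P<summary>.+?)\.\s+Credit to\s+(?P<credit>.+?)\.?$"
)

def parse_entry(line):
    """Parse one release-note bullet; return None for lines that are not entries."""
    m = ENTRY.match(line.strip(" \t•"))
    if not m:
        return None
    entry = m.groupdict()
    entry.update(bounty=0, platform=None, bugs=[])
    for tag in re.findall(r"\[([^\]]+)\]", entry.pop("tags")):
        if tag.startswith("$"):
            entry["bounty"] = int(tag[1:].replace(",", ""))
        elif tag.isdigit():
            entry["bugs"].append(int(tag))       # an entry may cite several bugs
        elif tag.endswith(" only"):
            entry["platform"] = tag[: -len(" only")]
        else:                                    # fail loudly on a format change
            raise ValueError(f"unrecognised tag [{tag}] in {entry['cve']}")
    return entry

def summarize(text):
    """Tally severities, total bounty, and the CVEs specific to each platform."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    by_platform = {}
    for e in entries:
        if e["platform"]:
            by_platform.setdefault(e["platform"], []).append(e["cve"])
    return {
        "count": len(entries),
        "severity": Counter(e["severity"] for e in entries),
        "bounty_total": sum(e["bounty"] for e in entries),
        "platform_specific": by_platform,
    }
```

Calling `summarize()` on the full 24-entry list lets you confirm the article's 11/8/5 severity split and $6,000 bounty total, and the `platform_specific` map shows which fixes matter only for a given operating system.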
