This article was published on August 26, 2014

Chrome 37 launches with DirectWrite support for better-looking fonts on Windows, revamped password manager



Google today released Chrome version 37 for Windows, Mac, and Linux. Among the changes are better-looking fonts on Windows and a revamped password manager; you can update to the latest release now using the browser’s built-in silent updater, or download it directly from google.com/chrome.

Here’s the official Chrome 37.0.2062.94 changelog provided by Google:

  • DirectWrite support on Windows for improved font rendering.
  • A number of new apps/extension APIs.
  • Lots of under the hood changes for stability and performance.

The biggest change in this release is only for Windows users: support for Microsoft’s DirectWrite, a text layout and rendering API that first arrived in Windows Vista, has finally been implemented. The question of improving how text appears in the browser on Windows was first brought up in the Chromium bug tracker back in October 2009, but Google only confirmed in June 2014 that it would be enabled by default in Chrome Canary 37.

Until now, Chrome used the Graphics Device Interface (GDI), which dates back to the mid-80s and the lower-resolution monitors of the time, to render text. Google says the switch “required extensive re-architecting and streamlining of Chrome’s font rendering engine.”

With today’s release, users can expect better-looking fonts and increased rendering performance without changes required by Web developers. Unless you’re a designer or font aficionado, the difference is subtle until you actually update and start using the browser:

[Image: DirectWrite comparison]

It’s worth noting that Chrome 37 beta included mention of a “new password manager UI.” While the password manager itself has not changed, there is a new prompt that comes up after you enter a new password.

In fact, it even now comes up for network credentials, which previously required some trickery for the browser to save:

[Image: Chrome password manager]

Also not mentioned in the changelog is that Chrome 37 disables support for showModalDialog by default. First introduced in Internet Explorer 4, the API allows applications to show a dialog of HTML content that freezes all other content.

Google says less than 0.006 percent of webpages use it, and gives the following reasons for its axing:

Unfortunately, showModalDialog’s unique ability to freeze content is now widely regarded as a mis-feature in terms of user experience, code complexity, and security. From a usability perspective, showModalDialog rudely demands that you interact with it by freezing all of your other tabs—even ones from other sites. showModalDialog also requires complex and hard-to-maintain code scattered throughout the codebase. This complexity complicates the behavior of new web features like Mutation Observers, Object.observe, and Promises. It also makes showModalDialog a source of a disproportionate number of bugs, including serious security vulnerabilities.

Since many enterprise sites rely heavily on showModalDialog, Google has added a temporary Enterprise Policy setting to re-enable it. In May 2015, this setting will be removed and showModalDialog will be completely killed off.

Last but certainly not least, Chrome 37 also addresses 50 security issues, some of which Google chose to highlight:

  • [$30000][386988] Critical CVE-2014-3176, CVE-2014-3177: A special reward to lokihardt@asrt for a combination of bugs in V8, IPC, sync, and extensions that can lead to remote code execution outside of the sandbox.
  • [$2000][369860] High CVE-2014-3168: Use-after-free in SVG. Credit to cloudfuzzer.
  • [$2000][387389] High CVE-2014-3169: Use-after-free in DOM. Credit to Andrzej Dyjak.
  • [$1000][390624] High CVE-2014-3170: Extension permission dialog spoofing. Credit to Rob Wu.
  • [$4000][390928] High CVE-2014-3171: Use-after-free in bindings. Credit to cloudfuzzer.
  • [$1500][367567] Medium CVE-2014-3172: Issue related to extension debugging. Credit to Eli Grey.
  • [$2000][376951] Medium CVE-2014-3173: Uninitialized memory read in WebGL. Credit to jmuizelaar.
  • [$500][389219] Medium CVE-2014-3174: Uninitialized memory read in Web Audio. Credit to Atte Kettunen from OUSPG.

Google thus spent a whopping $43,000 in bug bounties for this release. As we always say, security fixes alone should push Chrome users to upgrade as soon as possible.

Update: Also today, Google promoted the 64-bit Windows version to the stable channel.
