Google Pushes New Chrome Release, Pays $14k Bounty
Trailrunner7 writes "Google has released version 8.0.552.237 of its Chrome browser, which includes fixes for 16 security vulnerabilities. The company also paid out more than $14,000 in bug bounties for the flaws fixed in this release, including the first maximum reward of $3133.7. The new version of Google Chrome has fixes for 13 high-priority bugs, but the most serious vulnerability the company repaired in the browser is a critical flaw resulting from a stale pointer in the speech handling component of Chrome. That flaw, along with four others, was discovered by researcher Sergey Glazunov, who earned a total of more than $7,000 in rewards for the bugs he reported to Google."
New business model: (Score:5, Insightful)
1) Convince Microsoft to adopt similar bug strategy.
2) Start using software as it was designed to be used...
3) PROFIT!!
Yes, that's right. No step 4.
*sips coffee*
Re: (Score:2)
1) Convince Microsoft to adopt similar bug strategy.
2) Start using software as it was designed to be used...
3) PROFIT!!
Yes, that's right. No step 4.
Step 2 is somehow flawed. Google paid the bounty for the security bugs and for Chrome only.
MS:
1. has a bigger "impact cross-section" thus won't afford to pay too much for a bug leading to a 0-day exploit;
2. there is stiff competition in the matter of monetary rewards for finding 0-day exploits (hint: some entities in a country used to be known as Soviet...). If somebody jumps into the game as a beginner and stays in the game long enough to be proficient in finding bugs, my bet... because of point 1 abov
Re: (Score:2)
1. You can define the terms for payment and they have more money than Google to blow.
2. The competition fixes windows bugs? eh... Also, someone does work for you for money, gets better at their skill and may move jobs?! We can't let this happen! They must remain Microsoft's worker slaves forever!
Re: (Score:2)
side note - Originally there is no need for phase 4 [southparkstudios.com]
*sips espresso*
Re: (Score:2)
If they can pay this much for reporting bugs, why can't they pay $8k or so for h264 codec licensing???
This was a lame move on their side...
Re: (Score:2)
As has been said many times in the other article. Firefox and Opera don't support H.264 now, so Chrome not supporting it is just coming in line with the other browsers. You should be complaining that Microsoft refuses to put in WebM support rather than Chrome doing what everyone else is doing. Yeah, it sucks if you're used to h.264 encoding but technology moves forward and by popularity vote the industry is moving to WebM for the video tag in HTML 5.
Re: (Score:2)
Your Tivo and Camera don't support the html 5 video tag.
I just want Google on my check (Score:2)
Re: (Score:2)
I like your style. Perhaps as a Facebook display picture in hopes of getting some "likes" from potential femina mates
I am afraid Google would run into the same problems Knuth and others did. When people post images of checks online, various scammers, the scum of the internet, find images of the checks online, make fake checks, or initiate fraudulent ACH transactions.... result: the account has to be closed.
Remember folks... checks are legal instruments and contain confidential bank account numbers printed on them, which (due to our insecure banking system) can easily be abused by scammers to steal lots of money. Never post an image for public consumption of a check someone else wrote to you.
Re: (Score:2)
or just redact the numbers from the image.
Re: (Score:2)
Other people (esp. if they are government employees) will manage to screw up the redaction in some manner that makes the information recoverable
Not a monopoly of the govt bureaucrats, though, even if I admit they excel at it.
Recent history shows similar cases with non-govt entities... stop here, I won't name them, don't want flames.
Re: (Score:2)
Remember folks... checks are legal instruments and contain confidential bank account numbers printed on them, which (due to our insecure banking system) can easily be abused by scammers to steal lots of money. Never post an image for public consumption of a check someone else wrote to you.
Or, at least, not if you care about maintaining a good relation with that someone.
I know, I know, not very moral of me.
Re: (Score:2)
At this point, I'm pretty happy to have seen a Knuth check in reality. Owning one is a long term career goal.
While a noble goal, you do remember that ... humans are mortal, Knuth is still human... you know how it goes, don't you? Hurry up man, you don't have that much time.
You gotta be kidding me. (Score:2)
It's just a company, dude.
Re: (Score:2)
I used to get android sales pretty consistently, and that was one of the best parts. There's just something kind of cool in checking your balance and seeing daily deposits from google.
Google won this round... (Score:5, Insightful)
14K sounds like a pretty good deal for Google. That's less than 2 months of salary for even an intermediate tester.
Re: (Score:2)
Less than 2 months intermediate? I'd be surprised if beginning testers cost Google less than $84k/year when you include bonus, stock, benefits, office space, etc..
Then again, I'd also expect an intermediate tester to get more done than just 13 random bugs being found (1 every 3 work days). But maybe the quality of these 13 bugs is higher than you'd expect out of two months with a tester.
Then again...again, I expect even without a bounty some of these bugs would have been reported. I wonder to what extent people's behaviour is actually changed by this.
Re: (Score:2)
Less than 2 months intermediate? I'd be surprised if beginning testers cost Google less than $84k/year when you include bonus, stock, benefits, office space, etc..
Then again, I'd also expect an intermediate tester to get more done than just 13 random bugs being found (1 every 3 work days). But maybe the quality of these 13 bugs is higher than you'd expect out of two months with a tester.
Then again...again, I expect even without a bounty some of these bugs would have been reported. I wonder to what extent people's behaviour is actually changed by this.
If you think an entry tester is getting stock options, at their price, you're nuts. They also aren't getting $84k.
Re: (Score:3)
He didn't say they did, he said it could cost -google- that much.
Office space, benefits and the likes cost quite a lot. Salary is not the only thing an employee costs ;)
Re: (Score:2)
He said office space. That includes the portion of the mortgage of that cube. At California rates, that adds up quick. Plus their welcome package includes a Google edition of the dvd for Office Space signed by Ron Livingston.
I'll be filing a bug report soon (Score:5, Funny)
I've heard that h.264 support is broken in an upcoming release.
Re: (Score:3, Insightful)
I've heard that h.264 support is broken in an upcoming release.
That's a feature.
Re: (Score:2)
Humor is a subjective thing. And that was a definite attempt at humor. I like to think that it was a multi-leveled yet minimalistic example of humor. Which is a tricky thing to pull off as those sorts of things can catch people the wrong way. But I thought it was funny. Granted, I'm not an impartial judge.
Re: (Score:2)
I've heard that h.264 support is broken in an upcoming release.
My bet on Google's answer: "that's not a bug, that's a feature". Would you believe it?
Re: (Score:2)
They would be correct, so I'd believe it.
Maybe others would be willing to, but I simply can't argue for the contrary.
Re: (Score:2)
If you log a regression bug I will verify it!
Re: (Score:2)
Since they haven't removed it yet... it's the worst kind of security risk: involving lawyers and patent laws.
Security relation direct (Score:2)
And what makes this bug security related? :)
Because the reality is that with h.264 support out, rather than double up all encoding efforts for WebM sites will simply make Chrome use Flash players with h.264 videos.
Have you SEEN the security advisories around Flash?
Re: (Score:2)
No, not broken. Removed. And Microsoft is pissed about it!
Huh! They should save their mouth-foam for the time YouTube clips will only be available in WebM encoding!
One of the best things about Chrome ... (Score:5, Interesting)
Is that updates take place silently and promptly without any user intervention even on systems with UAC activated (a copy is installed to %appdata%). Why can't other applications just keep themselves up to date automatically in that way? It's obviously not technologically impossible, we've seen it happen. Even Windows Update is vaguely alright in this respect once you disable the restart-nagging. Debian systems do fine after a simple 'apt-get update && apt-get upgrade -y' in the root crontab although the GUI will occasionally pester you.
Firefox has to be the worst offender in this respect, both in terms of actual software upgrades that block the UI and then add-ons that also block the main UI and then spawn a silly splash to inform you of the amazing upgrade from 2.1.6 to 2.1.6(b). Unless it requires a change in the terms of the license or more permissions (Android does this nicely), I don't care and I definitely don't need to be interrupted to see it.
Another free tip for the Mozilla team -- when I open an application is not the time to install any updates. In fact, that is the only time you can be nearly guaranteed that I want to use the application right this second. Schedule updates for when I close the app because it's pretty damn likely I don't need to use it for a few minutes.
Apple could learn the same thing about their infernal updates too, plus an extra special place in hell for pimping their other software at the same time. I still get calls from my parents "Do I need Safari?", hmm, no just upgrade iTunes when it asks you to. "What about quicktime?". Gah.
Re:One of the best things about Chrome ... (Score:5, Informative)
> Schedule updates for when I close the app because it's pretty damn likely I don't need to
> use it for a few minutes.
It's not that simple. When you close the app in the case of a web browser, you're most likely shutting your machine down; you don't want to do the update then.
The only sane way to do it is what Google does: actually replace the binaries in-place as the program runs... We're working on getting there. :)
Re: (Score:2)
Replacing files in place is easy, if you use a sane OS.
Re: (Score:2)
Well, the hard part is to make sure things keep working after you did the replace. In particular, the ideal is that if an update comes out the browser updates itself and the next tab you open gets the updated renderer process (while the existing tabs still have the old renderer process). If you have to update the UI process, then you obviously have to do something slightly different.
Re: (Score:2)
Can you do that on Windows?
Re: (Score:2)
Yes, if you're careful enough. You can't write over the existing file, but you can create a new file, start using it, then make a copy once the old file is unused.
Re: (Score:2)
Sorry, but this is just a lame excuse. OSX allows an app to listen for shutdown notifications - just don't do an update if your app is terminating because of system shutdown. I'm sure Windows and KDE/Gnome have similar mechanisms.
Re: (Score:2)
Sure, but if you take more than a couple of seconds, Windows will assume the program isn't cooperating and offer to kill it. Which could be nasty when it happens during an update.
Re: (Score:2)
I read somewhere that an app can veto a system shutdown
An application can veto an interactive system shutdown, but apps don't seem to be able to veto the automatic restart after a Patch Tuesday update.
Re: (Score:2)
Right, but then you'll never update for many users (who _only_ shut down their browser when shutting down the OS), which negates the whole point.
King Koopa (Score:2)
to be honest it can wait till I feel like my computer can be on while the bowser is closed; as rare as that may be
I don't see a problem as long as it's not months behind
Bowser? Then maybe Chrome can update itself while you play Wii.
Re: (Score:2)
Some might consider that silent automatic update an issue, especially if the silently updated new version breaks somehow. Corporate IT departments particularly are none too keen on things that go about updating themselves.
As for your Firefox issue, go to Tools > Options > Advanced > Update and untick automatically update for Add-ons (and probably search engines). There, job done. Yes it isn't the best user interaction decision to update at startup and block the main UI from loading, but it doesn't mean you have to live with it when it clearly ticks you off so much.
Re: (Score:3)
As for your Firefox issue, go to Tools > Options > Advanced > Update and untick automatically update for Add-ons (and probably search engines). There, job done. Yes it isn't the best user interaction decision to update at startup and block the main UI from loading, but it doesn't mean you have to live with it when it clearly ticks you off so much.
So now I have to manually check for updates? And this is your idea of fixing things?
Re:One of the best things about Chrome ... (Score:5, Informative)
Is that updates take place silently and promptly without any user intervention even on systems with UAC activated (a copy is installed to %appdata%).
Hm.. that idea wouldn't work on any systems I set up.
Software restriction policy all systems, Policy default: deny.
Programs can be executed from the default allowed directories: %programfiles%, %systemroot%\system32, etc, and some designated paths for placing executables in manually, in order to install them.
User profile directories including appdata are specifically excluded, because this is best common practice. Programs/executables don't belong in any user's profile or appdata folder (Especially not in any folder used as a default download directory for saving files or temporary directory used by a mail application for opening attachments in a viewer). Contents of appdata is a data folder, and all of a user's profile are data folders, not program folders.
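An added audit script, written for this page and not taken from the thread, that checks a Windows host for the SRP layout this comment describes (default Disallowed, allow rules only for the program and system directories, nothing reaching into user profiles). It assumes the standard SRP machine-policy registry layout (DefaultLevel plus per-level Paths subkeys) and only reads it:

```powershell
# Added example, not from the thread: audit a Windows host for the Software
# Restriction Policy (SRP) layout the comment describes: DefaultLevel Disallowed,
# path rules allowing only %ProgramFiles% and %SystemRoot%, and no allow rule that
# reaches into a user profile. SRP keeps machine policy under this registry key.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level IDs: DefaultLevel holds one of these, and each rule lives under a
# subkey named after the level it grants (e.g. ...\CodeIdentifiers\262144\Paths).
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Expand-SrpPath([string]$Raw) {
    # Besides environment variables, SRP accepts %HKEY_LOCAL_MACHINE\key\value%
    # registry references (the built-in rules use them); resolve both forms.
    if ($Raw -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\]+)%(.*)$') {
        $hive = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $value = (Get-ItemProperty -Path "$hive\$($Matches[2])" -ErrorAction SilentlyContinue).($Matches[3])
        if ($value) { $Raw = "$value$($Matches[4])" }
    }
    return [Environment]::ExpandEnvironmentVariables($Raw).TrimEnd('\')
}

function Test-PathContains([string]$Parent, [string]$Child) {
    # True when Child is Parent or lies beneath it; NTFS paths compare case-insensitively.
    $p = $Parent.TrimEnd('\') + '\'
    $c = $Child.TrimEnd('\') + '\'
    return $c.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)
}

function Get-SrpPolicy {
    if (-not (Test-Path $SrpKey)) { return $null }
    $ci = Get-ItemProperty -Path $SrpKey
    # Key present but DefaultLevel unset means SRP treats everything as Unrestricted.
    $default = if ($null -eq $ci.DefaultLevel) { 'Unrestricted' } else { $LevelNames[[int]$ci.DefaultLevel] }
    $rules = foreach ($level in $LevelNames.Keys) {
        $pathsKey = Join-Path $SrpKey "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $item = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $LevelNames[$level]; Path = Expand-SrpPath ([string]$item.ItemData) }
        }
    }
    [pscustomobject]@{ DefaultLevel = $default; Rules = @($rules) }
}

function Test-SrpPolicy {
    $policy = Get-SrpPolicy
    if ($null -eq $policy) { return @('No machine SRP policy found: execution is unrestricted') }
    $findings = @()
    if ($policy.DefaultLevel -ne 'Disallowed') {
        $findings += "DefaultLevel is '$($policy.DefaultLevel)', expected Disallowed"
    }
    $allow = @($policy.Rules | Where-Object { $_.Level -eq 'Unrestricted' })
    # The allow list must cover the system program directories...
    foreach ($required in @($env:ProgramFiles, $env:SystemRoot)) {
        if (-not ($allow | Where-Object { Test-PathContains $_.Path $required })) {
            $findings += "No Unrestricted rule covers $required"
        }
    }
    # ...and must not overlap the profiles root (C:\Users on current Windows): an
    # allow rule that contains it, or sits inside it (AppData, Temp, Downloads),
    # lets anything saved or downloaded by that user run.
    $profilesRoot = Split-Path $env:USERPROFILE -Parent
    foreach ($rule in $allow) {
        if ((Test-PathContains $rule.Path $profilesRoot) -or (Test-PathContains $profilesRoot $rule.Path)) {
            $findings += "Unrestricted rule '$($rule.Path)' reaches into user profiles"
        }
    }
    return $findings
}

$result = @(Test-SrpPolicy)
if ($result.Count -eq 0) { 'SRP matches the default-deny layout' } else { $result }
```

Run it from an elevated prompt so the policy key and registry-referenced paths can be read; it reports each deviation from the described layout rather than changing anything.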
Re: (Score:3)
Programs can be executed from the default allowed directories: %programfiles%, %systemroot%\system32, etc, and some designated paths for placing executables in manually, in order to install them.
When Chrome closes it copies over the %ProgramFiles% version if the user has sufficient privileges to do so. That's the best place for it, but given that NTFS does not allow unlinking an executable when it is running, having it in %AppData% for the time being is the next best option.
User profile directories including appdata are specifically excluded, because this is best common practice. Programs/executables don't belong in any user's profile or appdata folder (Especially not in any folder used as a default download directory for saving files or temporary directory used by a mail application for opening attachments in a viewer). Contents of appdata is a data folder, and all of a user's profile are data folders, not program folders.
Wait, so if I instruct Chrome to download an application, it shouldn't go in $USER/Downloads because executables aren't supposed to be in data folders? To where should setup.exe be downloaded then? In fact, how the heck is any updater supposed to work in this case?
Re: (Score:2)
In fact, how the heck is any updater supposed to work in this case?
By being run as administrator.
Re: (Score:2)
User profile directories including appdata are specifically excluded, because this is best common practice. Programs/executables don't belong in any user's profile or appdata folder
I disagree, though not for Windows. On Linux, it's pretty common practice to install software locally to a user. For example I have a newer version of Python installed on my webserver than the stock, and it's just in my home directory.
Though I understand that your needs are likely different, I'm just pointing it out.
Re: (Score:3)
Programs can be executed from the default allowed directories. %programfiles% , %systemroot%\system32, etc, and some designated paths for placing executables in manually
Then what is the procedure for a user to request that a program's installer be placed into one of these "designated paths for placing executables in manually"?
Re: (Score:2)
Assuming the user is authorized to install software
Then I guess I should have phrased the question as follows: What is the procedure for a user to request authorization to install a given piece of software? Can a single procedure scale to homes, small businesses, and large businesses? How does the procedure change for people who create software?
Re: (Score:2)
No wonder corporate shops don't allow Chrome.
Re: (Score:2)
I was thinking the same thing for my home machine. I consider silent background updates "bad." Only one person should be authorizing software updates--me, and I want to know about it beforehand.
At close is worse (Score:2)
If I'm closing the browser, that probably means my battery is dying. My UPS is doing the extra-fast beeping that happens right before it cuts out.
That would be the absolute worst time to update. The power will cut out right in the middle of the update. Few software projects can reliably avoid self-corruption when that happens.
Re: (Score:2)
No, the installation of Chrome in the %user% folder is an absolute pain. I'm sure the only reason Google did this is to make it easy to install, but that doesn't make it the best place. Programs go in program files/system directories, NOT in userdata. I also hate the fact it doesn't just "update", it creates an entirely new directory every time for that particular version, so you end up with loads of redundant folders.
No other major app does this, why can google get away with it?
Re: (Score:3)
If you don't like the single user version then install the system-wide version from the google pack. And it doesn't leave past versions around; it leaves exactly one previous version when it's updating because it uses differential compression against the old version and falls back to the previous version if the update failed.
Re: (Score:2)
"One of the best things about Chrome is that updates take place silently and promptly without any user intervention"
You like having a rogue process running as root on your machine? I consider it the worst thing about Chrome. The first thing I dig out and kill after I install Chrome is Google Software Update.
http://www.wired.com/epicenter/2009/02/why-googles-sof/ [wired.com]
A.
Why the meager sum? (Score:2)
Certainly having a trouble free product is worth more than 10% of developer salary to google?
Chrome release schedule (Score:2)
They're doing two releases a quarter
I'm pretty sure the announced release schedule is one release every six weeks (which is 2 in 12 weeks), which is a little faster than 2/quarter (which is 2 in 13 weeks.)
Re:Wait a minute... (Score:5, Funny)
Way to spot 'em, Captain Obvious.
Re: (Score:2)
It's even color-coded on the Chrome release blog.
Re: (Score:3)
Yea, they fixed it alright. They got rid of it.
http://www.pcmag.com/article2/0,2817,2375719,00.asp [pcmag.com]
Re: (Score:2)
Firefox and Opera don't support h264 either, why hate just on Google? And if you really cared about choice you'd be ranting on Microsoft for not supporting WebM in IE9. Yay more IE hacks! Guess you're not a web developer..
Re: (Score:2)
( granted, maybe it's
Re: (Score:2)
I've noticed the copy/paste problem with Chrome as well. Generally speaking I can't copy from gvim and paste in Chrome.
Strangely, I can copy in gvim, paste in a terminal, then copy from the terminal and paste in Chrome. I have no idea why it takes that indirect process.
Workaround: Open comment in a new tab (Score:2)
Pasting into a textarea on a "/comments.pl" page works more often than pasting into a textarea on a "/story/" page. Try opening the comment to which you want to reply (e.g. #34876160) in a new tab and clicking "Reply to This" there.
Pasting into an empty textarea is also more reliable. If you can't use the first workaround because you're trying to add a top-level comment, it might even work to paste from gvim, gedit, etc. if the textarea is empty.
Re: (Score:2)
It's because slashdot broke it but they refuse to fix it. Maybe they hate chrome or something...
Nested tree tabs? (Score:2)
For a product claiming to be "8.x", it sure could use a lot of refinement. They haven't accomplished anything special with the tab interface (the biggest reason I can't adopt it for primary use -- I need Panorama and if not that, at least vertical nested tree tabs).
..ouch, my mind hurts!
Re: (Score:2)
For a product claiming to be "8.x", it sure could use a lot of refinement. [...]
However, for *actually* only being about 2.0 [...]
I don't think you understand what version numbers mean.
Re: (Score:2)
I posted this URL in another thread, but it is a great view of the whole video format "war" going on.
Even with chrome supporting h.264, in order to get maximum compatibility for video playback across all browsers(let's not leave out Android and Iphone), you still need to have the video in all 3 formats(below is copy/pasted from the site). Chrome isn't going "backwards" compared to where it stands now, unless you prefer having site visitors standardize on a set of browsers, in which case I can't argue with t
Wrong, here is workflow that will be used. (Score:2)
For maximum compatibility, here’s what your video workflow will look like:
Companies are not going to go for maximum compatibility that costs too much. They are going to go for the maximum compatibility at minimum cost. So let's revise your workflow to predict what will really happen:
1. Make a version that uses H.264 baseline video and AAC “low complexity” audio in an MP4 container.
Re: (Score:2)
It is a game changer for the video tag (not for h.264). The video tag was gaining traction, but that will go away now... I personally don't care what codec gains prominence, I'm just annoyed that we are devolving back into a world where all desktop video comes through a Flash player.
Re: (Score:2)
Step 2 of your proposed workflow requires affording the H.264 encoder and streaming licenses.* How should a typical ad-supported web site afford these?
* Or mass emigration.
Re: (Score:2)
It was extended to 2015 for free streaming if the site was offering free videos to the end user.
Is it still considered "free" if it's ad-supported? Or in the case of a low-volume local business selling local-interest videos to local customers, is there a prohibitive minimum annual royalty per firm?
Sites would normally have to pay for the encoder themselves, like any other regular commercial software.
And how much does a good one of these cost?
Re: (Score:2)
Like who? Apple and Microsoft?
What about Firefox and Opera. That's three against two right there that are backing it.
Re: (Score:2)
Firefox and Opera are NOT supporting h264 in the video tag.
http://www.conceivablytech.com/5155/business/mozilla-celebrates-google-webm-delays-fi [conceivablytech.com]
Right, and that means flash players everywhere (Score:2)
H264 may have much wider backing in some fields but that's just not visible in the browser usage share: After Google's decision I guess around 1% of the browsing happens on a browser capable of HTML5 + H.264.
The direct result of that is zero adoption of the HTML5 video tag. There is no game afoot; the game is over, Google took the ball home.
When you can just wrap h.264 video in a Flash player for computers and thus support iOS devices and all browsers with one file, why would you do ANYTHING else?
Re: (Score:2)
Nope, you'll be using a Flash player just like everyone else.
There is no "walled garden" on the desktop, just a browser intelligent enough to support a full complement of standards (I can play WebM through Quicktime with a plugin).
Re: (Score:2)
It's not meant to be a salary, it's a reward. Some researchers don't even take the money.
Why not rip on Microsoft for not even offering a bounty rather than look a gift horse in the mouth?
Re: (Score:2)
You know, for a company with a total equity of US $36.004 billion (2009) the sum of $14,000 being spent to improve their product doesn't seem that good of a deal for the people doing the work...
They are spending a lot more than that to improve their product -- they do have paid development staff. These are "thank yous" in cash form awarded after the fact to people who have, on their own, reported problems.
Many companies don't reward people for reporting problems with their product at all.