Google quashes 13 Chrome bugs, adds PDF viewer

Computerworld - Google on Thursday patched 13 vulnerabilities in Chrome as it shifted the most stable edition of the browser to version 8.

Chrome 8 also debuted Google's built-in PDF viewer, an alternative to the bug-plagued Adobe Reader plug-in, and included support for the still-not-launched Chrome Web Store.

The 13 flaws fixed in Chrome 8.0.552.215 are in a variety of components, including the browser's history, its video indexing and the display of SVG (scalable vector graphics) animations.

Four of the baker's dozen are tagged as "high" level bugs, Google's second-most-serious rating, while five are pegged "medium" and four are labeled as "low."

Google paid $4,000 in bounties to five researchers for reporting vulnerabilities. Since mid-August, Google has handed out over $29,000 in bug bounty payments.

Among the researchers credited with submitting flaws was Nirankush Panchbhai, who works in Microsoft's vulnerability research group. Panchbhai was not one of the researchers paid a bounty.

Per its practice, Google locked its bug tracking database to bar outsiders from reading the technical details of the vulnerabilities. The company usually unlocks access to a flaw at a later date -- sometimes within weeks, often only after months have passed -- to give users time to update before the hacker-useful information goes public.

The update to the "stable" build -- Google maintains three separate "channels" for Chrome, ranging from stable to "beta" to "dev" -- also included an integrated PDF viewer, which Google first introduced to the dev channel last summer. The viewer renders PDF documents as HTML-based pages, and doesn't require Adobe Reader's free browser plug-in, or any of the alternatives.

The PDF viewer operates within Chrome's "sandbox," a security feature that isolates processes to make it more difficult for malware to affect the browser or infect the computer.

Google also added support for the Chrome Web Store to the browser with version 8. Multiple references to the store, which Google announced last May but has yet to take public, appeared in the Chrome 8 release notes.

That support may mean Google is close to opening the Web Store to customers, who will be able to browser, purchase and download Web applications, including extensions, to run in Chrome and other standards-compliant browsers.

Developers have had access to early versions of the Web Store for several months, but Google has only promised to publicly launch it before the end of the year.

Thursday's update to version 8 came a little more than six weeks after Google released Chrome 7 to the stable channel. Previously, the company said it would refresh the browser every 6-8 weeks.

If the past is any indication, most users will be running Chrome 8 within a couple of weeks.

Last month, Web analytics company Net Applications reported that Chrome's "silent" update mechanism -- unlike other browsers, Chrome automatically updates without any user interaction -- had "almost completely replaced" version 6 with Chrome 7 less than two weeks after the latter's Oct. 19 debut.

Earlier this week, Net Applications reported that Chrome's global share of the browser usage market stood at a record 9.3%.

On Wednesday, Google updated the Windows dev build of Chrome to include a sandbox that shields users from exploits of Adobe Flash Player vulnerabilities.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.