Chrome 28 Blinks
Google pays researcher record $21,500 for reporting bugs in sync service
Computerworld - Google on Tuesday released Chrome 28, the first polished version of the browser to use the company's home-grown "Blink" rendering engine.
On Windows, the upgrade also sported Google's new notification service that lets developers of Chrome apps and add-ons display messages and alerts outside the browser window.
The upgrade was the first since May 21, when Google shipped Chrome 27 and touted some minor performance improvements.
Google announced in April that it was dropping the open-source WebKit browser engine -- at the time otherwise used only by Apple's Safari -- and was instead launching Blink, a WebKit variant, to power Chrome. Since then, Opera Software's Opera has also adopted WebKit as an interim step before it eventually moves to Blink.
Google cited difficulties in adapting WebKit to Chrome, and in the first weeks after the announcement, stripped copious amounts of unnecessary-for-Chrome code from the fork that became Blink.
Previously, only the rougher "Dev" and "Beta" builds of Chrome relied on the Blink engine. Users can verify that Blink is present by typing chrome://version/ in the Chrome address-search bar, dubbed the "Omnibox."
Also included in Chrome 28 is new support for more sophisticated notifications that appear outside the browser pane and display even when the browser's not running. "Packaged apps" -- über-Web apps that look and behave like "native" code written specifically for the underlying OS -- and add-ons can push brief messages and alerts to Chrome users after their developers have enabled the feature.
Only the Windows version of Chrome 28 currently supports these next-generation notifications, but Google promised that the feature would soon make its way to OS X and Linux. On a Mac, Chrome notifications are not integrated with OS X Mountain Lion's Notification Center.
Along with the debut of Blink and notifications, Chrome 28 contained patches for 15 security vulnerabilities, one of them rated "critical," Google's most serious threat ranking. According to Google's terse security advisory, that flaw was a memory management bug -- dubbed a "use-after-free" vulnerability -- in the browser's network sockets code.
But while Colin Payne, who reported the bug, received an impressive reward of $6,267.40, another researcher was handed triple that.
Andrey Labunets was paid a record $21,500 for filing several vulnerability reports, including two in the Google synchronization service and an unknown number of others that Google said were "...since-fixed server-side bugs."
That last phrase and the amount paid were clues that Labunets discovered one or more flaws in a core Google service. In April, Google boosted bounties for vulnerability reports in its core websites, services and online apps, resetting the top reward to $20,000 for remote code execution bugs, those that attackers could use to slip malicious code onto a server or into an app or site.
Labunets is no stranger to large bug bounties. Earlier this year, after reporting a string of weaknesses in Facebook's authentication protocol, Labunets was awarded $9,500 by the social networking giant.
Altogether, Google this week paid bounties totaling $34,901 to six researchers, including Payne and Labunets, for reporting eight different bugs. Through Tuesday, the Mountain View, Calif., company has awarded nearly $250,000 thus far this year in bounties or hacking contest prizes.
Users can download Chrome 28 from Google's website. Active users can simply let the automatic updater retrieve the new version.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.