Google quashes 31 vulnerabilities, restores Metro mode 'steppers' with Chrome 34

Updates browser after paying nearly $30,000 in bug bounties

Google earlier this week updated Chrome to version 34, patching 31 vulnerabilities and paying out nearly $30,000 in bug bounties to outside researchers.

Chrome 34 shipped Tuesday as an automatic update for Windows, OS X and Linux users. On the same day, Google also refreshed Chrome OS, its browser-based operating system that powers various vendors' inexpensive notebooks.

Google paid $29,500 in bounties for 12 bugs reported by outsiders. An additional 19 were found by in-house researchers and other contributors to Chromium, the open-source project that feeds code into Chrome.

Five of the 12 bounty-eligible vulnerabilities were tagged as "use-after-free" flaws, a type of memory management bug that Chrome researchers have been adept at finding, in large part because of the Google-designed "Address Sanitizer" fuzzing tool, which is available to outside bug hunters.

Ten flaws in V8, Chrome's JavaScript engine, were also patched in Chrome 34.

Google posted its usual terse descriptions of the vulnerabilities addressed in the update on April 8.

Elsewhere in Chrome 34, Google updated Flash Player to the most current version. Also on Tuesday, Adobe patched four flaws in the media player, including one that was revealed by French vulnerability broker Vupen at the Pwn2Own hacking contest the month before. Vupen was awarded $75,000 for its successful exploit of Flash Player.

Adobe has not yet patched a second vulnerability used at Pwn2Own by a different team.

Besides the bug fixes, Google added support for importing supervised users into Chrome on new computers, a feature that debuted in February with the beta version of the browser. "Supervised users" are typically family members, usually children, who are given access to Chrome on a shared personal computer; one person in the family acts as an administrator of sorts, managing a list of permitted and/or blocked websites and taking requests for access to other URLs.

Those supervised-user settings can now be imported to any Chrome-equipped device in the home that's running Windows, OS X or Linux, eliminating the need to recreate those settings when the family adds another personal computer to the household. After import, those settings are kept synchronized across all devices.

Chrome 34 also debuted a tweaked version for Windows 8.1's "Modern," née "Metro" mode, responding to critics who had blasted Google for adopting a non-standard scrollbar they said made it harder for them to navigate pages.

Those grievances had focused on two changes: Chrome's scrollbars were significantly thinner, and Google dumped the scroll arrows, also called "steppers," within the scrollbar.

Google quickly recanted the stripping of steppers, and just days after the new Metro-mode user interface (UI) appeared, said it would restore them in Chrome 34.

The company made good on that promise this week. "[We] heard feedback that certain functionality was dearly missed," said SarahMM, who was identified as a Google employee, in a message posted Wednesday to a Chrome support forum. "We've made changes; in Chrome 34 you will see a return of the arrow buttons to scrollbars, the ability to once again auto-hide the app shelf in Windows 8 mode, and more consistency in UI design of text boxes."

People who haven't tried Google's desktop browser can download Chrome 34 for Windows, OS X and Linux from Google's website. Current users can let the automatic updater download and install the new version.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.


Copyright © 2014 IDG Communications, Inc.
