Google Chrome 21 is out

Google Chrome 21 is out

Summary: Google Chrome version 21.0.1180.60 (21.0.1180.57 for Mac and Linux) is out, fixing 15 security vulnerabilities in the search giant's browser. Strictly from a security perspective, you should upgrade as soon as possible.

SHARE:
Google Chrome 21 is out

Google today released Chrome 21. On the security side, the new version fixes 15 vulnerabilities: one critical flaw, six high-severity flaws, five medium-severity flaws, and three low-severity flaws. You can update to the latest version using the software's built-in silent updater, or you can download the latest version of Chrome directly from google.com/chrome.

For full details of everything that has been changed, check out the SVN log. As for the 15 security vulnerabilities fixed in Google Chrome 21.0.1180.60 (21.0.1180.57 for Mac and Linux), here they are:

  • [Linux only] [125225] Medium CVE-2012-2846: Cross-process interference in renderers. Credit to Google Chrome Security Team (Julien Tinnes).
  • [127522] Low CVE-2012-2847: Missing re-prompt to user upon excessive downloads. Credit to Matt Austin of Aspect Security.
  • [127525] Medium CVE-2012-2848: Overly broad file access granted after drag+drop. Credit to Matt Austin of Aspect Security.
  • [128163] Low CVE-2012-2849: Off-by-one read in GIF decoder. Credit to Atte Kettunen of OUSPG.
  • [130251] [130592] [130611] [131068] [131237] [131252] [131621] [131690] [132860] Medium CVE-2012-2850: Various lower severity issues in the PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [132585] [132694] [132861] High CVE-2012-2851: Integer overflows in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [134028] High CVE-2012-2852: Use-after-free with bad object linkage in PDF. Credit to Alexey Samsonov of Google.
  • [134101] Medium CVE-2012-2853: webRequest can interfere with the Chrome Web Store. Credit to Trev of Adblock.
  • [134519] Low CVE-2012-2854: Leak of pointer values to WebUI renderers. Credit to Nasko Oskov of the Chromium development community.
  • [134888] High CVE-2012-2855: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [134954] [135264] High CVE-2012-2856: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [$1000] [136235] High CVE-2012-2857: Use-after-free in CSS DOM. Credit to Arthur Gerkis.
  • [$1000] [136894] High CVE-2012-2858: Buffer overflow in WebP decoder. Credit to Jüri Aedla.
  • [Linux only] [137541] Critical CVE-2012-2859: Crash in tab handling. Credit to Jeff Roberts of Google Security Team.
  • [137671] Medium CVE-2012-2860: Out-of-bounds access when clicking in date picker. Credit to Chamal de Silva.

For Chrome 21, Google paid security researchers a grand total $2,000 in rewards as part of its bug bounty program. This payout is smaller than usual since Google found most of the vulnerabilities this time, using its own AddressSanitizer tool.

Still, Mountain View recently quintupled its maximum bug bounty to $20,000. The company has so far received about 800 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by 50 or so firms it has acquired. In just over a year, the program has paid out around $460,000 to roughly 200 individuals.

For the record, Google Chrome 20 was released just five weeks ago (and then updated again three weeks ago). At the time, I expected Chrome 21 to be released "sometime in August." It turns out I was off by a day.

See also:

Topics: Security, Browser, Google, Software

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • Google Chrome 21951 is out

    Nice, a new major version every five weeks. That can go on for how long exactly before A) users get sick of the perception of so many rapid major versions (and they will), or B) the version number will be so high that it just looks stupid?
    Raid60
    • You could probably say the same thing for Asterisk PBX.

      Previously, Digium used to have version numbers like 1.0, 1.2, 1.4, 1.6, and 1.8. There isn't a new released version with a completely rewritten architecture; that is, there are no 2.0. 2.4, 2.6, etc. but instead will continue with 1.10. But instead of Asterisk 1.10, Digium took out the ".1" part and changed it to "Asterisk 10." The next version sometime in the future will be "Asterisk 11."

      So, for Google Chrome, I wouldn't think you would have complained if Google would have version numbers like 1.0, 1.1, 1.2, ... 1.9, 1.10, 1.11, ... 1.19, 1.20, and 1.21, right? There isn't any architecture changes been made to Google Chrome, are there?
      Grayson Peddie
    • Google

      Google invented the meaningless versions system (MVS).

      Firefox also adopted it.

      I'm still waiting the day FF will surpass Chrome version.
      C'mon Firefox!!
      Rikkrdo
      • Chrome 21 features are huge

        Look at the new features of Chrome 21, It is huge compared to Chrome 20. I Likes very much the Webcam API support. I play the xylophone that uses real-time motion tracking through my webcam. I believe Chrome 21 is the first browser which has implemented the Web RTC standard. Not to mention Retina displays support.
        oldman60
    • Doesn't matter

      The version numbers don't matter to anyone except devs since Chrome automatically updates. But you know that.
      daengbo
    • How would you get tired of it?

      Most people don't even realize that it gets updated because it's done entirely in the background. The only time people notice is when some ui aspect changes slightly. Very few will even know that Chrome has gone from 20 to 21.
      dsa791
  • IE

    Yes, more bugs than IE + FF united.
    Rikkrdo
    • depends how you look at it

      They FOUND more bugs then IE + FF united. Doesn't mean they actually HAVE more bugs ;-)
      belli_bettens@...
  • Google Chrome 21 is out

    Kudos Chrome Team
    RickLively
  • one major problem for chrome extension developers

    a major problem, not mentioned in this article: For chrome extension developers, this version of chrome doesnt allow users to install extensions directly from the developers own website, it only allows installation of extensions directly from the official chrome webstore

    quite annoying when you are trying to drive customers to your website to get ad revenue from ads on your site, after you have spent ages developing an extension, you should have the right to make some money from it.
    zdnetsupervisor
  • RE: Hope it fixes rendering issues also

    Been getting more pages especially yes Flash video that are slow or don't render then a couple of months ago.
    edkollin
  • Getting tired of Chrome updates yet?

    Jeez. New update, another 14 vulnerabilities. Add up the last 4-5 IE updates to one Chrome update [in the number of vulnerabilities and those 4-5 updates go back to late last year.
    Every Chrome updates has anywhere from a dozen to 20 security issues fixed.
    As far as I'm concerned it's still a beta product.
    I'm sticking with Firefox and IE.
    Gisabun
  • Serious Problems with Page Loading with Chrome at version 21.0.1180.75 & 77

    I don't know what the last workable version was until pages began loading partially -- so much for the silent continuous update methodology! Many users have complained and Chrome support has closed and restarted new threads probably to keep the summary numbers from getting too high. I am running under win7-64.

    When pages can't load that's time to recall the product and allow users to drop back to a working version (version 20) and apologize to the community, especially those end-users that are essentially testing the product! The Chrome team has some serious QA problems and should reconsider the wisdom of Microsoft's controlled releases. Many users (including me) have switched back to IE9 and Firefox.

    I will be wary of using Chrome until I've heard good reports over an extended time period.
    Automate