Google ships Chrome 17, touts more malware alerts and page pre-loads

Patches 20 vulnerabilities, pays $10,500 in bounties to four bug hunters

Google today patched 20 vulnerabilities in the desktop edition of Chrome and added new anti-malware download warnings to version 17.

The company called out a pair of new features in Chrome 17, including the expansion of anti-malware download warnings and pre-rendering of pages suggested by the address/search bar's auto-complete function.

Google last refreshed Chrome eight weeks ago, on Dec. 13. Google generates an update to its "stable" channel about every six to eight weeks, a slightly more flexible schedule than rival Mozilla's every-six-week pace.

One of the 20 vulnerabilities patched today was rated "critical," the most-dire ranking in Google's threat system. Eight were marked "high," while five were labeled "medium" and six were tagged "low."

Google paid $10,500 in bounties to four researchers for reporting 11 bugs, and another $3,133 to one of the four who uncovered a serious flaw that was quashed by developers before Chrome 17 made it to today's release. The nine other vulnerabilities were uncovered by members of Google's own security team, developers who contribute to the open-source Chromium project -- which feeds code to Chrome -- or those, who for one reason or other, were not bonus eligible.

Per its usual practice, Google blocked access to its bug tracking database for all 20 vulnerabilities to prevent outsiders from obtaining details that could be used to build exploits. Google typically opens up the database weeks or even months later, after it's sure a majority of users have migrated to the new edition.

Google typically includes a handful of obvious changes in each Chrome upgrade, and it stayed with that practice today: The two features visible to users were an extension of Chrome's long-running anti-malware download warnings and faster displaying of some Web pages.

The new download warnings alert users when they try to retrieve executable Windows files -- including those with the ".exe" and ".msi" extensions -- that Google knows or suspects are malicious, or are hosted on a website that commonly distributes threats.

Such warnings have been part of Chrome since version 12, which launched in June 2011, but they've been expanded in Chrome 17.

If the file isn't a known quantity or from a reputable publisher, information about the file is sent to Google, which runs it through an analyzer to rank its "reputation and trustworthiness [compared to] files previously seen from the same publisher and website," said the company last month.

Suspicious files -- ones that match the criteria of others known to come from the same source -- are tagged and if there's a high probability it's malicious, the user sees an alert.

Google has also beefed up its anti-phishing tool; Chrome now inspects the destination URL for characteristics common to sites that try to steal confidential information, and if it makes a match, spits out a warning.

The new anti-malware tools have been available in the beta of Chrome 17 for a month.

Also new to Chrome 17: Pre-loading of pages that appear in the browser 's combination address/search bar when users start typing an address or search string.

"If the URL auto-completes to a site you're very likely to visit, Chrome will begin to pre-render the page [to reduce] the time between when you hit Enter and when you see your fully-loaded Web page," Google explained last month when it added the feature to Chrome 17's beta.

In admittedly unscientific tests of Chrome 17's pre-loading, however, Computerworld did not notice any difference in the speed with which pages popped up.

According to metrics company Net Applications, Chrome accounted for nearly 19% of all browsers used in January, keeping it in second place behind Firefox (with 20.9%) and Microsoft 's Internet Explorer (53%).

Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google's website. Users running the browser will be updated automatically through its silent service.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is .

See more articles by Gregg Keizer .

Read more about browsers in Computerworld's Browsers Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleGoogleLinuxMicrosoftMozillaTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts