Google Chrome 33 has undergone a change. The change in status of the browser comes with many updates – especially security fixes. A partial list of changes in the build is available in the SVN revision log that you can find on the official Chrome Release blog.
According to Google, there are 28 security fixes in this version, including an issue with relative paths in Windows sandbox named pipe policy. The change that tops the list, a “No trespassing” sign: Only extensions or add-ons that originate from the Chrome Web Store, Google’s official distribution channel, can be installed now.
This implies, an ordinary Chrome user can no-longer customize Chrome to fit his/her needs. Earlier, you could set new-tab page as your apps list. That functionality no more exists. In addition, there’s ANOTHER search bar on your page (what’s the point of an omnibox AND a search field?) and capacity to disable the Google API integration has been removed.
- Nevertheless, Chrome explains, Chrome 33.0.1750.117 brings a bunch of new features, including Safe mode hotkey start
- Better speech synthesis
- Blocked local extensions for Windows users
- Improved full-screen mode and others.
Erik Kay, director of Chrome engineering, cited
“We believe this change will help those whose browser has been compromised by unwanted extensions.”
The company has paid out over $13,000 in reward money to folks who reported these vulnerabilities. Here is the list of the bugs discovered by external security researchers fixed in Chrome 33, along with the cash prizes:
- [$2000] High CVE-2013-6652: Issue with relative paths in Windows sandbox named pipe policy. Credit to tyranid.
- [$1000] High CVE-2013-6653: Use-after-free related to web contents. Credit to Khalil Zhani.
- [$3000] High CVE-2013-6654: Bad cast in SVG. Credit to TheShow3511.
- [$3000] High CVE-2013-6655: Use-after-free in layout. Credit to cloudfuzzer.
- [$500] High CVE-2013-6656: Information leak in XSS auditor. Credit to NeexEmil.
- [$1000] Medium CVE-2013-6657: Information leak in XSS auditor. Credit to NeexEmil.
- [$2000] Medium CVE-2013-6658: Use-after-free in layout. Credit to cloudfuzzer.
- [$1000] Medium CVE-2013-6659: Issue with certificates validation in TLS handshake. Credit to Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco, Inria Paris.
-  Low CVE-2013-6660: Information leak in drag and drop. Credit to bishopjeffreys.
In addition to these vulnerabilities outlined under SECURITY FIXES and REWARDS head of Google Chrome Release page, the company claims to have fixed more than a dozen bugs that were discovered by its internal security team. Google Chrome 33 is now available for download for Windows, Mac OS X and other versions.