The ScriptNo extension adds an icon to the Chrome address bar. The icon acts as a notifier that informs the user about the number of scripts that have been blocked on the current page. The icon color indicates blocked scripts (red), temporarily allowed scripts (blue), whitelisted parent pages but blocked scripts (white) or if the extension is disabled on that particular page (grey).

A left-click on the icon displays all blocked resources, the domain name and links to options and a quick start guide.

All script elements are blocked by default. Users now have options to change the preferred action for a particular script or domain.

• Allow: Whitelists the specific domain which does not necessarily have to be the root domain. E.g. whitelist www.ghacks.net but not de.ghacks.net.
• Trust: Whitelist the entire domain and all of its subdomains
• Distrust: Adds the current domain to the blacklist.
• Temp: Depending on the default mode the domain will either be allowed for the current session (if default mode is set to block) or allowed (if default mode is set to allow).

When you change a script’s state, e.g. from blocked to allow, the page will be reloaded to take that into account. If you click on the icon again you will then see that the script is listed under Allowed Resources and no longer under blocked resources. A clear button is added to those scripts to undo the preference change.

The options of the ScriptNo extension offer customizations. Here you can set the default mode of operation (block or allow) and allow or block specific HTML elements. The latter could be interesting for users who always want to see noscript contents on the page or audio and video contents. There is even an option to block images from being loaded automatically.

The options list four additional settings to configure the extension. Privacy Settings allow the user to configure the following features:

• Block Unwanted Content: (Default: enabled; remove unwanted content from known ad / malware domains; domains gathered from MVPS HOSTS, hpHOSTS (ad / tracking servers), Peter Lowe’s HOSTS Project, MalwareDomainList.com, and DNS-BH – Malware Domain Blocklist)
• Unwanted Content Mode: (Default: Relaxed; Relaxed = whitelisted domains will not be blocked; Strict = domains in the unwanted domain list will be blocked even if whitelisted)
• Antisocial Mode: (Default: disabled; always remove social widgets/buttons, even if whitelisted)
• Remove Webbugs: (Default: enabled; remove “invisible” third-party elements)
• Block Click-Through Referrer: (Default: enabled; blocks referrer information when clicking on external links)

Behavior Settings include the following options:

• Page Link Opening Behaviour: (Default: -Unchanged-; modifies how all links are opened)
• Respect Same-Domain: (Default: disabled; preserve same-domain elements)
• Auto-Refresh Page: (Default: enabled; auto-refresh page after list change)
• Show Rating Button: (Default: enabled; if ticked, adds rating button under domains in tab popup)
• Classic Options Mode: (Default: disabled; if ticked, closes tab options everytime an option is clicked)
• Sort by Domain: (Default: enabled; sorts URL lists by domains)

The remaining settings include a whitelist and blacklist where all previously added domains are listed (with options to remove), and import and export settings.

New users should take a look at the quick start guide. The guide needs a bit of revamping considering that it uses terms that are no longer found in the extension. But that’s not a big issue.

The extension is hosted both on the Chrome Web Store and on Google Code where the source code can be downloaded and analyzed. Google Chrome users who want NoScript like protection for their web browser should definitely take a look at ScriptNo, it is awesome.

Bugs or bad programming practices may leak information like passwords or history to web and Wi-Fi attackers. The developers provide two examples of how extensions can be exploited by attackers. The two extensions mentioned, Open Attribute and Silver Bird, have since been fixed by their development teams.

The Open Attribute extension helps users read the Creative Commons (CC) licenses of web sites. In the typical use case, a user clicks on the extension’s browser action to see a web site’s attribution information. Open Attribute embeds the site’s CC license in the extension’s popup window, using innerHTML. A malicious web site could serve a fake CC license that includes inline scripts, or a WiFi attacker could insert inline scripts into a license provided by a legitimate web site like Wikipedia. The inserted code then runs in the extension’s popup window with the extension’s privileges. This bug was fixed in Open Attribute 0.7 by setting a Content Security Policy for the extension.

Example 2: Silver Bird 1.9.7.9
Silver Bird allows users to post and read Twitter messages without navigating to twitter.com, and it currently has over 200,000 users. The extension makes an XHR to Twitter using either HTTP or HTTPS, based on the user’s settings. It displays the retrieved messages in the core extension, using innerHTML in several places. If a user were to specify an HTTP URI, a WiFi attacker could insert inline scripts into the XHR response. Luckily, Twitter prevents its users from launching this attack by sanitizing user messages. This bug was fixed in version 1.9.8.4 by replacing innerHTML with innerText.

The two other extensions that have been named in the article are Last Pass and XMarks, which were both protected against those kinds of attacks.

Interestingly enough vulnerabilities were split more or less evenly between popular and random samples, as Adrienne Porter Felt points out.

Probably the most interesting aspect here is that the vulnerability count would drop from 51 vulnerabilities to 2 (a reduction of 96%) if the extension developers would have followed Google Chrome’s Content Security Policies. Implementing those security guidelines will block attempts by an attacker to “take over an extension by injecting malicious JavaScript into the core extension”.

The researchers have decided to not publish the full list of vulnerable and protected extensions at this time to give extension developers ample time to protect their extensions from these kind of attacks.

The developers are not aware of attacks exploiting those vulnerabilities at this point and note that nearly all important extensions with vulnerabilities have updated their extensions already.

The full security paper will be released at the beginning of November. (via)

VUPEN Research yesterday announced that one of their security teams has been successful in exploiting the Google Chrome web browser. The team managed to escape the web browser’s sandbox.

A video was published that demonstrates the exploit under Chrome 11.0.695.65, the latest stable version of the Internet browser. The operating system in the video is the 64-bit edition of Windows 7.

The developers are opening a specifically prepared local website which, after a while, triggers the start of the Windows Calculator to demonstrate that the sandbox has been penetrated. The calculator ran with the same privileges as the web browser.

Malicious hackers would obviously use the exploit for a serious attack instead of launching the calculator.

How does it work?

The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level.

While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.

The vulnerability has not been confirmed yet by Google and it is unclear if the two companies are in contact with each other. VUPEN have not posted the exploit code or a proof of concept demonstration on their website.

It is likely that we will see a quick patch to address the issue in Chrome. VUPEN are very vague on their website, and it is not clear if all Chrome versions are affected or only the stable version. It is however likely that the exploit works on all versions of Chrome.

The issue can only be utilized by attackers if a Chrome users visits a specifically prepared page on the Internet. While it is unlikely that a single page exploiting the issue is already online, it might be a good idea to stay away from questionable sites for a while.

More important than the version bump to 11 are the security updates that have been implemented in the browser. A total of 25 different security issues have been resolved in Google Chrome 11. Of those, 16 have received a severity rating of high, the second highest. A further six have received a rating of medium and the remaining three one of low. No security issue has been rated as critical, the highest available rating for security vulnerabilities.

Several of the security vulnerabilities are affecting only the Macintosh or Linux versions of Chrome.

• [61502] High CVE-2011-1303: Stale pointer in floating object handling.
• [70538] Low CVE-2011-1304: Pop-up block bypass via plug-ins.
• [Linux / Mac only] [70589] Medium CVE-2011-1305: Linked-list race in database handling.
• [71586] Medium CVE-2011-1434: Lack of thread safety in MIME handling.
• [72523] Medium CVE-2011-1435: Bad extension with ‘tabs’ permission can capture local files.
• [Linux only] [72910] Low CVE-2011-1436: Possible browser crash due to bad interaction with X.
• [73526] High CVE-2011-1437: Integer overflows in float rendering.
• [74653] High CVE-2011-1438: Same origin policy violation with blobs.
• [Linux only] [74763] High CVE-2011-1439: Prevent interference between renderer processes.
• [75186] High CVE-2011-1440: Use-after-free with tag and CSS.
• [75347] High CVE-2011-1441: Bad cast with floating select lists.
• [75801] High CVE-2011-1442: Corrupt node trees with mutation events.
• [76001] High CVE-2011-1443: Stale pointers in layering code.
• [Linux only] [76542] High CVE-2011-1444: Race condition in sandbox launcher.
• [76646] Medium CVE-2011-1445: Out-of-bounds read in SVG.
• [76666] [77507] [78031] High CVE-2011-1446: Possible URL bar spoofs with navigation errors and interrupted loads.
• [76966] High CVE-2011-1447: Stale pointer in drop-down list handling.
• [77130] High CVE-2011-1448: Stale pointer in height calculations.
• [77346] High CVE-2011-1449: Use-after-free in WebSockets.
• [77349] Low CVE-2011-1450: Dangling pointers in file dialogs.
• [77463] High CVE-2011-1451: Dangling pointers in DOM id map.
• [77786] Medium CVE-2011-1452: URL bar spoof with redirect and manual reload.
• [79199] High CVE-2011-1454: Use-after-free in DOM id handling.
• [79361] Medium CVE-2011-1455: Out-of-bounds read with multipart-encoded PDF.
• [79364] High CVE-2011-1456: Stale pointers with PDF forms.

Google has paid security researchers a total of $16,500 for the discovery of security issues in the web browser.

Google Chrome 11 includes a new speech input through HTMl feature which can be used by websites to use a web user’s speed input. Google Translate is one of the first services to include a listen option. Speech input requires a microphone connected to the computer.

The Google Chrome update is available directly from within the browser. You can check for the update with a click on the wrench icon in the address bar and the selection of About Google Chrome in the menu.

You find further instructions at our How To Upgrade, Downgrade Google Chrome guide.

Three additional security vulnerabilities are fixed in the latest Google Chrome Stable version. One of the fixed issues is only affecting Chrome on Windows, while the remaining are affected all versions of the Chrome browser.

• [Windows only] [70070] Critical CVE-2011-1300: Off-by-three in GPU process.
• [75629] Critical CVE-2011-1301: Use-after-free in the GPU process.
• [78524] Critical CVE-2011-1302: Heap overflow in the GPU process.

All three vulnerabilities have received a critical rating, the highest possible rating. The Adobe Flash vulnerability was rated critical by Adobe, which means four critical vulnerabilities have been fixed in total in the latest version of Google Chrome.

Google Chrome users can download the latest version of the web browser from the official Google Chrome download page, or with an in-browser update.

Google Chrome should recognize the update automatically and apply it on the next restart of the browser. They can initiate the update check manually with a click on Tools > About Google Chrome.

This queries the Google Update server to see if a new version of the installed Chrome browser is available. Updates that are found by the check are downloaded automatically, and the only thing left to do is to restart the browser to apply the update that secures the Internet browser from those vulnerabilities.

Adobe confirmed that a general update for the Flash vulnerability will follow tomorrow.

The new version fixes several, or shall we say many, security issues. The release notes list a total of 25 different security related issues that have been fixed in Google Chrome Stable. 15 of the listed security issues have been rated with a severity rating of high. The security fixes come just one day before the annual Pwn2Own competition where security experts from all over the world try to compromise web browsers, software and devices.

The release is not only security related though. Google has packed many new features in the stable version of the web browser that have previously been only available in beta, dev and canary releases of the web browser.

The core additions under the hood are an improved version of the V8 JavaScript engine that improves the script processing in Google Chrome Stable by up to 66% according to Google, security improvements like the automatic disabling of outdated plugins and the Adobe Flash Player Sandbox on Windows. Tim Steele over at the Chrome blog mentions that Flash sandboxing is only available if you are using Windows vista or newer versions of the Windows operating system.

The Chrome developers have improved other areas of the web browser as well. Password Sync has for instance been enabled by default as part of Chrome Sync. Users find the option by clicking on Tools > Options and selecting Personal Stuff > Sync from the options menu. They can alternatively enter sync in the search box on the left to find the synchronization settings this way.

This leads directly to the next change; The chrome settings have been moved to the tabs. It is basically a new settings interface that opens in a tab instead of a window. Google has created and published a video back in February that introduces the change.

A tabbed settings page has the added advantage that users can bookmark pages to access them even faster.

On top of all that, GPU Accelerated Video has been made available in the web browser. Users can configure the setting by typing about:flags in the Chrome address bar, hitting enter and enabling or disabling GPU Accelerated Canvas 2D on the options page.

Most Chrome users make use of the automatic update feature of the web browser. Those who do not can download the latest stable release from Google.

A total of nine security vulnerabilities have been fixed in Google Chrome 9.0.597.84 of which one received a critical vulnerability rating, the highest possible rating. Two vulnerabilities were rated as high and six as low. Two of the vulnerabilities are only affecting Apple Mac systems, the remaining seven all supported operating systems.

Consult the listing below for an overview (via):

• [Mac only]Low Minor sandbox leak via stat().
• High Use-after-free in image loading.
• Low Apply some restrictions to cross-origin drag + drop.
• Low Browser crash with extension with missing key.
• High Crashing when printing in PDF event handler.
• Low Handle merging of autofill profiles more gracefully.
• [Mac only] Low Work around a crash in the Mac OS 10.5
• Low Browser crash with bad volume setting.
• Critical Race condition in audio handling.

The Google Chrome blog details the new features that have been added to the stable channel:

• WebGL is now supported in Google Chrome stable. It is a “new technology which brings hardware-accelerated 3D graphics to the browser”.
• Chrome Instant will load frequently visited web pages as soon as the user begins to enter the url into the address bar.
• The Chrome Web Store is now open toa ll Chrome users in the United States.

Google Chrome stable users can update the browser from within. They need to click on the wrench icon in the address bar and select About Google Chrome from the available options.

New users should consult our Where Can I Download The Different Google Chrome Builds? guide.

One of the biggest issues can be brought down to the following four words: Http bad, https good. Most web connections are http connections which is fine as long as no important or private data is transferred. Data in this regard can be anything from username and passwords to financial documents or a private message to a friend at a website.

Users in the same network can spy on the traffic but only if the connections are made via http. Https connections on the other hand are encrypted which more or less protects the information from man in the middle attacks and users in the same network.

SaferChrome is a security extension for Chrome that aids the user by offering additional protection against man in the middle attacks. The extension notifies the user whenever login information will be sent in the clear.

This helps detecting site that don’t use SSL or use it incorrectly. It also helps preventing SSL strip attack that rewrite the form action to trick you into sending your password over HTTP rather than HTTPS.

The extension displays a warning notification at the top and an icon in the address bar. A click on the icon opens a detailed report about the website and the problems the extension has detected.

The extension furthermore offers to redirect http traffic to https. This may not work on all sites but can be easily undone.

Users who visit websites with problems have the option to force https to see if this resolves the security issue or contact the webmaster manually to request that it will be fixed. The extension helps users identify websites with improper security.

Safer Chrome is available for download at the Chrome repository.

The Chrome blog lists 16 different vulnerabilities that have been fixed in the new version of which one received the highest rating critical and 13 of high. The researcher who discovered the critical vulnerability has received the first “elite” Chromium Security Reward which comes with a $3133.7 payment.

The list of fixed vulnerabilities:

• [58053] Medium Browser crash in extensions notification handling. Credit to Eric Roman of the Chromium development community.
• [$1337] [65764] High Bad pointer handling in node iteration. Credit to Sergey Glazunov.
• [66334] High Crashes when printing multi-page PDFs. Credit to Google Chrome Security Team (Chris Evans).
• [$1000] [66560] High Stale pointer with CSS + canvas. Credit to Sergey Glazunov.
• [$500] [66748] High Stale pointer with CSS + cursors. Credit to Jan Tošovský.
• [67100] High Use after free in PDF page handling. Credit to Google Chrome Security Team (Chris Evans).
• [$1000] [67208] High Stack corruption after PDF out-of-memory condition. Credit to Jared Allar of CERT.
• [$1000] [67303] High Bad memory access with mismatched video frame sizes. Credit to Aki Helin of OUSPG; plus independent discovery by Google Chrome Security Team (SkyLined) and David Warren of CERT.
• [$500] [67363] High Stale pointer with SVG use element. Credited anonymously; plus indepdent discovery by miaubiz.
• [$1000] [67393] Medium Uninitialized pointer in the browser triggered by rogue extension. Credit to kuzzcc.
• [$1000] [68115] High Vorbis decoder buffer overflows. Credit to David Warren of CERT.
• [$1000] [68170] High Buffer overflow in PDF shading. Credit to Aki Helin of OUSPG.
• [$1000] [68178] High Bad cast in anchor handling. Credit to Sergey Glazunov.
• [$1000] [68181] High Bad cast in video handling. Credit to Sergey Glazunov.
• [$1000] [68439] High Stale rendering node after DOM node removal. Credit to Martin Barbella; plus independent discovery by Google Chrome Security Team (SkyLined).
• [$3133.7] [68666] Critical Stale pointer in speech handling. Credit to Sergey Glazunov.

It is recommended to update the web browser as soon as possible to protect it and the underlying operating system from possible exploits. Chrome users can either check for updates by clicking on the Wrench icon and selecting About Google Chrome or visit the official download page to download the latest Google Chrome version.

Browser developers have recognized the danger, and have started to offer solutions. Mozilla was one of the first with their Mozilla Plugin Check, which checks the installed browser plugins after each Firefox update. The plugin check website can be accessed manually as well to check plugins not only in Firefox but all web browsers at any time. The implementation has its flaws though, as it will not warn users the moment their plugins become outdated, but only if they access the site manually or after updates.

A new Chrome Labs tool has become available in today’s Google Chrome Dev release that proposes a better solution. Disable outdated plug-ins will automatically disable plugins with known security vulnerabilities and offer update links for them.

This seems to suggest that plugins will only be disabled if an update is available, and not if a security vulnerability has been discovered and a patch is in the making.

Still, this ensures that plugins will be disabled in the Chrome web browser as soon as the plugin developer releases a new version of the plugin. Google is not offering a list of supported plugins, and it is not clear yet how many plugins are supported by the feature. It is however very likely that the most common plugins are supported.

Chrome’s implementation decreases the time it takes to notify the user about outdated plugins. While it is still not a 0-second defense, it offers reasonable protection and gets rid of outdated plugins on user systems.

An option to disable plugins based on security notifications would be the logical next step. This would block plugin vulnerabilities completely, providing that the security notifications are processed in a timely manner.

A total of nine different security issues have been fixed in both browser versions, of which one has been rated critical and six as high.

• High Use-after-free when using document APIs during parse.
• High Use-after-free in SVG styles.
• High Use-after-free with nested SVG elements.
• Low Possible browser assert in cursor handling.
• High Race condition in console handling.
• Low Unlikely browser crash in pop-up blocking.
• Critical Fix bug 45400 properly on the Mac.
• High Memory corruption in Geolocation.
• High Memory corruption in Khmer handling.
• Low Failure to prompt for extension history access.

The new versions can be updated from within the browser, by clicking on the Wrench icon in the header bar, and then on About Google Chrome.

Another option is to download the latest version of the web browser from the official download channels, which are accessible here (for Chrome Stable) and here (Chrome Beta)

In other news: Today is the day that the Internet Explorer 9 Beta will be released to the public. Interested users can tune in to a web cast at 10:30 PST to learn about the new features in Internet Explorer 9.

Stable version updates on the other hand affect the majority of Chrome users, who are running this version of the browser.

Today’s stable channel update brings the Chrome version to 5.0.375.127 on Windows, Mac and Linux.

The security update fixes several vulnerabilities in the web browser, among them two with a severity rating of critical, the highest possible rating. Six of the remaining seven vulnerabilities are rated as high, and the last one as medium.

• Critical Memory corruption with file dialog.
• High Memory corruption with SVGs.
• High Bad cast with text editing.
• High Possible address bar spoofing with history bug.
• High Memory corruption in MIME type handling.
• Critical Crash on shutdown due to notifications bug.
• Medium Stop omnibox autosuggest if the user might be about to type a password.
• High Memory corruption with Ruby support.
• High Memory corruption with Geolocation support.

Chrome stable users are asked to update their web browser immediately to protect the browser and computer system from possible exploits.

Updates are as usually available at the official Google Chrome website, and via the About Google Chrome menu in the browser itself.

The script blocking options in the Google Chrome browser on the other hand are still very limited, which can be attributed to the architecture of the web browser according to the NoScript developer.

While it is possible to block plugins and JavaScript for all pages, and even enable them on some, it is not possible to block or enable scripts selectively.

Click To Play is a step in the right direction. Users with plugins blocked for all websites, can for instance use click to play to enable Flash selectively. Youtube videos are blocked in this configuration on page load, but can be activated and played with the click of the mouse.

That’s very comfortable as it saves bandwidth and increases the security in the web browser.

Click to Play has been recently added to the dev version of the Chrome browser. It has to be enabled with the command line switch --enable-click-to-play.

Plugins need to be blocked in Google Chrome for Click to Play to become useful. This is done by clicking on the Wrench icon and selecting Options from the menu.

Switching to the Under the bonnet tab and clicking on the Content Settings button opens the configuration menu. Plugins can be blocked in the Plug-ins submenu by selecting “Do not allow any site to use plug-ins”.

Sites that should not be affected by the plugin blocking can be whitelisted under Exceptions, so that all plugins are loaded normally on page load.

block plugins chrome

Every web page that tries to load a plugin will display information that the plugins were blocked on the page.

chrome click to play

A click on run plug-in this time will load the plugin. In the case of Youtube, play the video on the site.

Google Chrome indicates blocked plugins in the address bar as well. The new icon can be used to whitelist the domain, so that it is automatically added to the exceptions list.

google chrome plugins

Click to play is a step in the right direction. If the developers would only add that option for all scripts on a page, not only plugins. Still, it is an improvement over previous behavior.

Expect the new click to play functionality to be added soon in the beta and stable releases of the Google browser as well.

But the fear is only one side of the medal. Users who are careless about the installed plugins are benefiting immensely from the internal plugins. They personally do not have to follow the latest security announcements to update their plugins the second a new update is issued, Google does that for them.

Chrome users who prefer not to use the internal plugins can disable them easily.

The Chrome developers have added another powerful weapon to the web browser; Plugin controls that can be used to allow plugins only on whitelist domains, trusted domains that the user added to the browser.

The plugins will simply not work on other websites if configured correctly. That’s beneficial to users who need Flash or another plugin on a handful of sites only.

Google does not stop here, several interesting additions to Chrome’s plugin handling have been announced at the official Chromium Blog.

Google Chrome will protect the users from outdated plugins. It will simply refuse to run them and aid the user in updating the plugins so that they can be used again in the web browser. It is not clear how the plugin database will be maintained, it is however unlikely that all plugins available worldwide are listed in it. It is likely that the most popular plugins are maintained in the database.

Protection from out-of-date plug-ins: Medium-term, Google Chrome will start refusing to run certain out-of-date plug-ins (and help the user update).

A second interesting feature is the ability to warn users of plugins that have been infrequently used in the past. Some plugins are installed by software or the user and never used in the web browser. Chrome will warn the user about those plugins so that they can be deactivated in the plugin manager.

Warning before running infrequently used plug-ins: Some plug-ins are widely installed but typically not required for today’s Internet experience. For most users, any attempt to instantiate such a plug-in is suspicious and Google Chrome will warn on this condition

Those two additions can be very helpful and it is likely that other browser developers will offer those features in their browser eventually as well. Mozilla has already started to inform users about outdated plugins during updates.

Google Chrome Stable is the official Google browser offered to the public, while Google Chrome Beta and Google Chrome Dev are offered to tech enthusiasts and developers.

The update raises the stable version of Google Chrome to 5.0.375.70.

A total of eleven security issues have been fixed of which nine have received a severity rating of high and two of medium.

• Medium Cross-origin keystroke redirection.
• High Cross-origin bypass in DOM methods.
• High Memory error in table layout.
• [Linux only] High Linux sandbox escape.
• High Bitmap stale pointer.
• High Memory corruption in DOM node normalization.
• High Memory corruption in text transforms.
• Medium XSS in innerHTML property of textarea.
• High Memory corruption in font handling.
• High Geolocation events fire after document deletion.
• High Memory corruption in rendering of list

markers.

Chrome users who are working with the stable version of the web browser are asked to update their browser immediately to protect it against exploits targeting the security issues. The update can be started by clicking on Tools > About Google Chrome.

Update: Google Chrome Dev has also been updated.

The browser was updated to Google Chrome 4.1.249.1064 fixing two bugs and three security issues in the process. One bug affected the JavaScript performance of the browser while the other reported an incorrect path for the Java plugin.

The security vulnerabilities have all received a high rating which is the second highest security vulnerability rating.

High Cross-origin bypass in Google URL (GURL).
High Memory corruption in HTML5 Media handling.
High Memory corruption in font handling.

Google Chrome users who are still running the stable channel on Windows are encouraged to update the web browser as soon as possible to fix the security issues and bugs.

It is possible to install the update directly in Chrome by clicking on the Tool icon in the main toolbar and then About Google Chrome. Users who prefer to download the latest version can do so at the official Google Chrome website.

A total of seven security vulnerabilities have been fixed in the release of which four have been classified as high and three as normal.

[$500] [39443] High Type confusion error with forms. Credit: kuzzcc.
[39698] High HTTP request error leading to possible XSRF. Credit: Meder Kydyraliev, Google Security Team.
[40136] Medium Local file reference through developer tools. Credit: Robert Swiecki, Google Security Team; Tavis Ormandy, Google Security Team.
[40137] Medium Cross-site scripting in chrome://net-internals. Credit: Robert Swiecki, Google Security Team; Tavis Ormandy, Google Security Team.
[40138] High Cross-site scripting in chrome://downloads. Credit: Robert Swiecki, Google Security Team; Tavis Ormandy, Google Security Team.
[40575] Medium Pages might load with privileges of the New Tab page.
[$500] [40635] High Memory corruption in V8 bindings. Credit: kuzzcc; Google Chrome Security Team (SkyLined); Michal Zalewski, Google Security Team.

Chrome users running a stable version can update the web browser by checking for updates in the About Google Chrome page after clicking on the tools icon in the browser’s toolbar. Users who want to try out the Chrome browser can download the latest version from the official website.

The Google Chrome Releases blog lists a total of nine security vulnerabilities that have been fixed in the latest stable release of the web browser.

High Race conditions and pointer errors in the sandbox infrastructure.Credit to Mark Dowd, under contract to Google Chrome Security Team.

Low Delete persisted metadata such as Web Databases and STS.Credit to Google Chrome Security Team (Chris Evans) and RSnake of ha.ckers.org.

Medium HTTP headers processed before SafeBrowsing check.Credit to Mike Dougherty of dotSyntax, LLC.

High Memory error with malformed SVG.Credit to wushi of team509.

High Integer overflows in WebKit JavaScript objects.Credit to Sergey Glazunov.

Medium HTTP basic auth dialog URL truncation.Credit to Google Chrome Security Team (Inferno).

Medium Bypass of download warning dialog.Credit to kuzzcc.

High Cross-origin bypass.Credit to kuzzcc.

High Memory error with empty SVG element.Credit to Aki Helin of OUSPG.

Google is still running the monetary compensation program for developers who find security vulnerabilities in the web browser.

The developers have also disabled the experimental anti-reflected-XSS feature called “XSS Auditor” in this release as it caused serious performance issues in some rare cases.

The latest version of Google Chrome can be downloaded directly from the official Google website.

Google Chrome 4 fixes 13 security vulnerabilities that affect previous versions of the web browser. Six of the vulnerabilities have been rated as high by the security team which usually indicate vulnerabilities that allow an attacker to take control of the computer system.

* [3275] Low Pop-up blocker bypass. Credit to Google Chrome Security Team (SkyLined).
* [9877] Medium Cross-domain theft due to CSS design error. Credit to Chris Evans of the Google Security Team.
* [12523] Medium Browser memory error with stale pop-up block menu. Credit to Jacob Balle and Carsten Eiram, Secunia Research.
* [20450] Low Prevent XHR to directories. Credit to the Chromium development community.
* [23693] Low Escape more characters in shortcuts. Credit to Michal Zalewski of the Google Security Team and, independently, Inferno of SecureThoughts.com.
* [8864] [24701] [24646] High Renderer memory errors drawing on canvases. Credit to Michal Zalewski of the Google Security Team and Google Chrome Security Team (SkyLined).
* [28566] High Image decoding memory error. Credit to Robert Swiecki of the Google Security Team.
* [29920] Low Corner case failure to strip Referer. Credit to the Chromium development community.
* [30660] High Cross-domain access error. Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services.
* [31307] High Bitmap deserialization error. Credit to Mark Dowd, under contract to Google Chrome Security Team.
* [31517] Low Browser crash with nested URL.

Users running a previous version of the Google Chrome web browser – which can either be a release version of a developer version that has not been updated yet – are encouraged to either update to the stable version that has been released by Google to the public or to the latest dev versions that do not contain the security vulnerabilities as well.

The stable version can be downloaded from the official Google Chrome website (only available for the Windows operating system).

Additional differences become apparent in the web browser plugin development and availability. Some browsers offer thousands of plugins while others only a handful. Plugins can be a very effective way of adding additional protection to the web browser. This article is about the top 5 security plugins for the most popular web browsers. If you know of a plugin that is missing in the list let us (and everyone else) know about it in the comments.

Mozilla Firefox

No Script – The one add-on that many security experts do not want to live without. No Script can block script execution on websites. It does so on all websites by default with the option to enable specific scripts temporarily or permanently. The add-on can prevent script based attacks (most of them are) if used correctly.

Last Pass – The password manager for Firefox. It can generate and remember secure passwords, fill out forms and even auto login the user into websites. The three important security related features are secure password generation, password storing and auto login. Secure passwords have the weakness that they are hard to remember. It is simply easier to remember 123456 than f&z_cU!;re4xZ especially if you consider that unique passwords should be used one every website. With Last Pass users get unlimited secure passwords with the need to only remember the master password. The auto login feature can be very effective against phishing attacks as it won’t work on phishing websites that use a different url than the original.

No Redirect – A versatile add-on that handles several things at once. It will reveal the destination url of short url services and prevent that Internet providers and other companies use DNS hijacks to show their (search pages). This does happen for instance with many major ISPs if the user mistypes a domain extension.

Link Extend and Web of Trust – Link Extend and Web of Trust provide a similar functionality. They provide website ratings to inform the user about potentially dangerous websites. Both display ratings in major search engines but also in a toolbar for the active page.

CS Lite – Cookie permissions on a per-site basis. Allows the user to block or allow cookies permanently or temporarily.

Backup: Febe Firefox Backup. It is always a good idea to create regular backups to be prepared when data gets corrupted or deleted. Febe is a Firefox add-on that can backup all profile data of the web browser including bookmarks, settings, extensions and passwords.

Google Chrome

Last Pass – The Last Pass password manager is also available for the Google Chrome web browser. Extension support is currently only available for dev releases of the Google browser. The functionality on the other hand is similar to that of the Firefox add-on. It is possible to generate passwords, store them and use the auto login feature.

Flash Block – This is the closest to the No Script Firefox add-on. Flash Block will only block Flash content but not other script related objects.

McAfee Site Advisor bookmarklet – There are not many Google Chrome extensions yet. Bookmarklets try to close that gap by allowing all Google Chrome users – and not only those that use a dev version – to make use of additional features. This bookmarklet will display McAfee Site Advisor ratings when executed. Comparable to Wot or Link Extend with the difference that it has to be executed manually.

Adsweep and Adblock+ – Two options to disable most advertisement that is displayed on websites. These add-ons are more about the annoying objects on websites and less about security. They can however be helpful in situations were rogue ads are displayed that spread malware.

Backup: Fav Browser – Fav Browser 2 can backup and restore all settings of Google Chrome 2, 3 or 4.

Internet Explorer

Last Pass – Did we mention that we love Last Pass? The password manager is available as a plugin for Microsoft’s Internet Explorer. It offers the same functionality on all supported web browsers including password generation and secure storage of passwords.

Web of Trust or Trend Protect – Both display ratings for the active websites and websites that are listed in the major search engines (Google Search, Yahoo Search, MSN). They can be used as an indicator if a site’s potentially dangerous to visit.

IE7 Pro – A great plugin for Internet Explorer (not only 7 but also Internet Explorer 8) that offers ad blocking and many additional features. It comes closes to the No Script Firefox add-on. The ad blocker includes a Flash Blocker. Another interesting module is userscript support which can be also beneficial to security.

Backup: Fav Backup – You can use the tool to backup and restore Internet Explorer profile settings.

Only four for Internet Explorer. Do you know of additional Internet Explorer security add-ons? Let us know in the comments.