Chrome 28 with new Blink engine and Rich Notifications


Google has released the stable version 28 of its Chrome browser. It is the first version to use the new Blink engine for rendering web pages and it appears that the new engine will allow web pages to be loaded about ten per cent faster. The developers say that the increased speed is also thanks to the new threaded HTML parser, which frees up the JavaScript thread, allowing DOM content to be displayed faster. The HTML parser also takes fewer breaks, which is said to result in time savings of up to 40 per cent. Another contributor to the faster working speed is the optimized V8 JavaScript engine.

Rich Notifications are another new Chrome feature. Chrome already supported basic notifications, but with the new notifications users can be shown, and can interact with, tips and information outside of the browser. For example, a pop-up window in the Windows task bar can inform users when a new email arrives. Notifications can contain pictures, buttons and URLs as well as text. The notifications are handled by a notification center outside the browser, which not only allows the information to be displayed without a running browser but also serves as somewhere a user can consult to see what notifications they have missed.

Chrome’s new Rich Notifications in action
Source: Google

Rich Notifications replace HTML-based notifications in the Chrome extensions: HTML-based notifications are no longer supported in version 28. Comprehensive instructions for developers are available. At the moment, Rich Notifications only work in Chrome OS and Windows – support for Mac OS X and Linux is said to be coming.

Version 28 also closes various security holes including a richly rewarded use-after-free issue with network sockets and a well-rewarded fix to an HTTP/SSL man-in-the-middle attack. Other rewarded bugs included two use-after-free issues in input handling and resource loading, plus an out-of-bounds read in SVG, all found by Chrome bounty regular miaubiz, a screen data leak through GL textures with Windows and NVIDIA cards, and a lack of entropy in renderers.

The updated browser is available to download for Windows, Linux and Mac OS X or, for existing users, will arrive automatically. Chrome has also seen its Flash player updated to version 11.8.800.97 as noted in Adobe’s patch day.

Opera Switches to WebKit and Chromium

After many years of dealing with site compatibility issues, Opera found the solution: it will switch from its proprietary rendering engine (Presto) to WebKit and will be powered by Chrome’s open source version, Chromium.

“Presto is a great little engine. It’s small, fast, flexible and standards compliant while at the same time handling real-world web sites. It has allowed us to port Opera to just about any platform you can imagine. (…) It was always a goal to be compatible with the real web while also supporting and promoting open standards. That turns out to be a bit of a challenge when you are faced with a web that is not as open as one might have wanted. Add to that the fact that it is constantly changing and that you don’t get site compatibility for free (which some browsers are fortunate enough to do), and it ends up taking up a lot of resources – resources that could have been spent on innovation and polish instead,” explains an Opera employee.

“For all new products Opera will use WebKit as its rendering engine and V8 as its JavaScript engine. It’s built using the open-source Chromium browser as one of its components. Of course, a browser is much more than just a renderer and a JS engine, so this is primarily an ‘under the hood’ change. Consumers will initially notice better site compatibility, especially with mobile-facing sites – many of which have only been tested in WebKit browsers. The first product will be for Smartphones, which we’ll demonstrate at Mobile World Congress in Barcelona at the end of the month. Opera Desktop and other products will transition later,” mentions Bruce Lawson.

The problem with Opera is that it has a low market share on the desktop (about 1-2%) and not many web developers bother to test their sites in Opera. Google’s sites have always had issues in Opera and most Google web apps don’t officially support Opera (check the system requirements for Google Drive). Gmail’s help center actually mentions that “We don’t test Opera, but believe it works with all of Gmail’s features.” Google probably doesn’t want to allocate resources for testing sites in a desktop browser that’s not popular but has a completely different rendering engine.


In a perfect world, browsers and sites would just follow the standards and everything would work well, but it takes time to create the standards and browsers implement their own version in the meanwhile. Not to mention that browsers have all kinds of quirks.

Google launched Chrome in 2008 and one of the reasons why it chose WebKit was that “we knew we didn’t want to create yet another rendering engine. After all, web developers already have enough to worry about when it comes to making sure that all users can access their web pages and web applications.”

WebKit started in 2001 as an Apple fork of KDE’s KHTML engine and was used to build Safari; a few years later it was open sourced and Nokia ported WebKit to Symbian. WebKit is now the most popular mobile rendering engine, since it powers Safari Mobile and all iOS browsers (other than thin clients like Opera Mini), Android’s stock browser, Chrome for Android and many other mobile browsers. WebKit’s combined market share is now more than 40%, according to StatCounter and Wikimedia’s stats.

Credit: Google Operation System blog

Google updates all Chrome editions

H-Online: Google has updated the Stable, Beta and Developer Channels of the desktop version of its Chrome browser with a number of bug fixes and improvements. The Stable Channel update closes seven security vulnerabilities, three of them rated High, and includes bug fixes. New stable Chrome versions for iOS and Android have also been released and include minor improvements. The iOS version of the browser now supports Apple’s Passbook application.

The update to the Stable version of Chrome for Windows, Mac OS X, Linux and Chrome Frame (for running Chrome inside of Internet Explorer) brings it to version 23.0.1271.91. The update closes a security vulnerability in the Mac OS X version of the browser that is caused by a severe rendering bug with the operating system’s driver for Intel graphics cards. This problem was rated by Google as High priority, as was a buffer underflow problem in libxml and a use-after-free bug in the browser’s SVG filters, which have also been fixed.

The Beta Channel of Chrome for Windows, Mac OS X, Linux and Chrome Frame has been updated to version 24.0.1312.25, which includes a number of bug fixes for running applications within the browser, fixes stability issues, and solves two problems with the taskbar in Windows 8. The Beta version of Chrome for Chrome OS is now 23.0.1271.94; the update improves network stability and updates the included Pepper Flash plugin.

In the Developer Channel, Chrome for Windows, Mac OS X and Chrome Frame has been updated to version 25.0.1337.0 which includes a number of fixes and improvements, most noticeably improvements to the Live Tiles functionality for Windows 8 and bug fixes for Flash on Mac OS X. Chrome for the Chrome OS Developer Channel is now at version 25.0.1324.1, which includes a firmware update.

Chrome for iOS has been updated to version 23.0.1271.91 which has introduced the ability to open PDFs in other applications and enables users to save their airline boarding passes and tickets in Apple’s Passbook. The update also brings some security and stability improvements. Chrome for Android is now at version 18.0.1025469 on ARM and version 18.0.1026322 on x86 devices; both updates fix stability issues.

An overview of the different desktop Chrome release channels and platforms is available from the Chromium Project, the open source upstream of Chrome. The listing includes download links for the different versions of the browser. All versions of Chrome should update themselves automatically; on some mobile platforms the user will be prompted to perform the update.


Chrome 21 arrives with new API for video and audio communication

H-Online: With the release of Chrome 21, web applications can now directly access the local system’s built-in camera and microphone. Instead of requiring a special plugin, the major stable update to the WebKit-based web browser includes a new HTML5 getUserMedia API – currently a W3C Editor’s Draft – to provide web apps with access to the camera and microphone. For security purposes, users will be prompted to grant apps permission to access the hardware.

Google Software Engineer Shijing Xian says that the new release is Chrome’s “first step” towards implementing the Web Real Time Communication (WebRTC) standard, which enables browsers to use JavaScript to control real-time communications. The addition of the getUserMedia API support also enables functionality such as motion detection and real-time video effects – one demo, from StinkDigital, lets users play a xylophone by waving their hands, while another web app called HTML5 Webcam Toy uses WebGL fragment shaders (GLSL) to apply real-time special effects to a live camera video feed.

Before accessing a user’s built-in camera and microphone in Chrome, web apps must first get the user’s permission

Other changes include the addition of a Gamepad JavaScript API that enables game controllers to be used with web-based games, and improvements to Google’s Cloud Print technology, which lets users print over the web from PCs, smartphones and tablets. On Mac OS X systems, Chrome 21 now supports the new Retina display (HiDPI) in Apple’s latest MacBook Pro laptop.

Version 21 of Chrome also closes a total of 26 security holes in the browser. These include integer overflows, use-after-free errors and out-of-bounds writes in the PDF viewer, as well as a use-after-free problem in CSS DOM, and a buffer overflow in the WebP image format decoder, all of which are rated as “high severity” by the company. A critical vulnerability in tab handling and a medium-severity cross-process interference problem in renderers that affect Linux systems have also been corrected.

A full list of security fixes can be found in a post on the Google Chrome Releases blog. Chrome 21 is available to download for Windows, Mac OS X and Linux; existing users can upgrade using the built-in update function. Chrome is built from Chromium, the open source browser project run by Google.

Chrome 20 update fixes high-risk security vulnerabilities

Google has published a new update to the stable 20.x branch of Chrome to close a number of security holes in the WebKit-based web browser. Version 20.0.1132.57 of Chrome addresses a total of three vulnerabilities, all of which are rated as “high severity” by the company.

These include two use-after-free errors in counter handling and in layout height tracking that were discovered by a security researcher by the name of “miaubiz”. As part of its Chromium Security Vulnerability Rewards program, Google paid the researcher, who is number three in the company’s Security Hall of Fame, $1,000 for discovering and reporting each of the holes. A third high-risk problem related to object access with JavaScript in PDFs has also been corrected. As usual, further details about the vulnerabilities are being withheld until “a majority of users are up-to-date with the fix”. Other changes include stability improvements, and updates to the V8 JavaScript engine and the built-in Flash player plug-in.

Google also updated the Stable Channel of its ChromeOS operating system, currently available only on Samsung and Acer’s Chromebook notebooks, to version 20, just over two weeks after Google released the Chrome 20 browser on 26 June. ChromeOS 20.0.1322.54, based on the open source Chromium OS project, includes the security and stability improvements from Chrome, while also adding support for Google Drive, using Google Docs offline and other enhancements.

Chrome 20.0.1132.57 is available to download for Windows, Mac OS X and Linux; existing users can upgrade via the built-in update function. Chrome is built from Chromium, the open source browser project run by Google.

Chrome 20 closes 23 security holes

Google has closed a total of 23 vulnerabilities with the release of Chrome 20. Of those vulnerabilities, 14 are rated critical, enabling attackers to execute code in the browser’s sandbox, among other things. Integer overflow vulnerabilities in the code for processing PDF files and Matroska containers (.mkv) have also been fixed. Chrome 20 also includes the latest version of Adobe’s Flash Player on Linux, using the new cross-platform Pepper API. In testing at The H, it was confirmed that the Flash Player support also works on 64-bit Linux systems.

Google has also embedded the “Chrome to Mobile” feature that was previously available as an extension; if the Google account that is registered with Chrome is also linked with an Android phone, the current web page can be forwarded to the smartphone by clicking on the mobile phone symbol in the address bar. This feature only works with a phone running the beta of Chrome for Android, which requires Android 4.0 or higher.

Chrome usually updates automatically in the background. Users can find out whether the current version has already been installed by clicking on the wrench icon and selecting “About Google Chrome”. If required, a manual update can be triggered this way.

Google releases security update for Chrome 19

H-Online: Google has announced an update to the stable version of Chrome, which brings the browser version to 19.0.1084.52 on Windows, Mac OS X and Linux. The update is a pure security update that does not include any new features – it closes nine vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating of “High” and fixes two problems labelled “Critical” as well as two “Medium” level issues.

Many of the vulnerabilities are due to bugs in Chrome’s memory handling, such as out-of-bounds reads and use-after-free conditions, and Google points out that several of them were detected with their AddressSanitizer tool. Other bugs were fixed in Chrome’s PDF handling code and its V8 JavaScript rendering engine.

Further details about the security vulnerabilities have not yet been released; this is to give the updates time to roll out to all affected users. Google did announce that it has paid out its signature amount of $1337 to a researcher who reported one of the critical vulnerabilities. Three $1000 bounties and one of $500 were also paid to three other individuals as part of Google’s bounty program for Chrome security vulnerabilities. The company has recently published a detailed account of exactly how these types of vulnerabilities are discovered and how they reward the researchers who report security issues in a responsible manner.

Chrome 19 released with tab syncing

The H-Online: Google has announced that Chrome 19 is the new stable version of its open source based web browser. As usual, the browser sees a number of security fixes: this time there are seven high-severity fixes specifically for Chrome including various use-after-free and out-of-bounds errors. Two fixes with a wider impact than Chrome are also mentioned – a workaround for a Linux NVIDIA driver bug and an “off-by-one out-of-bounds” write in libxml. In all, $7500 was paid out in rewards to security researchers, and Google notes it has also paid out $9000 to researchers to stamp out bugs before they reached its stable channel.

There is only one major new feature in Chrome 19: support for synchronizing tabs between Chrome running on different systems signed in as the same Google user. To access the synchronized tabs, open a new tab and at the bottom of the new tab display is a menu item for “Other Devices” – selecting this displays the various devices and the tabs they have open. This tab synchronization also works with the current Chrome Android Beta, offering an alternative to the Chrome2Phone extension as a way to exchange URLs between desktop and mobile Chrome. Although the functionality for tab synchronization is already in the stable version, Google will only be gradually rolling out the supporting service over the next few weeks.

Google has also included an experimental version of Web Intents in the new stable version of Chrome. Web Intents are designed as a mechanism to allow web applications to work together without having explicit knowledge of the other web applications. Google has been working with Mozilla and at the W3C to develop a specification for the process. Services can register Intents to handle particular tasks. When a web application wishes to perform one of these tasks, with Web Intents it can query the browser to find an appropriate service and then call on that.

The announcement explains that “it’s impossible to build a complex API – especially one that requires an ecosystem of apps – without feedback from web developers using it in the wild”. The developers expect there will be significant, possibly backwards-incompatible, changes in the API as they get feedback. The API is currently prefixed to stop it being confused with whatever the final version of the API is, and intents must be registered at the Chrome App Store. Web application developers interested in Web Intents can consult “Web Intents in Chrome”.

Chrome 19 can be downloaded from Google’s page for stable Chrome. Existing users of the Chrome stable channel should be automatically updated to the new version. Chrome is based on Google’s open source browser Chromium.

Chrome 18 update closes high-risk security holes

The H-Online: Google has released a new update to the stable 18.x branch of its Chrome web browser to close a number of security holes found in the application. The update, labelled 18.0.1025.168, addresses a total of five vulnerabilities, three of which are rated as “high severity” by the company.

These include use-after-free problems in floating point handling and the XML parser; all of these bugs were detected using the AddressSanitizer. As part of its Chromium Security Vulnerability Rewards program, Google paid a security researcher by the name of “miaubiz”, who is number three in the company’s Security Hall of Fame, $1,000 for discovering and reporting one of the float handling problems. Two medium risk problems related to IPC validation and a race condition in sandbox IPC have also been corrected.

Further information about the update can be found in the announcement post on the Google Chrome Releases blog. Chrome 18.0.1025.168 is available to download for Windows, Mac OS X and Linux; existing users can upgrade using the built-in update function.

Google Chrome fixes seven high-risk vulnerabilities

The H-Online: Google has announced updates to the Stable and Beta channels of their Chrome browser, fixing several bugs and twelve security vulnerabilities. Seven of the twelve security fixes were classed as high-risk problems and Google paid a total of $6000 to the researchers who discovered the bugs.

The update also includes a new version of the bundled Flash Player. Adobe have revised the Flash Player advisory from the end of March to include fixes for a Chrome/Flash only pair of memory corruption issues listed as CVE-2012-0724 and CVE-2012-0725. Given that these issues only affect Chrome and Chrome manages its own update, it is unlikely that Adobe will be reissuing or updating the advisory or patches for other browsers and platforms.

The seven high risk vulnerabilities are bugs that left several Chrome components open to being exploited by using memory after it had been freed. Many of these issues are detected using AddressSanitizer. The Chrome developers have also fixed several cross-origin problems and two issues where the browser could be exploited to read from memory where it shouldn’t. Details of these vulnerabilities are not available yet as Google usually gives the updates some time to roll out before it publishes further information. This is done to prevent attackers from reverse engineering the vulnerabilities before the updates have a chance to reach all affected systems.

Changes in this update that are not security-related include several graphics and HTML Canvas fixes. The developers have also remedied problems with CSS rendering and bugs in the browser’s UI.