boot13Chrome 43.0.2357.132 was announced today. There’s not a lot of information about the new version in its release notes, but the detailed change log shows that it’s mostly a bug fix release. None of the fixes appear to address security issues.
Category Archives: Google
Is Chrome spying on you? Nope.
This past week there was a lot of noise on the web about Google sneakily installing an extension into Chrome that spies on you via your computer’s microphone.
There are several aspects to this story. First, Google did indeed automatically update installs of both Chrome (its closed-source web browser) and its open-source cousin Chromium, with an extension called Hotword. Note that both browsers are designed to update themselves automatically, so this isn’t anything new. But it seemed a bit sneaky in that Hotword is an extension, and as such, a) should probably only be installed after getting confirmation from the user; and b) should show up in the browser’s list of installed extensions.
Google explained this by pointing out that some Chrome/Chromium extensions are ‘component’ extensions, and these are handled more as core components of the browser than as extra add-ons. And Hotword was designated as a ‘component’ extension.
Second, people using the open source Chromium were particularly dismayed that the browser was updating itself with code that was itself not available for review (i.e. not open source). This concern was understandable, and Google’s response was to stop installing Hotword automatically on Chromium.
Third, there was some evidence of a bug in Hotword that could allow third parties (i.e. not the user, and not Google) to use Hotword to listen to users. A demonstration of this seems to bear out this claim, but at this point it’s not clear whether there is any basis for a serious privacy concern. I’ll post more about this as things progress.
It’s important to note that the Hotword extension is not enabled by default. Even if you’re using Chrome, and Hotword is installed automatically, it won’t do anything until it’s enabled. More about that below.
Background
As you may be aware, there’s a big push on to get voice control into the mainstream. For years, we’ve seen people in SF movies talking to their computers and thought it was pretty neat. The technology for actually doing this is finally here, and it’s being added to everything, starting with our mobile devices: iPhones have Siri, Windows phones have Cortana, and so on. Microsoft is pushing Cortana into Windows on PCs now as well, in Windows 10.
Google has been experimenting with voice recognition for its search site and in Chrome for some time now. The Hotword extension is just Google’s latest improvement. Once installed in Chrome/Chromium, the browser provides various indications about its status. Visiting the main Google search page, or just opening a new tab (which shows the Google search interface by default) will now show ‘Say “Ok Google”‘ at the far right of the search prompt. There’s also a microphone icon, which has actually been there for a while.
As long as Hotword is disabled, saying ‘Ok Google’ displays a dialog that says ‘Voice search has been turned off’. You’ll also notice a camera icon – with a red line through it – in the address bar. To enable Hotword, click the camera icon and select ‘Always allow google.* to access your microphone’. Now, when you’re on the Google search page and say ‘Ok Google’, the browser will start listening for your commands. If you don’t want to enable Hotword, but want to use voice commands, just click the microphone icon.
Note: if you switch away from the Google search tab, Hotword stops listening.
Legitimate concerns?
Here’s where some of the privacy concerns may perhaps be legitimate. Even if Hotword is disabled, Chrome is clearly still listening to you, even if it: a) ignores everything you say except ‘Ok Google’, and b) will only tell you that voice activation is disabled when you say ‘Ok Google’. It’s extremely unlikely that Google has any malicious intent here. They are simply trying to make voice control seamless.
For example, I have Cortana on my Windows phone (please keep your snickering to a minimum) and although I don’t use it much, it’s particularly handy for choosing music to play. I love being able to ask Cortana to play a particular song or artist when I’m in the car. There’s just one problem: to get Cortana to listen, I have to press a button on the phone. Microsoft is working on a ‘Hello Cortana’ feature that will allow users to get Cortana’s attention without needing to pick up the phone. Certainly this feature isn’t for people who worry about their privacy, but for the rest of us, it’s just going to be very handy.
General paranoia about Google
There’s a general feeling of distrust towards Google, and it seems to be growing. Google’s spectacular success, and their financial power, make it easy to think of them as just another huge corporation trying to run our lives. Google has certainly made their share of mistakes, and some of that distrust is perhaps warranted. But I think people get carried away with this. Sure, Google wants to make money from us, mostly in the form of advertising. But aside from that, I truly believe that they are just trying to provide excellent products and services. And I think they’re doing a remarkable job.
Chrome 43.0.2357.130 fixes at least four security issues
A new version of Chrome was announced yesterday. Version 43.0.2357.130 is a bug fix release, and includes fixes for four security vulnerabilities.
Big web performance boost expected with WebAssembly
Javascript is the universal programming language of the web. Almost all web sites use it to some extent, including this site (boot13). Although many users (including myself) use Noscript and similar systems to block Javascript when browsing unfamiliar sites, it’s difficult to use many popular sites without it. For example, I spend a lot of time using Google Analytics, and I’ve configured Noscript to allow JavaScript code to run on that site.
One of the problems with JavaScript is that it’s a scripted language. That means your web browser has to parse JavaScript code, one line at a time. This is a very slow process, and contributes to slow loading times on many major sites.
Various efforts to speed up JavaScript have come and gone, without much traction. Now, several major software developers have teamed up to try again. A new JavaScript assembler called WebAssembly (aka wasm) is under development by Mozilla, Microsoft, Google, and Apple. It’s too soon to know exactly when WebAssembly will start appearing in web browsers, but we’re hopeful that it will become the new standard when it does.
Chrome gets latest Flash in 43.0.2357.124
Version 43.0.2357.124 of Google’s web browser was released today. The new version doesn’t include any changes or fixes aside from the new version of Flash.
Chrome 43.0.2357.81 released
On Monday Google announced a new version of Chrome, 43.0.2357.81. This version does not appear to include any security fixes, but it does fix two minor display issues.
Chrome 43.0.2357.65 fixes 37 security issues
Numerous security vulnerabilities were addressed in the latest release of Google’s web browser, Chrome. If you use Chrome, it should update itself automatically to version 43.0.2357.65.
Google’s efforts to clean up ad injection on the web
A recent post on the Chrome blog discusses Google’s recent efforts to clean up the growing problem of ad injection on the web.
From the post: “Ad injectors are programs that insert new ads, or replace existing ones, into the pages you visit while browsing the web.” If you’re seeing a lot of advertising on all the sites you visit, and much of it seems unrelated to the site, your computer may be running one or more ad injectors.
Ad injectors are unwanted software that is surreptitiously installed on victims’ computers through a variety of tricks, including “marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns.”
The ad injection ‘ecosystem’ is complex, and at any given time there are thousands of injection campaigns affecting web surfers.
To combat this problem, Google has identified and removed 192 apps – identified as contributing to ad injection systems – from the Chrome Web Store. Improvements in the Chrome Web Store and Chrome itself help to protect against ad injection software. And Google is reaching out to advertising networks, to assist them in eliminating ad injection. Most importantly, Google’s AdWords network policies have been tweaked, to make it more difficult for the perpetrators of ad injection schemes to promote malicious software.
Security updates for Adobe Flash and Reader
Updates for Flash and Reader/Acrobat, released earlier today by Adobe, address a variety of security vulnerabilities “that could potentially allow an attacker to take control of the affected system.”
Flash 17.0.0.188 includes fixes for at least eighteen vulnerabilities, all of which have been flagged as Critical.
Adobe Reader/Acrobat version 11.0.11 addresses seven Critical vulnerabilities.
Anyone still using Flash in a web browser should update Flash as soon as possible. If you use Adobe Reader to open PDF files from unknown sources, you should update Reader as soon as possible. As usual, newer versions of Internet Explorer will auto-update, as will Chrome (to version 42.0.2311.152).
Google pushing for mobile-friendly web sites
Google wants the web to be easier to view on mobile devices. To encourage web site owners to make their sites mobile-friendly, Google is now ranking mobile-unfriendly sites lower on mobile searches.
In other words, if you run a web site that fails to meet Google’s mobile-friendly requirements, that site will now appear lower down in Google’s search results, when the search is performed on a mobile device.
There’s no reason to panic, however. Mobile-friendliness is only one of numerous factors that determine where a site ranks in Google search results.