Chrome 21 fixes 15 security holes

In addition to security fixes, Google included two new application programming interfaces (APIs) in Chrome 21

Only one of the security fixes is for a critical hole: a crash vulnerability in tab handling on Linux, Google said in its security advisory. Six fall into the high-risk category, and the rest are low to medium-risk bugs.

The high-risk bugs include integer overflows in the PDF viewer, out-of-bounds writes in the PDF viewer, a buffer overflow in the WebP decoder, and a number of use-after-free flaws.

Google was 'thrifty' with the bug bounties, handing out only $2,000, $1,000 each to Arthur Gerkis and Juri Aedla. Many of the bugs were detected using AddressSanitizer.

“We’d also like to thank Drew Yao, Braden Thomas, and Jim Smith (all Apple Product Security), Kostya Serebryany of the Chromium development community, Atte Kettunen of OUSPG and Bernhard Bauer of the Chromium development community for working with us during the development cycle and preventing security regressions from ever reaching the stable channel”, enthused Google.

In addition, Google included two new application programming interfaces (APIs) in Chrome 21: the getUserMedia API and the Gamepad JavaScript API, explained Tommy Widenflycht, Google software engineer, in a blog post.

The getUserMedia API lets users grant web apps access to their camera and microphone without a plug-in. “This is the first step in enabling high quality video and audio communication as part of WebRTC, a powerful new real-time communications standard for the open web platform”, Widenflycht explained.

The Gamepad JavaScript API helps developers access input from a standard gamepad connected to the user’s machine, “creating a richer gameplay experience with these controllers”, he added.
 
