
Forum Thread: Google Chrome's security fixes through auto-updater setup

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

This thread has been marked as locked.
mtodorov Google Chrome's security fixes through auto-updater setup
Member 27th Feb, 2014 11:00
Ranking: 12
Posts: 168
User Since: 20th Mar, 2009
System Score: N/A
Location: HR
Dear readers,

To continue from the last thread, which was sadly locked, I will explain the latest findings about the Google Chrome update:

- it is a "set it and forget it" mechanism
- it seems to require 10 minutes of idle time + one hour in idle time to check and start browser update
- it works without having to start Chrome and selecting Wrench->About Google Chrome
- it works in an unattended manner

As we are an educational institution with lectures in Graphic arts, it is essential for us to have IE, Mozilla Firefox, Google Chrome and Apple Safari on the latest feature releases and with the latest bug and security fixes. Add to this the Adobe plugins that browsers use, as Chrome does (sorry for the digression from the Chrome thread).

We may later decide to also follow Opera releases, but I will consult about this with other colleagues.

What was I trying to say?

Our labs often work without a hole in the schedule from 8 AM to 8 PM. I hope there will be enough time past 8 PM for computers to perform the update of Chrome and other "set it and forget it" security fixes on browser release channels.

I have estimated there will be one to max two working days during the semester in which labs will update to the latest Google Chrome security fix. This is a problem only for zero-day Chrome exploits in the wild.

Thank you for your attention. I am interested in other people's advice, practice and results.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><

Anthony Wells RE: Google Chrome's security fixes through auto-updater setup
Expert Contributor 1st Mar, 2014 13:24
Score: 2445
Posts: 3,332
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi mt,


Threads auto-lock after 7 days of inactivity or sometimes they are locked if they have been resolved. Support will unlock a thread for the OP on request (email).

Your synopsis of Chrome silent update is pretty much spot on; bearing in mind that each machine's foibles will cause some variations in timing(s).

Secunia and Google - plus other suppliers/vendors - have always agreed that using the software/programme's internal updater is always first choice for least hassle updating, followed by the provider's website downloader and lastly any third party programme, e.g. the PSI.

Chrome's silent auto-update was one of the first to be offered to users - amongst a lot of criticism. Initially, I was also sceptical but have grown to really like it and the PSI use of SPS updaters has never been shown to be as reliable, or any kind of improvement, often leaving old files in "strange/non-default" places. The old/previous version folder/files deliberately left behind are technically not available to the bad guys but many people delete it/them manually anyway, to be sure.

Chrome allow 3 days for all machines to "auto-update" by the Google Chrome "silent" updater before any "security" holes are publicised. Zero days are a moot point and any initial potential risk is minimum; not patching or being aware of unpatched holes is where the real problem(s) lie(s) and is the real target for the bad guys.

I have had Chrome start updating when it was already open - especially when in Sandboxie - and it is best to close the browser when this happens. In this case (on my ancient XP) Setup.exe is the main process running and can use up to 50% CPU on one core with Google update.exe popping in and out.

Mozilla Firefox now offer the same/similar "auto-update" facility -> Tools -> Options -> Advanced -> Updates plus the checking option in Help -> About Firefox.

Hope that is helpful.

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
mtodorov RE: Google Chrome's security fixes through auto-updater setup
Member 1st Mar, 2014 13:31
Score: 12
Posts: 168
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Last edited on 1st Mar, 2014 14:08
Thank you, Anthony. This was informative.

I have spotted the transient and stochastic nature of Google Chrome updates as well. As said before, in working hours it is hard to expect 1h10min idle computer time. So I suppose machines will update after 8 PM, and hopefully before the automatic standby timeout, which is longer than that which Google Chrome requires.

As I maintain 50+ computers, it is essential to use unattended updates and understand what is going on if they lag behind.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><