
Forum Thread: Google Chrome

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
ottchris-primary Google Chrome
Member 10th Jun, 2009 16:46
Ranking: 5
Posts: 25
User Since: 19th Apr, 2008
System Score: 100%
Location: UK
[Secunia PSI Version 1.0.0.6 Beta]

There are earlier Beta threads concerning Google Chrome but they appear to be mistaken in reporting the problem as fixed.

The root cause of the problem would appear to be the way Google Chrome updates are maintained. For example, I ran an update today which updated Chrome from 2.0.172.30 to 2.0.172.31. The Chrome executable sits in a parent directory with dlls in a subdirectory whose name is the version number, e.g. 2.0.172.30. Most of the time, but not always, the update process retains one previous version intact. So this time round, post update, we are left with two subdirectories, 2.0.172.30 and 2.0.172.31. It would appear that the update process modifies the executable to, by some mechanism (registry?), load the new dlls, i.e. the executable itself does not appear to have been modified.

Now, PSI lists the dll, not the executable as the secure/insecure module i.e. before the update it just listed the 2.0.172.30 module as insecure. Post update, a rescan of the insecure module merely confirms the module as insecure although when Chrome is run it picks up the new secure modules. Following a rescan of the entire system, PSI now reports two instances of Chrome even though there is only one executable, i.e. it lists the 2.0.172.30 dll as insecure and the 2.0.172.31 dll as secure. In the secure browsing tab it also has two instances of Chrome.

Previously, the same 'retain the previous dll subdirectory' system was in operation when Chrome went from version 1 to version 2. I think the version 1 dll subdirectory was removed in the last update before this so for a short time, and before the recent update, only the 2.0.172.30 subdirectory existed. This may be why it was mistakenly thought the problem had been resolved.

Apologies for the long-winded explanation; just trying to ensure the way Chrome appears to be being updated is fully understood.

Regards to All,

Chris

--
OS: Windows XP Pro SP3
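
The directory layout described in the post above, turned into a read-only audit (an added example, not part of the original post and not Secunia's or Google's code): it lists the version-named subdirectories, compares them numerically, and reports the older ones that still hold DLLs, which is what a file-based scanner keeps flagging. The function names, the sample tree and the entry 2.0.172.9 are constructed for illustration, and treating the highest version as the one in use is an assumption.

```python
import tempfile
from pathlib import Path

def parse_version(name):
    """Turn '2.0.172.31' into (2, 0, 172, 31); return None for non-version names."""
    parts = name.split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit_versioned_install(app_dir):
    """Return (current, stale) for the version-named subdirectories of app_dir.

    Assumption: the highest version is the one the launcher loads. Every
    lower-versioned directory that still holds a DLL is reported as stale,
    because a file-based scanner will keep flagging those files.
    """
    found = []
    for entry in Path(app_dir).iterdir():
        version = parse_version(entry.name)
        if entry.is_dir() and version is not None:
            found.append((version, entry))
    found.sort()  # numeric tuple order, so 172.9 sorts before 172.30
    if not found:
        return None, []
    current = found[-1][1].name
    stale = [d.name for _, d in found[:-1]
             if any(f.suffix.lower() == ".dll" for f in d.iterdir())]
    return current, stale

def build_sample_tree(root):
    """Constructed layout for the demo; 2.0.172.9 is an invented extra entry."""
    for name in ("2.0.172.9", "2.0.172.30", "2.0.172.31", "Dictionaries"):
        (Path(root) / name).mkdir()
    for name in ("2.0.172.9", "2.0.172.30", "2.0.172.31"):
        (Path(root) / name / "chrome.dll").write_bytes(b"")
    (Path(root) / "chrome.exe").write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        current, stale = audit_versioned_install(build_sample_tree(tmp))
        print("current:", current)
        for name in stale:
            print("stale, still on disk:", name)
```

The script only reads the directory tree; removing a stale directory is left to the user.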

Anthony Wells RE: Google Chrome
Expert Contributor 10th Jun, 2009 17:32
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Jun, 2009 17:36
I think you have summed things up extremely well, especially for a non techie like me.
In my case I seem to have resolved the problem by loading the version installer I want and running it and updating with it - nothing seems to happen, but it does it very quickly, & then when you check the browser or files it's updated and for me "seems" to leave just the new folder - in my case v2.0.181.1 - and the new .dlls. The old .exe seems unchanged, as you said. Or maybe it's all beginners luck and v3 will trap us again.

--


It always seems impossible until its done.
Nelson Mandela
BigDave_39 RE: Google Chrome
Member 10th Jun, 2009 21:21
Score: 0
Posts: 177
User Since: 26th Nov 2008
System Score: N/A
Location: Washington, DC, US
Great information mate. Well written and to the point.

I wonder why Google have chosen this approach? One would think it should be able to clean it up...

Looking at chrome.exe (right-clicking it), the version information is "0.0.0.0", that must be why the PSI is not detecting chrome on this file.

--
Big Dave
graham_346 RE: Google Chrome
Member 12th Jun, 2009 20:03
Score: 0
Posts: 3
User Since: 19th Jan 2008
System Score: N/A
Location: N/A
Thank you for the explanation. However, even though I have administrator rights, I could not remove the old version (access denied!) from within the Secunia window. I am running Vista Home Pre 64b version (SP2 updated).

Maybe I'll set an ignore rule until it goes away on its own (with Chrome v3????).
mgrudem RE: Google Chrome
Member 13th Jun, 2009 19:04
Score: 0
Posts: 2
User Since: 2nd Jun 2009
System Score: N/A
Location: N/A
Thanks for the explanation! Simple solution is simply going in and removing the old directory. Beware, you must completely remove the old directory from your system (empty your recycle bin or Shift+Delete) because PSI will still consider your system unpatched.

MG
Anthony Wells RE: Google Chrome
Expert Contributor 13th Jun, 2009 19:29
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 13th Jun, 2009 19:32
I followed & commented on Chrome when PSI v1.0.0.5 started.
At first only Google Gears was picked up as the Chrome 2 I had loaded is/was a Beta. PSI then showed V2 as a Browser and then my actual version in the main scan as patched. This all happened quite quickly.
As the .exe file is not numbered for any Chrome version, I'm guessing that PSI could only use the .dll files and, Beta or not, it makes no difference. This also relates to .dll's in the recent Adobe 9 problems.
So we get some benefit, i.e. Betas show up; and so we need to know how to housekeep the older folders until PSI and/or Chrome change the rules (you know they will!)
My use of the setup .exe, rather than the Browser update link, for new versions "seems" to work for me at the moment.

--


It always seems impossible until its done.
Nelson Mandela
English Teacher RE: Google Chrome
Member 20th Jun, 2009 15:24
Score: 2
Posts: 40
User Since: 27th Dec 2008
System Score: 95%
Location: IT
Last edited on 20th Jun, 2009 15:28
I have the latest stable version of Secunia PSI v1.0.0.4. However, despite even Google Chrome saying it's updated, PSI says it's not and that the version of Chrome is 2.0.172.30. Chrome was updated nearly two weeks ago.

I have used Chrome many times but the old folder for version 2.0.172.30 is still there, even if somebody has said that after a few start ups of Chrome it will be deleted.

Is it OK to delete this folder myself or must I wait for Chrome to do it?
C:\\\\Google\Chrome\Application\2.0.172.30

Thanks

--
Never argue with Stupid People. They just drag you down to their level and beat you with Experience.

Better to remain silent and be thought a fool, than to speak and remove all doubt.


mgrudem RE: Google Chrome
Member 20th Jun, 2009 20:19
Score: 0
Posts: 2
User Since: 2nd Jun 2009
System Score: N/A
Location: N/A
on 20th Jun, 2009 15:24, English Teacher wrote:
I have the latest stable version of Secunia PSI v1.0.0.4. However, despite even Google Chrome saying it's updated, PSI says it's not and that the version of Chrome is 2.0.172.30. Chrome was updated nearly two weeks ago.

I have used Chrome many times but the old folder for version 2.0.172.30 is still there, even if somebody has said that after a few start ups of Chrome it will be deleted.

Is it OK to delete this folder myself or must I wait for Chrome to do it?
C:\\\\Google\Chrome\Application\2.0.172.30

Thanks


Yes, you may clean up the older directory yourself. I cleaned mine up over a week ago and haven't experienced any issues.

Permanently delete the old directory, however; Secunia will find it in your recycle bin or if you rename it.

Mike, MCTS
PanthersClaws4 RE: Google Chrome
Member 4th Jul, 2009 18:33
Score: 0
Posts: 1
User Since: 3rd Jul 2009
System Score: N/A
Location: N/A
ok i must be thick since i don't really get what u said or what is happening --- the bottom line is how do i fix the issue? do i just leave it alone and have that keep popping up as an issue in secunia or is there a simple easy way to rectify the problem? and will this continue to happen with each new update of the program? thanks
Anthony Wells RE: Google Chrome
Expert Contributor 6th Jul, 2009 21:49
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
You could reread the thread where everything that might help in getting rid of the file is in the first post (more or less): that is, look for the old version folder in the main Chrome folder. If you are still not sure about dealing with programme files or wherever Chrome is loaded, ask a friend to help/teach you.

You could write/create an ignore rule using the "toolbox" link (in advanced mode) and/or just leave it; I can't say, but that could cause/be a security problem.

Depending on how you next update, the problem may well reappear! :((

--


It always seems impossible until its done.
Nelson Mandela
darkangel RE: Google Chrome
Member 22nd Jul, 2009 12:49
Score: 0
Posts: 6
User Since: 29th Jan 2008
System Score: N/A
Location: N/A
Well, I tried ... http://code.google.com/p/chromium/issues/detail?id...

:-(

_da. (glen.84)
Anthony Wells RE: Google Chrome
Expert Contributor 22nd Jul, 2009 22:09
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 22nd Jul, 2009 22:10
Hello _da aka glen.84 ,

It does show up that what the Chrome guys see as "no problem", Secunia sees the same thing & says "is this a problem?"
Do we expect Secunia to give us the answer by their assessment with or without the Chrome input; do Secunia know it's a problem or do we, or rather you in this case, act as the go-between? Chrome seem quite clear, but has anyone had direct contact with the PSI guys?
Adobe Reader 9.0 update appeared to have similar problems; at least PSI recognises Chrome Betas this way, FWIW.
Thank you for your efforts

Anthony


--


It always seems impossible until its done.
Nelson Mandela
darkangel RE: Google Chrome
Member 22nd Jul, 2009 22:14
Score: 0
Posts: 6
User Since: 29th Jan 2008
System Score: N/A
Location: N/A
Hi Anthony,

I e-mailed Secunia a short while ago regarding this matter.

_da.
