
Forum Thread: Google Chrome 4

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

This thread has been marked as locked.
metaed Google Chrome 4
Member 9th Dec, 2009 16:09
Ranking: 1
Posts: 110
User Since: 11th Feb, 2009
System Score: 100%
Location: US
The Chrome beta and Chrome dev releases are popular, especially now that Chrome extensions are in beta.

Currently, if you happen to be running one of these, Chrome is completely invisible within Secunia PSI.

This would be a good thing to change. Installed browsers should be listed even if they are beta versions.

--
Sometimes they fool you by walking upright.

Anthony Wells RE: Google Chrome 4
Expert Contributor 9th Dec, 2009 21:00
Score: 2445
Posts: 3,337
User Since: 19th Dec 2007
System Score: N/A
Location: N/A


FileHippo cannot keep up with either Chrome Betas or stable versions and it's only an update checker.

PSI is a security/vulnerability checker and to know quite how they would/could keep up with the Chrome Dev channel - for free - Hmmm. They may have other fish to fry.

Safe Browsing rules suggest a "secure" browser as a minimum; running with a Beta release - or in the dev channel - in the netherworlds of the web is asking a lot of your entire security system A/V, A/M, PSI etc.

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
metaed RE: Google Chrome 4
Member 9th Dec, 2009 22:07
Score: 1
Posts: 110
User Since: 11th Feb 2009
System Score: 100%
Location: US
Last edited on 9th Dec, 2009 22:08
I am suggesting that PSI should report Chrome is installed, whether or not it is the beta or dev release. Otherwise it is failing to notify the user of a potential major security problem that is installed.

PSI was able to keep up with Chrome beta when the only version available was the beta, so I suppose it is still not too hard.

As for how Secunia can manage this easily, I would say Google Chrome development team should be feeding them the signatures.

--
Sometimes they fool you by walking upright.
Anthony Wells RE: Google Chrome 4
Expert Contributor 9th Dec, 2009 22:34
Score: 2445
Posts: 3,337
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

If a Beta or Dev channel browser user needs PSI to tell him he runs a potential risk, then that person should probably stick to stable releases.

If I remember correctly the original Betas were "Google" style Betas and pretty much ready to roll, same for Gears and so relatively easy to check. That whole scene moved on and late 2's or 3's were "real" Betas and stopped being reported; I really do think it is a question of workload even for release Betas.

Secunia have their standards to maintain and need to identify real vulnerabilities; I guess that's why their policy is to exclude Betas and eye candy fixes in the first place. It might be more tricksy than being fed signatures.

--


It always seems impossible until it's done.
Nelson Mandela
metaed RE: Google Chrome 4
Member 9th Dec, 2009 22:59
Score: 1
Posts: 110
User Since: 11th Feb 2009
System Score: 100%
Location: US
It is not just the one user that needs to be told. Consider that a family PC is used by more than one person. It may be maintained by one person, but any user can install any channel of Chrome into their own user profile without special privileges. This leaves the PC with a risky configuration without the maintainer knowing it. Switching a Chrome install to beta or dev channel causes PSI to tell the maintainer that Chrome was removed. This is dangerously misleading.

--
Sometimes they fool you by walking upright.
Maurice Joyce RE: Google Chrome 4
Handling Contributor 10th Dec, 2009 13:45
Score: 11799
Posts: 9,040
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Another viewpoint.

I suspect Secunia will remain totally professional & never report on Beta programme versions.

I believe there are numerous reasons for this approach:

1. PSI is a clone of CSI. I cannot think of any Corporate IT Director ever allowing a Beta programme to be installed on a working platform. Beta testing is highly specialised & is normally conducted on a fully loaded clone platform where any bugs, incompatibility issues, insecurities & customisation requirements can be reported back to the vendor without harm to the main work flow. On that basis Corporate Users have no requirement for a vulnerability check.

2. Home users would be wise to follow that example unless experienced in IT matters. To change its current stance to accommodate free users who like to download things "off piste" would be crazy. Beta testing is a contract between the user & vendor with no third party intervention.


3. Good Beta testing of any product should be controlled by the vendor. A typical one is here: http://support.scansoft.com/beta/

Tester selection is carefully controlled whereby they are assured that the individual selected has the knowledge to properly report bugs etc & fix their own platform if things go horribly wrong.

4. There are an equal number of vendors who are less responsible. They dump their Beta programmes (aided and abetted by 3rd party updaters) onto the web but give little or no advice on how to handle them. As I noted on a recent thread there are some that think Beta programmes are TRIAL WARE. Nothing could be further from the truth.
It is doubtful that many also realise or are told by the vendor that:

(a) To install a Beta version on a main flow platform without activating (or checking it is activated) the Kernel Memory Dump is asking for trouble.

(b) There is normally no vendor support therefore it is assumed the user (tester) is capable of digging his own way out of trouble if a Blue Screen of Death or Black Screen of Doom appears or has a method of disabling a feature if it becomes insecure during testing.

5. I am perhaps fortunate in that I have a second "test PC" that is constantly loaded with Beta programmes & "freebies" for testing. It has had so many system crashes over the years that I made a firm decision that no Alpha/Beta/RC programmes would ever be loaded onto my main platform.

Secunia appear to support that stance by refusing to get involved in any testing environment except their own.

Much better would be to advise Novice & Intermediate Users to NEVER install Alpha/Beta/RC programmes unless they enjoy "the thrill of the unexpected". Advanced users can look after themselves without help from Secunia.

Worth checking with Secunia Support if this facility is deemed vital.


12:40 10/12/2009




--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: Google Chrome 4
Expert Contributor 10th Dec, 2009 16:43
Score: 2445
Posts: 3,337
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Even Google make some attempt to explain some of the basics before you change channels :-

http://www.chromium.org/getting-involved/dev-chann...

The fact that FileHippo seem to offer a huge range of "Betas" some of which are in the Dev Channel and some public release Betas without differentiating and seemingly having lost sight of "stable" versions is (for me) a real concern, if it encourages the novice to "experiment"; the web is dangerous enough as is :((

--


It always seems impossible until it's done.
Nelson Mandela
metaed RE: Google Chrome 4
Member 10th Dec, 2009 18:27
Score: 1
Posts: 110
User Since: 11th Feb 2009
System Score: 100%
Location: US
@Maurice You have gotten to the heart of the matter by pointing out that each software developer has its own meaning of "beta". This means Secunia cannot simply rely on the word "beta" to determine whether to issue a report on the application.

And obviously they do not. When Google released the first stable version, 1.0.154.36, PSI began reporting it. And even if you were getting updates from the beta or dev channel, PSI continued to report that the software was present.

This continued through versions 2 and 3. And it made sense, because the browser component of a PC is important to security.

Now that we are getting close to a stable version 4 being released, Secunia PSI is no longer reporting that the software is present if the installed version is from the beta or dev channel and has the "4" major release number.

It is all very well to suggest that the wise user should not run off the beta or dev channel on a "production" system, whether that is at work or at home. But that is not realistic. Remember that Chrome installs into the user's own profile, so even a user without administrator privileges can install it.

I cannot think of a corporate IT director --- or a parent --- who would not want to know that a user had installed the Chrome browser, beta or not. It makes no sense to stop reporting the fact that a browser has been installed, because this is a critical fact that the person maintaining the system might not otherwise find out about.

How many teenagers do you know? :-)

Of course we cannot expect Secunia to perform vulnerability testing on any beta or dev release of Chrome. (They would be wise to perform vulnerability testing on release candidates, though.) But the presence of the Chrome browser should never go unreported.

--
Sometimes they fool you by walking upright.
Anthony Wells RE: Google Chrome 4
Expert Contributor 10th Dec, 2009 18:44
Score: 2445
Posts: 3,337
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

If you want to know what you and any user is running on your PC, try Gabriel's programme (System Information for Windows) ;-

http://www.gtopala.com/

What people download to your PC is your responsibility; PSI is not a nanny programme.

--


It always seems impossible until it's done.
Nelson Mandela
metaed RE: Google Chrome 4
Member 10th Dec, 2009 21:26
Score: 1
Posts: 110
User Since: 11th Feb 2009
System Score: 100%
Location: US
I agree that PSI cannot be expected to report on any executable found on the PC. Its task is to report rev levels and risk levels of known applications. Therefore it should be reporting the rev level of any world-wide release of a major browser, as it had been doing, instead of showing it as not installed.

(Characterizing that as a wish for a "nanny programme" is somewhat scornful. Personal remarks do not add anything constructive to the thread.)

--
Sometimes they fool you by walking upright.
Anthony Wells RE: Google Chrome 4
Expert Contributor 10th Dec, 2009 21:39
Score: 2445
Posts: 3,337
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

I am using the Queen's English; I often hear "parental control" programmes thus referred; and PSI still isn't one.

I was speaking generally as I know nothing about you personally.

--


It always seems impossible until it's done.
Nelson Mandela
metaed RE: Google Chrome 4
Member 10th Dec, 2009 21:43
Score: 1
Posts: 110
User Since: 11th Feb 2009
System Score: 100%
Location: US
Please convey my best wishes of the season to Her Majesty.

--
Sometimes they fool you by walking upright.
Anthony Wells RE: Google Chrome 4
Expert Contributor 30th Dec, 2009 17:32
Score: 2445
Posts: 3,337
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello metaed,

HM's initial response was "cheeky blighter, off with his head" so take care on your next visit!!

She did point out that while Chrome Beta versions themselves are not picked up by PSI, it does seem to record all the "Google Gears 0.x" locations, i.e. stable and/or beta versions on her (and my) PC.

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
