
Forum Thread: Google Chrome 5.x

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
geeknerd Google Chrome 5.x
Member 10th Jul, 2010 16:46
Ranking: 0
Posts: 3
User Since: 7th Nov, 2009
System Score: N/A
Location: US
Secunia PSI v1.5.0.2 constantly reports Google Chrome 5.x as a Category 4 security threat, yet Google Chrome says that I have the latest version.

How has Secunia determined that Google Chrome is a security threat? When Secunia discovers a security threat in software whose manufacturer has not yet fixed it, how should it report that to us? Is Secunia in contact with Google to inform them of the security risk Secunia has found in Google Chrome?

Perhaps Secunia should only report security risks AFTER a fix has been provided? I used to fix every security risk Secunia PSI reports; now I only look at the Google Chrome issue once a week or so. In effect, PSI is training me to IGNORE its security warnings.

thedillpickl RE: Google Chrome 5.x
Contributor 10th Jul, 2010 18:41
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Last edited on 10th Jul, 2010 18:48
Hi geeknerd;

As you are aware, Google Chrome's current version is 5.0.375.99. If you have removed the folders (Chrome doesn't remove them) with the older versions of Chrome, it (Chrome) should be listed in the "Patched" tab of PSI and not the "Insecure" tab. The pretty colored bar that you see to the right of Chrome (hover over to show type of threat) is what the threat would be if you had not updated to the current version. This is to let the user know that they are doing a good job by keeping their software updated. To view Secunia's explanation of this, hover over the "[?]" to the right of "Patched Threat" at the top of that column.

To answer your questions:

> (Security threats, in general) Often a security threat is passed on to Secunia by the vendor or manufacturer of the software themselves, other times it is reported by known, reliable sources. Occasionally, Secunia will discover a problem.

> If you would look in the "Secure Browsing" tab, the current version of Chrome shows no vulnerability, this can change at any time. As regarding your question, the current version of Internet Explorer 8 is showing a category 2 threat and is "insecure, no solution". The "no solution" part means that Microsoft has not provided an update to fix the problem. "Secure Browsing" is where you should look to see how vulnerable your browsers are before you do any surfing. I would want to know if my browser is unsafe and what the risk is before I do my online banking or use a credit card! "Insecure" & "End of Life" tabs will also disclose security problems that need your attention.

> Yes, Secunia has good communication with Google and other software manufacturers. They even visit this forum, occasionally, to ask questions directly of the person having a problem or to get a solution out quickly. This is unusual in public forums and speaks highly of the work that Secunia has done in the field of security, both for the individual and the corporate customers.

> Secunia report when a fix is available. I would much rather know a threat exists, that is not fixable at that time, than to be oblivious to it and pay the cost of that by having my equipment harmed, or worse, my personal info stolen.

Many sports, hobbies and jobs require safety equipment to keep you from harm in the event of an accident. This is the same thing. If you disregard updates nothing may happen or something horrible may happen. Roll the dice and take your chances.

If this sounds like an advertisement for Secunia, it is. I've been a user of PSI for just over a year. I am confident my computer is more secure because of it. Previously I had to track all this myself, on two computers, that took time. Also, the chance was greater that I'd miss something. So thank you Secunia for making my life easier.


Regards;

Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+7
-0
geeknerd RE: Google Chrome 5.x
Member 10th Jul, 2010 19:15
Score: 0
Posts: 3
User Since: 7th Nov 2009
System Score: N/A
Location: US
And how do I get the Patched tab? The only tabs I see are "Secure your PC", "Secunia Profile", and "Forum". The warning I get when I select Interface Mode Advanced is off-putting.
Was this reply relevant?
+0
-0
ddmarshall RE: Google Chrome 5.x
Dedicated Contributor 10th Jul, 2010 19:45
Score: 1219
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 10th Jul, 2010 20:03
You have to be in advanced mode to see those tabs. As you are a geek and a nerd, I don't think you will find anything there to worry you.

The next release of Secunia PSI will categorise these 'left-over' files and may prevent you getting notifications every time Chrome is updated. You can read about it and try it out here:
http://secunia.com/community/forum/thread/show/444...

Secunia only advises about security threats that have been published. It is usually thought to be good practice that vulnerabilities are not publicised until the software manufacturer has issued a patch for it. Knowledge of vulnerabilities also arises when they have been discovered by malware writers and are being exploited. In that case the software manufacturer will often issue a Security Advisory to warn the public while they develop a patch. When this process is not followed you get the situation that is happening now, where a Google researcher published details of a vulnerability in Windows XP because, apparently, he did not think Microsoft were reacting quickly enough. This has led to it being exploited by malware writers up to the release of the patch scheduled for 13th July.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+4
-0
thedillpickl RE: Google Chrome 5.x
Contributor 10th Jul, 2010 22:52
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Thanks ddmarshall for expanding on the 'time to report' vulnerabilities. It is better not to leak sensitive issues such as these until a fix is available or the cat's out of the bag. Once the 'hole' is being exploited, I want to know about it! In the case of IE8, that I mentioned above, MS possibly doesn't consider it a serious threat and will fix it in the next major update.

I apologize to geeknerd, I had assumed you were in "Advanced" mode.


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+3
-0
