
Forum Thread: How to fix Psi report of chrome insecure

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Google
And, this specific program:
Google Chrome 5.x

This thread has been marked as locked.
gordon55y How to fix Psi report of chrome insecure
Member 23rd Jul, 2010 04:56
Ranking: 0
Posts: 1
User Since: 23rd Jul, 2010
System Score: N/A
Location: US
I have done some investigation, and I thought I would document my experience.
The google chrome browser has a nasty habit of keeping the previous version
of chrome on your machine when you upgrade to the latest chrome.
You can see the versions at:
C:/users/<user>/AppData/local/google/chrome/application/versionN
C:/users/<user>/AppData/local/google/chrome/application/versionN+1

The chrome.exe is at:
C:/users/<user>/AppData/local/google/chrome/application/chrome.exe

The chrome.exe is somehow smart enough to select the most recent .dll
from the versionN+1 folder. So, in theory the versionN/chrome.dll would never run.
However, Psi detects the versionN/chrome.dll and says it is insecure.
I would argue that the chrome install should remove versionN when installing
versionN+1. That has been debated at google chrome:
http://code.google.com/p/chromium/issues/detail?id...

Some have suggested to simply delete the versionN folder manually.
That seems clumsy to me.
I have discovered that if you simply install versionN+1 again (twice),
the second install will remove the versionN folder.
And that fixes the Psi report of insecure chrome.
By the way, you cannot install chrome twice from chrome, you need to
do it from another browser. I used FF.

Thanks for Psi. I never would have found some of this stuff on my own.
gordon55y
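An added example, not part of the original post and not Secunia's or Google's code: a read-only check that lists the leftover version folders described above, so they can be reviewed before a scanner flags them. It assumes the version folders are named as dotted numbers and compares them numerically; the folder names in `build_sample` are constructed sample values.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: version folders are named as dotted numbers, e.g. "5.0.375.99".
VERSION_RE = re.compile(r"\d+(\.\d+){1,3}")

def version_key(name):
    """Turn '5.0.375.125' into (5, 0, 375, 125) so the comparison is numeric."""
    return tuple(int(part) for part in name.split("."))

def find_version_dirs(app_dir):
    """Version-named subfolders of app_dir that hold a chrome.dll, oldest first."""
    app_dir = Path(app_dir)
    if not app_dir.is_dir():
        return []
    dirs = [d for d in app_dir.iterdir()
            if d.is_dir() and VERSION_RE.fullmatch(d.name)
            and (d / "chrome.dll").is_file()]
    return sorted(dirs, key=lambda d: version_key(d.name))

def stale_version_dirs(app_dir):
    """Every version folder except the newest one: the leftovers to review."""
    return find_version_dirs(app_dir)[:-1]

def default_app_dir():
    """Per-user install location named in the post (Windows only)."""
    local = os.environ.get("LOCALAPPDATA")
    return Path(local) / "Google" / "Chrome" / "Application" if local else None

def build_sample(root):
    """Constructed sample layout: two version folders and one unrelated folder."""
    root = Path(root)
    for name in ("5.0.375.99", "5.0.375.125"):
        (root / name).mkdir()
        (root / name / "chrome.dll").write_bytes(b"")
    (root / "Dictionaries").mkdir()
    (root / "chrome.exe").write_bytes(b"")

if __name__ == "__main__":
    target = default_app_dir()
    if target is None or not target.is_dir():
        tmp = tempfile.TemporaryDirectory()  # fall back to the constructed sample
        build_sample(tmp.name)
        target = Path(tmp.name)
    for stale in stale_version_dirs(target):
        print("stale version folder:", stale)
```

The script only reports; a plain string sort would rank 5.0.375.99 above 5.0.375.125, which is why the names are compared as number tuples.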

Anthony Wells RE: How to fix Psi report of chrome insecure
Expert Contributor 23rd Jul, 2010 10:40
Score: 2445
Posts: 3,332
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 23rd Jul, 2010 10:51
@Gordon55y,

When the Google Chrome stable version updates (silently or by your manual choice), the PSI (in "advanced" mode) will display either N and N+1 as both showing in the "patched" tab or an insecure/vulnerable N will move and show in the "insecure" tab.

The PSI only picks up a Dev channel or Beta version of Chrome as Google Gears 0.x, always in the "patched" tab unless Gears itself has been updated (very infrequently), but each still located in either the N or N+1 folder.

If you click the [+] at the left end of any of the displayed programmes, it/the page will expand; lower down in the "Toolbox" section is an "open folder" icon; click on this and you are taken to the N or N+1 version numbered "sub folder(s)" (using Explorer on my XP SP3); highlight the one you wish to remove, right click and delete.

I have not found this clumsy, perhaps not elegant, and much quicker than the option of a reinstall/overinstall.

Everyone has their faults :))

Take care
Anthony

PS: have always guessed that the older version was/is left behind so that the interested/developers could easily compare the updates; not really a problem until there is a security update. While/if the .exe can pick/see between two .dll's, then so can a "bad guy" - nothing is 100% sure except death and taxes - so I always kill the "vulnerable" versions.

--


It always seems impossible until it's done.
Nelson Mandela