Forum Thread: PSI reports Google Chrome 6.x not secure for browsing

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread has been marked as locked.
tmalomas PSI reports Google Chrome 6.x not secure for browsing
Member 19th Sep, 2010 13:01
Ranking: 5
Posts: 8
User Since: 30th Apr, 2009
System Score: N/A
Location: N/A
The Secure Browsing tab in PSI gives misleading information. It suggests that Google Chrome has two critical attack vectors. Further examination shows that one of these refers to a previous version of Google Chrome, not the version currently installed.

If Secunia's rationale for reporting this is that the Chrome installer doesn't completely remove earlier versions then PSI should report two versions of Chrome, each with one attack vector, not one version with two attack vectors.

The relevant folders are:
C:\Users\<username>\AppData\Local\Google\Chrome\Application\6.0.472.59\chrome.dll
C:\Users\<username>\AppData\Local\Google\Chrome\Application\6.0.472.62\chrome.dll

TiMow RE: PSI reports Google Chrome 6.x not secure for browsing
Dedicated Contributor 19th Sep, 2010 14:49
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 19th Sep, 2010 14:56
Two points:

Firstly, it is a (well) known fault with Chrome updates, that the previous version is not removed with the installation of the update. This is a failing with Google and not Secunia - PSI can only report on what it finds. The old version always needs to be manually deleted from its file location (insecure or not). This is always the case.

The information shouldn't be misleading - when 2 files are present with the same insecurity, then you have that insecurity 2 times (once for each file), until the old file is removed.

Secondly, as the latest Chrome update (6.0.472.62), only became available this weekend, and reportedly addresses the problem of the bundled flash insecurity, it is unlikely that Secunia have amended their rules to reflect this, as they don't actively work during weekends.

Maybe tomorrow (Mon.) this will be reviewed.


Computing is not yet a perfect science - it still requires humans.
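
A read-only check for the leftover version folders discussed in this thread, added here as an example; it is not part of the original posts and is not how PSI works. It assumes the per-user install path quoted in the first post and treats the highest version number as the current one; `Get-StaleChromeVersion` is a hypothetical name.

```powershell
# Added example: report Chrome version folders left behind by an update.
# Assumption: per-user install layout as quoted in the thread, i.e.
#   %LOCALAPPDATA%\Google\Chrome\Application\<version>\chrome.dll
# Nothing is deleted; the function only reports what a file scanner would find.

function Get-StaleChromeVersion {
    param(
        [string]$ApplicationDir = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application')
    )

    if (-not (Test-Path -LiteralPath $ApplicationDir)) { return }

    # Keep only sub-folders named like a four-part version (e.g. 6.0.472.59)
    # that still contain chrome.dll, the file the scanner flags.
    $installed = foreach ($dir in Get-ChildItem -LiteralPath $ApplicationDir -Directory) {
        if ($dir.Name -notmatch '^\d+(\.\d+){3}$') { continue }

        $version = $null
        if (-not [version]::TryParse($dir.Name, [ref]$version)) { continue }

        $dll = Join-Path $dir.FullName 'chrome.dll'
        if (Test-Path -LiteralPath $dll) {
            [pscustomobject]@{
                Version = $version
                Folder  = $dir.FullName
                Dll     = $dll
            }
        }
    }

    # Sort as [version] objects, not strings, so 10.x ranks above 6.x.
    $installed = @($installed | Sort-Object -Property Version -Descending)
    if ($installed.Count -lt 2) { return }

    # Assumption: the highest version is the current install, so every
    # other folder is a leftover from an earlier update.
    $installed | Select-Object -Skip 1
}

# Usage: list the leftover folders for the current user.
Get-StaleChromeVersion | Format-Table -AutoSize Version, Dll
```

Close Chrome before removing any folder it reports, since a running browser may still be using the older version until it is restarted.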