
Forum Thread: Google Chrome a CAD 5 Security threat??

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not those of Secunia but solely reflect those of the user who wrote them.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Google
And, this specific program:
Google Chrome 7.x

This thread has been marked as locked.
TC Tyler Google Chrome a CAD 5 Security threat??
Member 29th Oct, 2010 19:27
Ranking: 0
Posts: 13
User Since: 23rd May, 2010
System Score: N/A
Location: N/A
I thought Google Chrome was all good? Secunia is now saying CAD 5 Security threat? Should I be worried? Is anyone else having the same problem? Also, Adobe Reader is a CAD 5 as well. I uninstalled that prog.

TC

TiMow RE: Google Chrome a CAD 5 Security threat??
Dedicated Contributor 29th Oct, 2010 19:58
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 29th Oct, 2010 20:02
Secure Browsing is alerting that Chrome 7.x is Insecure, no solution (therefore is still listed in Patched and not Insecure tab). SA42031 applies - and you're right this is new (issued 28 Oct).

However, this is only part of it, as all my browser boxes are red due to Flash also being Insecure, no solution (SA41917).

Regarding Chrome, if you have an alternative browser, consider using that for the time being (Firefox, then IE, for me, security wise), and run Chrome update checker (from About...), every day - Google are normally pretty good in times like these - but if they issue a patch over the w/e, don't expect Secunia to pick it up 'til Mon.

TiMow

EDIT: The Chrome insecurity is linked with Flash because it now has an embedded flash player, so probably won't be patched until Adobe patch Flash.

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant? +3 / -0
Anthony Wells RE: Google Chrome a CAD 5 Security threat??
Expert Contributor 29th Oct, 2010 22:46
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 29th Oct, 2010 22:49
Hello,

As the SA 42031 CAT 5 vulnerability for Google Chrome relates to the embedded Flash and is the same as for the vulnerabilities of the ActiveX and NPAPI Flash plug-ins as per SA41917; then all browsers are likely to be equally exposed/vulnerable.

Some might argue that the way Chrome sandboxes its tabs adds extra security, but that is a different matter; as it stands, safe browsing rules with the browser you know best are extra important with Flash being at CAT5!!

As SA41917 puts it:-

NOTE: The vulnerability is currently being actively exploited.


Take care

Anthony


--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant? +1 / -0
SBSATS RE: Google Chrome a CAD 5 Security threat??
Member 3rd Nov, 2010 07:32
Score: 0
Posts: 4
User Since: 27th Nov 2009
System Score: N/A
Location: N/A
Would uninstalling Chrome and Adobe (all the listed Cat 5's), and using Firefox instead.... take care of the threat?
Was this reply relevant? +0 / -0
TiMow RE: Google Chrome a CAD 5 Security threat??
Dedicated Contributor 3rd Nov, 2010 08:08
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
The problem is that all browsers (including Ff.) that use the Adobe Flash plug-in are affected, until a patch is issued. See Secure Browsing tab (PSI 1.5.0.2, Advanced mode) and click on the blue SA number on r.h.s. of insecure listing, for details of this insecurity.

You can use a browser in a sandbox for added security - (I believe Chrome already sandboxes its tabs - so it is still OK to use, compared to others). But whichever you use, it is more important than ever to use safe browsing practices.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant? +1 / -0
TiMow RE: Google Chrome a CAD 5 Security threat??
Dedicated Contributor 3rd Nov, 2010 13:24
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 3rd Nov, 2010 14:06
@SBSATS
Apologies - I inadvertently found myself short on time when I made the above reply. Only later, sat in the dentist's chair, trying to divert my thoughts, did I realise I hadn't fully addressed your question.

Obviously, if you uninstall any program flagged as "insecure, no solution", then that program is no longer vulnerable on your PC, as it's not there.

The question is, though, do you want or need to do this? Which is why I included the details in my above reply.

The following is cut from the Secunia Advisory (SA41917):
"The vulnerability is confirmed in version 10.1.85.3 running on a fully patched Windows XP Professional SP3. Other versions may also be affected."
And solution given as:
"Adobe plans to release a fixed version on November 9, 2010."

And the following from Chrome advisory (SA42031):
"The vulnerability is caused due to a vulnerability in the bundled version of Adobe Flash Player."

I personally believe full uninstallation of one or both is a bit drastic. In both Chrome and Firefox, flash can be disabled without uninstalling**.

You can then see how what you view from the web is affected. The double-whammy is, that Chrome still has the embedded flash, but sandboxes its open tabs. You have to decide which is the lesser of the evils for you, dependent on what you need to browse.

If unfamiliar with sandboxing you can see further details here:

http://google-chrome-browser.com/new-approach-brow...
or
http://www.chromium.org/developers/design-document...
and
http://www.sandboxie.com/

**to disable flash:
Firefox: Tools>Add-ons>Plug-ins icon>scroll to Shockwave Flash 10.1.85.3>highlight>disable;
Chrome: Spanner/wrench>Options>Under the bonnet tab>Content settings>Plug-ins (l.h.s.)>Disable individual plug-ins (centre in blue)>scroll to flash>disable.

TiMow

EDIT: Disabling flash in Chrome, disables both the plug-in and the embedded - just tried it.

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant? +2 / -0
SBSATS RE: Google Chrome a CAD 5 Security threat??
Member 4th Nov, 2010 11:27
Score: 0
Posts: 4
User Since: 27th Nov 2009
System Score: N/A
Location: N/A
Thank you very much for your thoughts and efforts on my behalf. I play games on Facebook and feel secure there, but I have my other info on my PC and surely want to protect that. I have uninstalled all of the Cat 5's as I can wait until the new updates are released. I did find your info hints on sandbagging interesting and informative. And I think I have learned a little more thanks to your efforts. Thank you very much.
Was this reply relevant? +0 / -0
mogs RE: Google Chrome a CAD 5 Security threat??
Expert Contributor 4th Nov, 2010 11:47
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Flash is due to be patched today apparently.
See CClip 16 of yesterday.
http://secunia.com/community/forum/thread/show/620...

--
Was this reply relevant? +1 / -0

deara2 RE: Google Chrome a CAD 5 Security threat??
This reply has been minimised due to a negative Relevancy Score.
