Forum Thread: Chrome and old versions

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Google
And, this specific program:
Google Chrome 11.x

This thread has been marked as locked.
kjmadsen Chrome and old versions
Member 1st May, 2011 18:13
Ranking: 0
Posts: 3
User Since: 1st May, 2011
System Score: N/A
Location: US
Google Chrome appears to have an intentional behavior to keep the last version installed in place when installing the latest with its updater (the one in Help, About).

I have seen this a few times and noticed it especially from 9-10 and 10-11. Before I did the last I had .204 and .205 in place and PSI showed both in the end-of-life list. After the update, the installer removed .204, so now I have .204 and the latest version of 11.

This was in another thread that was locked and it just said to delete the old version from Application Data. I wonder if that would really be necessary as my guess is that Chrome will keep doing this and Google must be doing this for some reason.

There is even an oldchrome.exe file in the directory.

Perhaps this behavior warrants some direct contact with Google to sort out.

mogs RE: Chrome and old versions
Expert Contributor 1st May, 2011 18:27
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@kjmadsen
Glad you mentioned it ! I meant to ask of Anthony Wells on the forum whether he'd noticed that the old Chrome file went of its own accord.....earlier in the week.....on either the Dev channel version or the Canary build. He too has the same versions.....and sometimes it means going thro' the file removal routine three times in a day.....I'm almost sure one of them didn't need the treatment ! So, it may be a sign of things to come on the Beta and Stable.......I just wanted confirmation to be sure.
I doubt Google are remote from their "browsership" !!

--
Anthony Wells RE: Chrome and old versions
Expert Contributor 1st May, 2011 19:31
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 1st May, 2011 19:32
Hi Mogs ,

A single , simple devious and two birds as I sit and write (quill to .. , you know the scene :)) It has happened occasionally in the past , but not heard of it being planned for the future ?!

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
mogs RE: Chrome and old versions
Expert Contributor 1st May, 2011 20:20
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 1st May, 2011 20:28
Brilliant Anthony ! One thing I cannot abide is a cryptic chicken or rabbit !!! The other is a roadrunner on my tail !! So it's keep the eyes skinned and no time for tweets ?!
It's all cold fare in my lunchbox.....everywhere else it's BBQ's and baked beans ?! Gees, I'll never catch up !!!

BTW.....I've got a MS Malicious Software Removal Tool alternating between Actual Installation and Zombie version 1.0.0.0. Any ideas/suggestions for the best course of action ? Appreciated....thanks,

--
Anthony Wells RE: Chrome and old versions
Expert Contributor 1st May, 2011 20:47
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

YO Mogs ,

Sounds like you have barely enuff to keep body and soul together :((

I guess you should start a new thread ; in the interim , if you mean this , then it usually runs on M$ Patch Tuesday but I got it reoffered by M$ updates a few days ago and it loaded and (re)ran correctly to all intents and purposes : note the date in the link (4/26/2011 sic) :-

http://www.microsoft.com/downloads/en/details.aspx...

Read the "Overview" .

AFAIK , it does not usually "display" anywhere on my XP system , nor in Belarc if memory serves .

The PSI shows me with the M$ Removal Tool Blaster/Nachi version 5.1.2600.5512 loaded in System32 as per :-

http://support.microsoft.com/kb/833330

You know the drill , post a troubleshoot report :))

Anthony





--


It always seems impossible until it's done.
Nelson Mandela
Anthony Wells RE: Chrome and old versions
Expert Contributor 1st May, 2011 20:59
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

@kjmadsen ,

Google are on record as deliberately leaving the previous edition behind , probably to avoid a developer losing work with/during a silent update .

As the "old" .dlls are technically not available to the bad guys , they were/are happy to continue this way .

Not sure where you are finding an old .exe file as only one ever seems to work and that is the one in the ..\Google\Chrome\Application\... folder per user . Do you have more than one user version ??

The Canary has its own .exe in its folder and may have an old and a new .exe loaded at the same time .

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
kjmadsen RE: Chrome and old versions
Member 3rd May, 2011 01:37
Score: 0
Posts: 3
User Since: 1st May 2011
System Score: N/A
Location: US
For reference, I have only used production versions of Chrome on my system.

Here is the directory of where I am seeing the old exe:

04/15/2011 11:07 AM <DIR> 10.0.648.205
05/01/2011 08:48 AM <DIR> 11.0.696.60
04/28/2011 03:15 AM 1,010,232 chrome.exe
05/02/2011 02:16 PM <DIR> Dictionaries
03/25/2011 04:23 PM 0 First Run
04/12/2011 05:51 PM 1,004,088 old_chrome.exe

Hopefully, this clarifies the situation with Google updates. I noticed this across major (9-10-11) and minor versions (10...204 to 10...205).
mrkorb RE: Chrome and old versions
Member 3rd May, 2011 02:41
Score: 1
Posts: 4
User Since: 3rd May 2011
System Score: N/A
Location: US
From what I've observed, running the Chrome install program cleans out the old version that the auto-updater leaves in place, and clears the EoL entry in PSI. Just click Install Solution in PSI and it will do the job for you. Kind of annoying that we have to take the extra step though.
kjmadsen RE: Chrome and old versions
Member 3rd May, 2011 03:02
Score: 0
Posts: 3
User Since: 1st May 2011
System Score: N/A
Location: US
Last edited on 3rd May, 2011 03:03
My observations are different. If you are within a major version, the EoL will not appear; just the Insecure one. When you just apply a major version, the EoL appears because Google is keeping the last installed version on the system. If you note the directory display in my last post you will see a directory for the (now) current version 11 and the version 10 that I replaced when updating to 11.

I used the browser itself to effect the update, as sometimes the Install Solution doesn't take care of it. Haven't taken careful notes on when it works fine and when it doesn't, but my sense is that Chrome and Firefox don't and things from Adobe do.

Main point of the thread is to show the Google Chrome behavior of keeping the last version on the system, as the dll check is a false positive from PSI.
Anthony Wells RE: Chrome and old versions
Expert Contributor 3rd May, 2011 13:16
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 3rd May, 2011 13:36
Hi ,

I cannot be specific re Chrome browser Stable versions as I use the Dev and Canary versions ; however AFAIK :-

1) EOL : this is the PSI's way of displaying the old platform when there is a platform change :ie: 10.x to 11.x has just occurred and 10.x versions show as EOL .

2)Manual update : In the past if you run a manual update with a downloaded installer , the older versions of the same platform are all removed and you just have the new one .

3)Auto silent update or update initiated via the "spanner *About* link" : this leaves the previous version behind ; if it is not a security update you will see the old version as a "zombie" file , but a "security" update will likely display the "insecure" version at the top of the scan results page (maybe someone can confirm that) . At platform change , the old platform's "last" version is eventually left behind "permanently" and displays as EOL .

4)Channel change : only one Channel per user for the Stable , Beta and Dev versions so changing channels removes all the other channel versions . Canary is allowed to be installed alongside .

5)Old_exe and older version files : I have only just come across this (old_exe) and since my post above , in my Canary directory I now have no old_exe version as a new_exe version has taken its place , but I still have two .exe files . Dev still has just the one*** . In the past , any older .exe file versions would/will still only load the latest browser installed ; this is the case for my Canary installation . This would concur with the info from Google that the old version folder and its .dlls are "technically" disabled ; so leaving the old .exe version behind would follow Google logic as we know it .

6)False positive : the PSI displays whatever it can see , find and get its hands on ; whether the "insecure" findings are a "real" security risk depends .... ; hence zombie files and EOL platforms , etc .

I am sure some will disagree with me and have different experiences and appreciation of the "facts" and "fiction" .

Hope that helps .

Take care

Anthony

EDIT ***PS : as I first posted in reply to Mogs , my last Dev channel update also removed the older version files (not regular practice) , I do not know if an old_exe file was removed at the same time , maybe , but unlikely looking at the time/date stamps . HAH HAH : as I speak a new Dev channel has just installed its files along with a new_exe file , so the practice of keeping two .exe files in the directory is current for me .





--


It always seems impossible until it's done.
Nelson Mandela
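
Added example, not part of the thread and not Secunia or Google code: a small Python audit of the directory listing kjmadsen posted, separating the newest version folder from the folders and .exe files the updater left behind, and marking whether a leftover is from the same major version or an older one (the case the thread says PSI reports as EoL). Treating the highest version number as the live install and the file name new_chrome.exe for the "new_exe" file are assumptions.

```python
import re

# Directory listing exactly as posted in the thread (`dir` output from the
# per-user Chrome Application folder).
LISTING = """\
04/15/2011 11:07 AM <DIR> 10.0.648.205
05/01/2011 08:48 AM <DIR> 11.0.696.60
04/28/2011 03:15 AM 1,010,232 chrome.exe
05/02/2011 02:16 PM <DIR> Dictionaries
03/25/2011 04:23 PM 0 First Run
04/12/2011 05:51 PM 1,004,088 old_chrome.exe
"""

ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+(<DIR>|[\d,]+)\s+(.+)$")
VERSION = re.compile(r"^\d+(?:\.\d+){3}$")
# Assumption: "new_chrome.exe" is the "new_exe" file mentioned in the thread.
LEFTOVER_EXES = {"old_chrome.exe", "new_chrome.exe"}


def parse_listing(text):
    """Return [(name, is_dir)] for each entry line of a `dir` listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(2), m.group(1) == "<DIR>"))
    return entries


def audit(text):
    """Separate the newest version folder from what the updater left behind."""
    entries = parse_listing(text)
    # Compare versions as integer tuples so that 10.x sorts after 9.x.
    versions = sorted(tuple(map(int, n.split(".")))
                      for n, is_dir in entries if is_dir and VERSION.match(n))
    report = {"current": None, "leftover_dirs": [], "leftover_exes": []}
    if versions:
        current = versions[-1]  # assumption: highest version is the live one
        report["current"] = ".".join(map(str, current))
        for v in versions[:-1]:
            kind = "same-major" if v[0] == current[0] else "older-major"
            report["leftover_dirs"].append((".".join(map(str, v)), kind))
    report["leftover_exes"] = sorted(
        n for n, is_dir in entries if not is_dir and n.lower() in LEFTOVER_EXES)
    return report


if __name__ == "__main__":
    print(audit(LISTING))
```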
