
Forum Thread: Misleading quick facts?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Google
And, this specific program:
Google Chrome 11.x

This thread has been marked as locked.
donwms1803 Misleading quick facts?
Member 5th May, 2011 04:20
Ranking: 0
Posts: 5
User Since: 31st Dec, 2010
System Score: N/A
Location: US
PSI displays the following quick facts:
=========================================================
This program was detected as Insecure, it is strongly recommended that you apply the latest security patch from the vendor of the program.

The version detected of Google Chrome 11.x was 11.0.696.60 while the latest version including one or more security fixes is 11.0.696.57.
=========================================================

The wording implies that version 11.0.696.60 is known to be insecure and the latest version with security fixes is more secure.

To my understanding version 11.0.696.60 is a bug fix version and does not contain any additional security fixes. I would assume that security fixes in version 11.0.696.57 are included in version 11.0.696.60 which implies that version 11.0.696.60 should be just as secure as version 11.0.696.57. Therefore unless new security problems are discovered in version 11.0.696.60, I would expect PSI to treat version 11.0.696.60 the same as version 11.0.696.57.

Thanks

mogs

RE: Misleading quick facts?
[+]
This reply has been minimised due to a negative Relevancy Score.
This user no longer exists RE: Misleading quick facts?
Member 5th May, 2011 08:48
Hi,

Try to run a full rescan, and the problem should be resolved.

Has this resolved the issue?
Was this reply relevant?
+0
-0
mogs RE: Misleading quick facts?
Expert Contributor 5th May, 2011 08:58
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Can anybody tell me why my post was deemed irrelevant....given that it also contains the following sentence :=

Have you carried out a full psi scan and/or reboot before reporting ?

It seems to me that there is far too much of this kind of behaviour on the forum.....voting is becoming oft more about likes/dislikes than relevance.


--
Was this reply relevant?
+1
-2
Leendert Kip Misleading quick facts?
Member 5th May, 2011 09:27
Score: 65
Posts: 521
User Since: 22nd Jan 2009
System Score: 100%
Location: NL
on 5th May, 2011 08:58, mogs wrote:
It seems to me that there is far too much of this kind of behaviour on the forum.....voting is becoming oft more about likes/dislikes than relevance.

You are right Mogs, I don't see anything your post isn't relevant. I made a correction for you.

--
PC: JJ Computer Services
Intel Core I3 2100 3.1Ghz
DDR3 Kingston ValueRam 4GB 1333
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 9
Mozilla Firefox 31NL

Laptop: MSI GT780DX
Intel Core I5-2450
DDR3 RAM 6GB
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 11
Mozilla Firefox 31NL
Was this reply relevant?
+1
-2
mogs RE: Misleading quick facts?
Expert Contributor 5th May, 2011 10:34
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Morning Leendert....thank you for your comment/corrective action.
Unfortunately, I don't think everybody understands the relevancy of the scoring system itself.
Taken from forum "About" :-
Replies - relevancy score
Users can vote on replies with a positive or negative value, marking them as either relevant or irrelevant. An irrelevant post would be hidden/minimised by default, with the ability to display it at a click of a button. The votes that replies receive, will count towards the user's total vote score (Ranking), which in turn determines the user's title.

Obviously, to help anybody, sometimes questions need to be asked and answers given that a user may take umbrage to....tho' the content may still be relevant....a grey area if that too becomes a matter of opinion.
The scoring itself, whilst may give an indication of popularity....in relation to specific threads/posts....can help in the learning process. What perturbs me is that when the system is abused, the overall indication becomes false.
I've even had cases recently where I've scored "newbies" up, for having addressed their problem...and to give some start/encouragement... and some bright spark has gone along and nullified them !! We should be encouraging more by way of defence in attitude..free mannerly discussion.....than pointed "attacks" with no reason given.


--
Was this reply relevant?
+2
-3
Anthony Wells RE: Misleading quick facts?
Expert Contributor 5th May, 2011 13:27
Score: 2434
Posts: 3,318
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi Mogs ,

Whilst you wait for the OP to let you and Emil know if a "full" scan has rectified the Chrome problem , then , since last weekend especially , when there was plenty of "angst" over the same subject , I noticed that we both came in for plenty of negative votes ; of course no big deal , with your elevated status , but people can be (extremely) obnoxious on the web , especially under the cover of anonymity !! One can only help those who wish to be helped and scoring is of no consequence 99.99% of the time .

Personally , I could care less about the voting and any related small mindedness ; just ignore it or laugh it off ; more important things happening in the real world which need our attention .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+4
-0
donwms1803 RE: Misleading quick facts?
Member 5th May, 2011 16:05
Score: 0
Posts: 5
User Since: 31st Dec 2010
System Score: N/A
Location: US
Last edited on 5th May, 2011 16:05
Sorry, the point of my initial post was not well stated. I only intended Google Chrome to be an anecdotal example. PSI only recognizes a program's latest patch level with security patches as the level you should be running. In general, a program's newer level will include all previous security patches from all previous levels. It should be fairly rare that a prior security fix would be back leveled in the newer level. Therefore it is reasonable to assume that security fixes are carried forward unless it can be shown otherwise.

Of course, PSI has to understand the vendor's patch level numbering convention for each program in order to sort them into time sequence. Of course, when a new version is created from "scratch" or for a different source level, security fixes can be lost or new exposures created, but most vendors change the version number and reset the patch number.
Was this reply relevant?
+0
-0
Anthony Wells RE: Misleading quick facts?
Expert Contributor 5th May, 2011 16:59
Score: 2434
Posts: 3,318
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi again ,

Your post is looking at the Chrome problem which was done to death last weekend , some members tried to explain that it was a simple bug and that both versions were actually secure !! Not appreciated as such by everyone !! At least ...60 should now be showing as "secure" after a full scan .

For further explanation try this thread and "I" would refer you to my response of 1st May 2011 at 19.19 ; you will need to click the [+] to the rhs of its entry to reveal it , as there was/is some contentious voting based on personality rather than relevance :-

http://secunia.com/community/forum/thread/show/854...

Is ..60 now showing as secure for you ?? What do the quick facts say (I don't have the Stable version to refer to ; do the facts need updating ??

Hope that helps .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+3
-0

mogs

RE: Misleading quick facts?
[+]
This reply has been minimised due to a negative Relevancy Score.
donwms1803 RE: Misleading quick facts?
Member 5th May, 2011 23:11
Score: 0
Posts: 5
User Since: 31st Dec 2010
System Score: N/A
Location: US
Hi Anthony,

Yes, the Google Chrome now shows as patched.

I have previously seen (but did not post anything at the time) similar situations for other programs. PSI said that they were insecure and that I needed to go to the vendor's site and update to the current level. However, the vendor's current level was newer than the level PSI was recommending. Of course, I can ignore PSI's recommendation since I expect that the newer version includes the security fixes from the level that PSI is recommending. However, I believe that too many false negatives will cause many PSI users to start routinely ignoring the warnings.

At this point, the only way I know how to post to the forum, is via a specific program. Since my comments are really intended to apply to the way PSI handles all programs, how should I post that type of comment?

Thanks, Don Williams
Was this reply relevant?
+0
-0
Anthony Wells RE: Misleading quick facts?
Expert Contributor 9th May, 2011 16:45
Score: 2434
Posts: 3,318
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Don ,

You are not forgotten but I am busy elsewhere just now .

You can create your own thread and post it to any Forum of your choice , if you select "Create thread" in the lhs column of this page and pick your Forum from the "Select Forum" drop down menu which appears . Do not use the "Vulnerabilities" Forum ; in this case you could have chosen "Open Discussions" or perhaps "PSI" rather than the "Programs" option you chose . The title to your thread is well chosen as is , so no big deal .

When there is not a bug such as this fixed Chrome "bug" in the display , then the PSI will display any program which is prior to the "latest patched" - in Secunia terms "up to date" - version as "insecure" or "EOL" or perhaps as a "zombie" installation ; any version which is the same as or is later than the "latest patched" version will show as "secure" . If there is a "later bug/eye candy fix version" , the PSI will also show that to you as "secure/up to date" ; however any download link to the "latest" version from the PSI will be to the "latest patched" version and in that case , if you used it though there is no reason to use it , you would be rolled back to an earlier but still patched version . This is because the PSI follows its/Secunia's own solution as posted in the Secunia Advisory . I explained this in the post in the thread I linked you to ; here is a copy :-

QUOTE me :)) Secunia support always seem to have problems with the PSI detection rules when there is a Stable Platform change :ie: 10.x to 11.x and/or the Stable and Beta versions overlap . Support do not work on the PSI always full time and definitely not the weekend . This problem became apparent on Thursday/Friday - not "several days ago " .

So no instant gratification ; nothing will happen to fix the "bug" before Monday at the earliest . Versions ..57 and ..60 are both secure , earlier ones should be deleted , to be sure , to be sure .

Re Semantics , this subject is also nearly done to death ; security updates are published by Secunia in their Advisories and specify/give you the version to update to in order to patch a vulnerability . They are provided for the Security community , their commercial CSI clients and by free serendipitous chance to personal users of the (free) PSI . The latter is a vulnerability/update patch checker aligned with the relevant SA's and definitely not a general update checker ; neither the SA's nor the PSI monitor , follow or give twopence about "updates" of the bug or eye candy fix nature . Same goes for Alphas , Betas , RC's etc .

By the same token , there are no insecure versions of the PSI ; although Secunia do normally advise major changes here on the Forum and by personal email. UNQUOTE .


If you can specify where you think there is confusion and suggest a better wording in general or concerning a specific program please post back . Is the "Quick Facts" entry for Chrome 11.x still incorrect/confusing since the bug was fixed ??

Any contribution will always be considered by Support :))

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+3
-0
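
The rule described in the reply above (a version earlier than the "latest patched" one shows as "insecure", the same or a later one as "secure"), written out as an added example that is not part of the thread and is not Secunia's code. The two faulty variants are constructed for contrast only and are not claimed to be the cause of the PSI display bug; all function names are hypothetical.

```python
from itertools import zip_longest


def parse_version(text):
    """Split a dotted version such as '11.0.696.60' into a tuple of ints."""
    parts = text.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def classify(detected, latest_patched):
    """Rule from the thread: earlier than latest patched is insecure,
    the same or any later version is secure."""
    if compare_versions(detected, latest_patched) < 0:
        return "insecure"
    return "secure"


def classify_exact_match(detected, latest_patched):
    """Constructed faulty rule: only the exact patched build counts as secure,
    so a later bug-fix build is flagged."""
    return "secure" if detected == latest_patched else "insecure"


def classify_lexical(detected, latest_patched):
    """Constructed faulty rule: plain string comparison, which orders
    '...696.9' after '...696.57' because '9' > '5'."""
    return "insecure" if detected < latest_patched else "secure"


if __name__ == "__main__":
    latest_patched = "11.0.696.57"  # version named in the Quick Facts text
    # 11.0.696.60 and .57 are from the thread; .50 and .9 are constructed.
    for detected in ("11.0.696.60", "11.0.696.57", "11.0.696.50", "11.0.696.9"):
        print(detected,
              classify(detected, latest_patched),
              classify_exact_match(detected, latest_patched),
              classify_lexical(detected, latest_patched))
```
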
