<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx</link><description>This morning I opened one of the Swiss Sunday newspapers and Google Chrome made it to the front-page with a “best practice approach” for deploying security updates. In the article itself it was claimed that Chrome is one of the best browsers with regards</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3273720</link><pubDate>Sat, 15 Aug 2009 06:46:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3273720</guid><dc:creator>Jason</dc:creator><description>&lt;p&gt;Isn't it what the ClickOnce do?&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239791</link><pubDate>Tue, 12 May 2009 17:23:50 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239791</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;@Larry Seltzer: you don't need the source of a program to add code to it, all you need to do is carve out some space in the exe and change the PE entry point, virus writers have been doing this for years. I assume chrome is signed so at least it would be possible to tell, but like I have said, if something was able to replace that exe, it's already too late&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239788</link><pubDate>Tue, 12 May 2009 17:20:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239788</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;@Larry Seltzer: it depends on the config, but in a corp. env, yes probably. But there are a million ways to inject into other processes, and explorer.exe would be the main target probably. CreateRemoteThread or SetWindowsHookEx does not care about any policy, only thing that stops it is a process running at higher IL (above medium or low depending on the parent process)&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239786</link><pubDate>Tue, 12 May 2009 17:19:15 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239786</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;And at this point I think it's worth reminding people that Chrome is an open source program. How hard would it be to write a malicious version of one of the major DLLs or the chrome.exe file that works normally except for added malicious functionality?&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239785</link><pubDate>Tue, 12 May 2009 17:16:58 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239785</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;@rhalbh: installing as non admin does not open any doors, yes, evil stuff could overwrite an exe, but the door would already have to be open for that to happen. (by exploit, or someone running a trojan) My point is, they are already in your system and can access all your documents and saved passwords, a trojan chrome is the least of your problems (Live Mesh does exactly the same thing)&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239779</link><pubDate>Tue, 12 May 2009 17:12:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239779</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;@asf: If the malware is running as standard user it can't install a shell extension. But it could modify Chrome in some way, for example, to steal passwords.&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239757</link><pubDate>Tue, 12 May 2009 16:58:26 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239757</guid><dc:creator>rhalbheer</dc:creator><description>&lt;p&gt;@asf: Help me understand your arguments: I do not see the value of Admins? Malware in the case of applications in the user-context today is able to modify the executable from Chrome (as an example) but not from IE as IE is in a directory which is protected.&lt;/p&gt;
&lt;p&gt;So, installing in the user-context is definitely bad practice as it opens a lot of doors.&lt;/p&gt;
&lt;p&gt;@M. Schopman: There is no flaw in UAC. You just write to directories you have write access to as a user and start the program from there. There is a way to protect from that: Software Restriction Policies, which could limit executables to some directories like Windows and Program Files, but it is not switched on by default as it would break too much (like Chrome).&lt;/p&gt;
&lt;p&gt;@Peter van Dam: I see your point and I have the same problem. This is because we are taking care of our computers. However, we seem to be a minority. You would not believe how often we see computers with the update installed but not rebooted (and the reboot today is unfortunately still necessary to fix loaded components). They are still vulnerable then and as a lot of people do not shut down their PC anymore but put it into hibernation or stand-by, this leaves them vulnerable (and giving them a &amp;quot;do not bother me anymore&amp;quot; option is not an option :))&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239692</link><pubDate>Tue, 12 May 2009 15:33:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239692</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;@Larry Seltzer: and the point is? If some malware is running, then it's running, why would it need to mess with google chrome? It's better off installing a shell extension and hopefully see an OTS UAC elevation with separate desktops turned off or use some other hole if admin access is what it's looking for&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239672</link><pubDate>Tue, 12 May 2009 15:10:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239672</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;asf - if the browser runs completely in the user's context and the user can update it without privilege elevation then so can malicious software. It doesn't have anything to do, strictly speaking, with browsers running as admin, just in a different and protected user context.&lt;/p&gt;
&lt;p&gt;Maybe you think it's not a security issue when users run arbitrary exes, but most people think we should at least try.&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/b/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239661</link><pubDate>Tue, 12 May 2009 14:31:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239661</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;what the hell is wrong with you people, allowing non-admin installs is a good thing, there is no reason for a browser to have admin rights on a box, EVER&lt;/p&gt;
&lt;p&gt;It has nothing to do with malicious software, if the user runs random exe's, that's their problem&lt;/p&gt;
</description></item></channel></rss>