<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx</link><description>This morning I opened one of the Swiss Sunday newspapers and Google Chrome made it to the front-page with a “best practice approach” for deploying security updates. In the article itself it was claimed that Chrome is one of the best browsers with regards</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3238570</link><pubDate>Mon, 11 May 2009 07:20:22 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3238570</guid><dc:creator>Blake Handler</dc:creator><description>&lt;p&gt;Unfortunately Roger, Microsoft is held to different, and more stringent standard than the rest of the tech World. &lt;/p&gt;
&lt;p&gt;Google, Apple, Adobe &amp;amp; Sun can all install &amp;quot;additional&amp;quot; software that has nothing to do with the software package you think you're installing. (i.e. toolbars, Bonjour, Safari &amp;amp; Chrome). These companies do not have to address security breaches in a timely fashion, nor even engage in an open dialogue with their customers. Google &amp;amp; Yahoo are selected as default selections on Apple products, but Microsoft must also have their competition's software available as defaults.&lt;/p&gt;
&lt;p&gt;I prefer supporting a company with &amp;quot;higher&amp;quot; standards like Microsoft. Even when you're &amp;quot;wrong&amp;quot; you're &amp;quot;transparent&amp;quot; about it!&lt;/p&gt;
&lt;p&gt;Blake Handler -Microsoft MVP&lt;/p&gt;
&lt;p&gt;&amp;quot;The Road to Know Where&amp;quot;&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3238740</link><pubDate>Mon, 11 May 2009 13:38:19 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3238740</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;Let's talk a little more about installing executables in the user context. Presumably this is a bad idea because malicious software run in the user context also has permission to write there? &lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3238815</link><pubDate>Mon, 11 May 2009 16:06:18 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3238815</guid><dc:creator>Hans Remmerswaal</dc:creator><description>&lt;p&gt;An interesting discussion point, although I don't think that automatic updating an operating system (which you have to buy) can be compared with the automatic updating of a browser (which is for free)... &lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3238850</link><pubDate>Mon, 11 May 2009 16:52:28 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3238850</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;You don't have to buy any operating system, and why would that make a difference anyway?&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3238853</link><pubDate>Mon, 11 May 2009 17:00:05 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3238853</guid><dc:creator>rhalbh</dc:creator><description>&lt;p&gt;I do not see the difference either. It is more about silently installing stuff - for free or not for free does not matter at all (and by the way, if you have any Windows, all the versions of IE are available to you for free as well - does this mean silently updating IE would be fine for you?)&lt;/p&gt;
&lt;p&gt;Roger&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239017</link><pubDate>Mon, 11 May 2009 20:00:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239017</guid><dc:creator>Emmanuel Mesas</dc:creator><description>&lt;p&gt;To contribute to the post - here is another view of the industry (competition) about Microsoft pushing updates via Windows Update - not even being automatic !!&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_new" href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9132732&amp;amp;intsrc=news_ts_head"&gt;http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9132732&amp;amp;intsrc=news_ts_head&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Google is not one of the claimers, but we know why ...&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239461</link><pubDate>Tue, 12 May 2009 08:45:52 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239461</guid><dc:creator>Peter van Dam</dc:creator><description>&lt;p&gt;I always loved the automatic updating in Google Chrome and personally I would have loved the same experience in Windows.&lt;/p&gt;
&lt;p&gt;Not looking to those shouting people I think Google showed that automatic updating doesn't have to be as annoying as updating Windows.&lt;/p&gt;
&lt;p&gt;In Windows 7 you get a balloon tip (something that I guess was already promised to be not there, but in the action center) telling updates will be installed later today, and that the pc might need to be reinstalled.&lt;/p&gt;
&lt;p&gt;The first notice...&lt;/p&gt;
&lt;p&gt;So I noticed it this morning, and I want to be secure, so I visit Windows Update to update my machine. I see security updates, I see optional updates, but to install them both, I need to perform loads of steps. (open optional updates, check them. Press ok, then click install)... However, it installs pretty quick, nothing wrong with that...&lt;/p&gt;
&lt;p&gt;But wait, my system needs to be rebooted after installing some browser updates *cough IE *cough. However, I don't want to. I just started all my things, I don't want to do that again, so I hit close.&lt;/p&gt;
&lt;p&gt;... next thing what happens is an EXTREMELY annoying popup taking your focus asking if you would like to reboot. If I'm lucky and didn't hit the spacebar by then, my system doesn't reboot.&lt;/p&gt;
&lt;p&gt;Ok, now have a look at choice... Can I turn off those annoying popups??? NO! Just 10 minutes, one hour and four hours... I don't want to be bothered, I reboot my machine when I move to home...&lt;/p&gt;
&lt;p&gt;... So I just set it to 4 hours, it's the longest time without popups....&lt;/p&gt;
&lt;p&gt;And as you might guess, 4 hours later, I was just writing a nice message in word, didn't save the file yet, and BANG, the system reboots. Did it ask for a reboot? Yes! Did I want a reboot. NO! What seemed, that annoying popup already took focus before it was shown, and I was already pressing the spacebar or enter in my word document.&lt;/p&gt;
&lt;p&gt;Then, if I'm really lucky, I can save or restore my word document in time....&lt;/p&gt;
&lt;p&gt;Now compare that with Google. You don't see anything, you don't need to wait for it, you don't need to perform some steps, you don't have to deal with annoying popups taking focus and performing steps you don't want. It's just happening in the background and that's it.&lt;/p&gt;
&lt;p&gt;So yes, I agree with you that choice is a very important thing, and I really like that Windows offers me choice for everything. But I don't have the choice to be NOT annoyed with Windows Update. Not looking to having to reboot all the time, it would be so much better if I could check a setting that says. &amp;quot;Update just everything, and leave me alone&amp;quot;.&lt;/p&gt;
&lt;p&gt;Enabling this ghost update, keeps my system most secure, doesn't annoy me, not even when I just let it install on shutdown.&lt;/p&gt;
&lt;p&gt;So what I'm trying to say is... Google Chrome showed that getting updates can be so much easier and hidden than we have now. Even with Firefox where you need to install updates every time you launch the application is just as annoying as being popupped with balloons and non-focussed windows update dialogs. Windows Update, Firefox update, can be more smooth, have a function to be more hidden, not necessarily have to annoy the user every time something needs to happen. And on that job, I think Google did something good.&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239537</link><pubDate>Tue, 12 May 2009 10:55:10 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239537</guid><dc:creator>M. Schopman</dc:creator><description>&lt;p&gt;I don't really understand the UAC comment in your article. If Chrome is able to install in the user context without intervention, then UAC has some serious flaws because malicious software would also be able to install in the user context?&lt;/p&gt;
&lt;p&gt;So the problem is in UAC, not in bad practice. Google just used what was available to them, just like malicious software would do.&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239661</link><pubDate>Tue, 12 May 2009 14:31:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239661</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;what the hell is wrong with you people, allowing non-admin installs is a good thing, there is no reason for a browser to have admin rights on a box, EVER&lt;/p&gt;
&lt;p&gt;It has nothing to do with malicious software, if the user runs random exe's, that's their problem&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239672</link><pubDate>Tue, 12 May 2009 15:10:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239672</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;asf - if the browser runs completely in the user's context and the user can update it without privilege elevation then so can malicious software. It doesn't have anything to do, strictly speaking, with browsers running as admin, just in a different and protected user context.&lt;/p&gt;
&lt;p&gt;Maybe you think it's not a security issue when users run arbitrary exes, but most people think we should at least try.&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239692</link><pubDate>Tue, 12 May 2009 15:33:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239692</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;@Larry Seltzer: and the point is? If some malware is running, then it's running, why would it need to mess with google chrome? It's better off installing a shell extension and hopefully see a OTS UAC elevation with separate desktops turned off or use some other hole if admin access is what it's looking for&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239757</link><pubDate>Tue, 12 May 2009 16:58:26 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239757</guid><dc:creator>rhalbh</dc:creator><description>&lt;p&gt;@asf: Help me understand your arguments: I do not see the value of Admins? Malware in the case of applications in the user-context today is able to modify the executable from Chrome (as an example) but not from IE as IE is in a directory which is protected.&lt;/p&gt;
&lt;p&gt;So, installing in the user-context is definitely bad practice as it opens a lot of doors.&lt;/p&gt;
&lt;p&gt;@M. Schopman: There is no flaw in UAC. You just write to directories you have write access as a user and start the program from there. There is a way to protect from that: Software Restriction Policies which could limit executables to some directories like Windows and Program Files but it is not switched on by default as it would break too much (like Chrome)&lt;/p&gt;
&lt;p&gt;@Peter van Dam: I see your point and I have the same problem. This is because we are taking care of our computers. However, we seem to be a minority. You would not believe how often we see computers with the update installed but not rebooted (and the reboot today is unfortunately still necessary to fix loaded components). They are still vulnerable then and as a lot of people do not shutdown their PC anymore but put it into hibernation or stand-by, this leaves them vulnerable (and giving them a &amp;quot;do not bother me anymore&amp;quot; option is not an option :))&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239779</link><pubDate>Tue, 12 May 2009 17:12:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239779</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;@asf: If the malware is running as standard user it can't install a shell extension. But it could modify Chrome in some way, for example, to steal passwords.&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239785</link><pubDate>Tue, 12 May 2009 17:16:58 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239785</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;@rhalbh: installing as non admin does not open any doors, yes, evil stuff could overwrite an exe, but the door would already have to be open for that to happen. (by exploit, or someone running a trojan) My point is, they are already in your system and can access all your documents and saved passwords, a trojan chrome is the least of your problems (Live Mesh does exactly the same thing)&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239786</link><pubDate>Tue, 12 May 2009 17:19:15 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239786</guid><dc:creator>Larry Seltzer</dc:creator><description>&lt;p&gt;And at this point I think it's worth reminding people that Chrome is an open source program. How hard would it be to write a malicious version of one of the major DLLs or the chrome.exe file that works normally except for added malicious functionality?&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239788</link><pubDate>Tue, 12 May 2009 17:20:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239788</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;@Larry Seltzer: it depends on the config, but in a corp. env, yes probably. But there are a million ways to inject into other processes, and explorer.exe would be the main target probably. CreateRemoteThread or SetWindowsHooksEx does not care about any policy, only thing that stops it is a process running at higher IL (above medium or low depending on the parent process)&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3239791</link><pubDate>Tue, 12 May 2009 17:23:50 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3239791</guid><dc:creator>asf</dc:creator><description>&lt;p&gt;@Larry Seltzer: you don't need the source of a program to add code to it, all you need to do is carve out some space in the exe and change the PE entry point, virus writers have been doing this for years. I assume chrome is signed so at least it would be possible to tell, but like I have said, if something was able to replace that exe, it's already too late&lt;/p&gt;
</description></item><item><title>re: Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx#3273720</link><pubDate>Sat, 15 Aug 2009 06:46:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3273720</guid><dc:creator>Jason</dc:creator><description>&lt;p&gt;Isn't it what ClickOnce does?&lt;/p&gt;
</description></item></channel></rss>