Google Chrome and Silent Patching

This morning I opened one of the Swiss Sunday newspapers and Google Chrome made it to the front page with a “best practice approach” for deploying security updates. In the article itself it was claimed that Chrome is one of the best browsers with regard to security, as they deploy patches silently, without letting the user know, even if Chrome is not running, and there is no way to disable this. Here are some similar stories:

Give me a break here.

I am really tired of hearing those things. When Chrome shipped, three things actually hit my inbox:

  • Chrome was shipped (in a Beta) with a few pretty significant vulnerabilities in it, which had been known for quite a while (like the carpet bombing flaw). The excuse by Google was “it is just a beta”. Tell me please, how you would comment if we had done the same with Windows 7.
  • I got quite a few mails from angry customers and journalists telling me that Chrome found a way around User Account Control as Chrome installs without UAC kicking in. Journalists called as they claimed to have found “a severe vulnerability”, customers called as they were angry with us as Chrome simply popped up all over the place in their network even though their users were non-admin. Well, well, Chrome simply installs an executable in the user context, in directories to which the user has write permissions. So, for sure Chrome can install – really bad practice in my opinion.
  • There was a pretty strange paragraph in the EULA which was then removed later.

And now the silent patching. A few years back, when we designed Windows XP SP2, we talked about switching Automatic Updates on by default. This caused a lot of people to scream and tell us that it is unacceptable to switch AU on by default (which we actually do in the meantime). We recently updated the Windows Update client – and it caused a lot of you to scream and tell us that it is unacceptable for us to silently update a component on Windows. And we heard you loud and clear. And now I hear that Chrome is best practice because they silently fix security vulns? And you cannot even switch this off? So, what is the policy the industry shall follow?

I agree that the most secure way for consumers would be to automatically fix security vulns. This is actually what I tell my parents: Simply install security updates. This is for consumers and there is an option. Not having an option is unacceptable – at least for me. Additionally, again for the consumer, having Anti-Malware being part of the Operating System out of the box and enabled by default would be desirable. However, this is not acceptable today for competition reasons.

So, what I do not get is why people do not look at these problems holistically and more from a policy perspective rather than from a company by company perspective. Silently installing components without even giving me the option to choose is not acceptable today for me – but I want to have the option to do it if I want.

And finally: I would question the enterprise-readiness of such software. At least, I would never deploy it in an enterprise environment.


Comments (18)
  1. Anonymous says:

    I do not see the difference either. It is more about silently installing stuff – for free or not for free does not matter at all (and by the way, if you have any Windows, all the versions of IE are available to you for free as well – does this mean silently updating IE would be fine for you?)


  2. Anonymous says:

    @asf: Help me understand your arguments: I do not see the value of Admins? Malware in the case of applications in the user-context today is able to modify the executable from Chrome (as an example) but not from IE as IE is in a directory which is protected.

    So, installing in the user-context is definitely bad practice as it opens a lot of doors.

    @M. Schopman: There is no flaw in UAC. You just write to directories you have write access as a user and start the program from there. There is a way to protect from that: Software Restriction Policies which could limit executables to some directories like Windows and Program Files but it is not switched on by default as it would break too much (like Chrome)

    @Peter van Dam: I see your point and I have the same problem. This is because we are taking care of our computers. However, we seem to be a minority. You would not believe how often we see computers with the update installed but not rebooted (and the reboot today is unfortunately still necessary to fix loaded components). They are still vulnerable then and as a lot of people do not shut down their PC anymore but put it into hibernation or stand-by, this leaves them vulnerable (and giving them a "do not bother me anymore" option is not an option :))

  3. Blake Handler says:

    Unfortunately Roger, Microsoft is held to different, and more stringent standard than the rest of the tech World.

    Google, Apple, Adobe & Sun can all install "additional" software that has nothing to do with the software package you think you’re installing. (i.e. toolbars, Bonjour, Safari & Chrome). These companies do not have to address security breaches in a timely fashion, nor even engage in an open dialogue with their customers. Google & Yahoo are selected as default selections on Apple products, but Microsoft must also have their competition’s software available as defaults.

    I prefer supporting a company with "higher" standards like Microsoft. Even when you’re "wrong" you’re "transparent" about it!

    Blake Handler -Microsoft MVP

    "The Road to Know Where"

  4. Larry Seltzer says:

    Let’s talk a little more about installing executables in the user context. Presumably this is a bad idea because malicious software run in the user context also has permission to write there?

  5. Hans Remmerswaal says:

    An interesting discussion point, although I don’t think that automatic updating an operating system (which you have to buy) can be compared with the automatic updating of a browser (which is for free)…

  6. Larry Seltzer says:

    You don’t have to buy any operating system, and why would that make a difference anyway?

  7. Emmanuel Mesas says:

    To contribute to the post – here is another view of the industry (competition) about Microsoft pushing updates via Windows Update – not even being automatic !!

    Google is not one of the claimers, but we know why …

  8. Peter van Dam says:

    I always loved the automatic updating in Google Chrome and personally I would have loved the same experience in Windows.

    Not looking to those shouting people I think Google showed that automatic updating doesn’t have to be as annoying as updating Windows.

    In Windows 7 you get a balloon tip (something that I guess was already promised to be not there, but in the action center) telling updates will be installed later today, and that the pc might need to be reinstalled.

    The first notice…

    So I noticed it this morning, and I want to be secure, so I visit Windows Update to update my machine. I see security updates, I see optional updates, but to install them both, I need to perform loads of steps. (open optional updates, check them. Press ok, then click install)… However, it installs pretty quick, nothing wrong with that…

    But wait, my system needs to be rebooted after installing some browser updates *cough IE *cough. However, I don’t want to. I just started all my things, I don’t want to do that again, so I hit close.

    … next thing what happens is an EXTREMELY annoying popup taking your focus asking if you would like to reboot. If I’m lucky and didn’t hit the spacebar by then, my system doesn’t reboot.

    Ok, now have a look at choice… Can I turn off those annoying popups??? NO! Just 10 minutes, one hour and four hours… I don’t want to be bothered, I reboot my machine when I move to home…

    … So I just set it to 4 hours, it’s the longest time without popups….

    And as you might guess, 4 hours later, I was just writing a nice message in word, didn’t save the file yet, and BANG, the system reboots. Did it ask for a reboot? Yes! Did I want a reboot. NO! What seemed, that annoying popup already took focus before it was shown, and I was already pressing the spacebar or enter in my word document.

    Then, if I’m really lucky, I can save or restore my word document in time….

    Now compare that with Google. You don’t see anything, you don’t need to wait for it, you don’t need to perform some steps, you don’t have to deal with annoying popups taking focus and performing steps you don’t want. It’s just happening in the background and that’s it.

    So yes, I agree with you that choice is a very important thing, and I really like that Windows offers me choice for everything. But I don’t have the choice to be NOT annoyed with Windows Update. Not looking to having to reboot all the time, it would be so much better if I could check a setting that says. "Update just everything, and leave me alone".

    Enabling this ghost update, keeps my system most secure, doesn’t annoy me, not even when I just let it install on shutdown.

    So what I’m trying to say is… Google Chrome showed that getting updates can be so much easier and hidden than we have now. Even with Firefox where you need to install updates every time you launch the application is just as annoying as being popupped with balloons and non-focussed windows update dialogs. Windows Update, Firefox update, can be more smooth, have a function to be more hidden, not necessarily have to annoy the user every time something needs to happen. And on that job, I think Google did something good.

  9. M. Schopman says:

    I don’t really understand the UAC comment in your article. If Chrome is able to install in the user context without intervention, then UAC has some serious flaws because malicious software would also be able to install in the user context?

    So the problem is in UAC, not in bad practice. Google just used what was available to them, just like malicious software would do.

  10. asf says:

    what the hell is wrong with you people, allowing non-admin installs is a good thing, there is no reason for a browser to have admin rights on a box, EVER

    It has nothing to do with malicious software, if the user runs random exe’s, that’s their problem

  11. Larry Seltzer says:

    asf – if the browser runs completely in the user’s context and the user can update it without privilege elevation then so can malicious software. It doesn’t have anything to do, strictly speaking, with browsers running as admin, just in a different and protected user context.

    Maybe you think it’s not a security issue when users run arbitrary exes, but most people think we should at least try.

  12. asf says:

    @Larry Seltzer: and the point is? If some malware is running, then it’s running, why would it need to mess with Google Chrome? It’s better off installing a shell extension and hopefully see an OTS UAC elevation with separate desktops turned off or use some other hole if admin access is what it’s looking for

  13. Larry Seltzer says:

    @asf: If the malware is running as standard user it can’t install a shell extension. But it could modify Chrome in some way, for example, to steal passwords.

  14. asf says:

    @rhalbh: installing as non admin does not open any doors, yes, evil stuff could overwrite an exe, but the door would already have to be open for that to happen. (by exploit, or someone running a trojan) My point is, they are already in your system and can access all your documents and saved passwords, a trojan chrome is the least of your problems (Live Mesh does exactly the same thing)

  15. Larry Seltzer says:

    And at this point I think it’s worth reminding people that Chrome is an open source program. How hard would it be to write a malicious version of one of the major DLLs or the chrome.exe file that works normally except for added malicious functionality?

  16. asf says:

    @Larry Seltzer: it depends on the config, but in a corp. env, yes probably. But there are a million ways to inject into other processes, and explorer.exe would be the main target probably. CreateRemoteThread or SetWindowsHookEx does not care about any policy, only thing that stops it is a process running at higher IL (above medium or low depending on the parent process)

  17. asf says:

    @Larry Seltzer: you don’t need the source of a program to add code to it, all you need to do is carve out some space in the exe and change the PE entry point, virus writers have been doing this for years. I assume chrome is signed so at least it would be possible to tell, but like I have said, if something was able to replace that exe, it’s already too late

  18. Jason says:

    Isn’t that what ClickOnce does?

Comments are closed.
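
The post and the thread above turn on executables that live in directories a standard user can write to, and on the remark that a signature would at least make tampering visible. As an added example (not code from the original post or its commenters), the PowerShell function below inventories `.exe` and `.dll` files under the per-user profile directories and reports each file's Authenticode status; the function name `Get-UserContextExecutable` and the choice of root directories are assumptions of this example.

```powershell
# Added example: inventory executables stored in per-user, user-writable
# profile directories and report their Authenticode signature status.
# Get-UserContextExecutable and the default roots are assumptions of this example.
function Get-UserContextExecutable {
    [CmdletBinding()]
    param(
        # Per-user locations a standard user can write to without elevation.
        [string[]]$Root = @($env:LOCALAPPDATA, $env:APPDATA)
    )

    foreach ($dir in $Root) {
        # Skip roots that are unset or missing on this machine.
        if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path -LiteralPath $dir)) {
            continue
        }

        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                if (-not $sig) { return }   # unreadable file: move on to the next one

                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

                [pscustomobject]@{
                    Path          = $_.FullName
                    # Valid, NotSigned, HashMismatch (changed after signing), NotTrusted, ...
                    Status        = $sig.Status.ToString()
                    Signer        = $signer
                    LastWriteTime = $_.LastWriteTime
                }
            }
    }
}

# Report files whose signature is absent or no longer verifies.
Get-UserContextExecutable |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Path |
    Format-Table -AutoSize Status, Signer, Path
```

A `Valid` status only shows that the file is unchanged since that signer signed it, so the `Signer` column needs reviewing as well; `HashMismatch` is the case raised in the comments, a signed binary that was altered afterwards.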
