Is anybody aware of any security issues with the Chrome browser?
Several people on my network have installed it on their machines without my knowledge, and I've been trying to find out more about it. One thing that I certainly don't like is that normal users (non-administrators) can install it on their machines, because it only installs to the "C:\Documents and Settings\[UserName]\Local Settings\Application Data\" folder. It does not touch the Program Files directory or write anything to the Local Machine registry hive. Therefore, it does not show up in control panel, and does not show itself to network software inventories.
So there is essentially no way for me to even tell which machines it is installed on, without manually looking at every computer - which is not going to happen. I'm not the biggest Network Nazi in the world when it comes to these things, but internet browsers have inherent security flaws and -- at the very least -- need to be patched/updated from time to time. If users are installing these themselves, and I have no idea whether or not they are installed, then there is also no way for me to make sure they are getting updates, and running on the latest/most secure version.
Searching online for chrome security issues doesn't yield any results newer than the beginning of September, which is around the time it was released.
I am thinking about using my virus software to block the application from running across our whole company, TBH.
What do you guys think?
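An added example, not part of the original post: since a per-user install leaves nothing in Program Files or the Local Machine hive, one way to find it is to sweep each workstation's profile folders over the admin share. The function name `Find-PerUserChrome` and the `hosts.txt` list are hypothetical; the sketch assumes PowerShell 3.0 or later, admin rights on the targets, and Chrome's per-user location `Google\Chrome\Application\chrome.exe` under the folder the post names.

```powershell
# Added example: inventory per-user Chrome installs that never appear in
# Control Panel or in an HKLM-based software inventory.
function Find-PerUserChrome {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName
    )

    # Profile layouts relative to the system drive: XP-style first, then Vista and later.
    $patterns = @(
        'Documents and Settings\*\Local Settings\Application Data\Google\Chrome\Application\chrome.exe',
        'Users\*\AppData\Local\Google\Chrome\Application\chrome.exe'
    )

    foreach ($computer in $ComputerName) {
        $root = "\\$computer\C$"   # administrative share (assumes C: is the system drive)

        if (-not (Test-Path -LiteralPath $root)) {
            # Report unreachable hosts explicitly so "no result" is never read as "clean".
            [pscustomobject]@{ Computer = $computer; Status = 'Unreachable'
                               User = $null; Version = $null; LastWrite = $null; Path = $null }
            continue
        }

        # The wildcard expands to one match per profile that contains chrome.exe.
        $hits = @(foreach ($pattern in $patterns) {
            Get-Item -Path "$root\$pattern" -Force -ErrorAction SilentlyContinue
        })

        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Computer = $computer; Status = 'NotFound'
                               User = $null; Version = $null; LastWrite = $null; Path = $null }
            continue
        }

        foreach ($exe in $hits) {
            # Path after the share is \<profiles dir>\<user>\..., so index 2 is the profile name.
            $user = $exe.FullName.Substring($root.Length).Split('\')[2]
            [pscustomobject]@{ Computer = $computer; Status = 'Installed'; User = $user
                               Version   = $exe.VersionInfo.FileVersion   # compare against the current release
                               LastWrite = $exe.LastWriteTime             # old timestamp suggests a stale copy
                               Path      = $exe.FullName }
        }
    }
}

# Usage (hosts.txt is a hypothetical one-name-per-line list of workstations):
# Find-PerUserChrome -ComputerName (Get-Content .\hosts.txt) |
#     Export-Csv .\chrome-inventory.csv -NoTypeInformation
```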
Google Chrome Security/Privacy Issues?
Re: Google Chrome Security/Privacy Issues?
Uh yeah, it's by Google. That means everything and anything you do with it is scrutinised by the one company on this planet that is absolutely the best at what they do. Which is analysing data.
So, you know. Duh.
Re: Google Chrome Security/Privacy Issues?
Who pissed in your pasty-flakes this morning?
Re: Google Chrome Security/Privacy Issues?
Eh seriously though... a new browser with a new rendering engine. It's going to go through a bunch of serious security flaws before it's locked down enough to trust.
Happened to IE, Opera, and Firefox. Google's programmers might be good and may have learned a lot from those that have gone before them, but it'd take something exceptional to launch a new browser engine without exposing its users to a bunch of serious risks for at least the first few years.
Having said that, on specifics... I have nothing in this case.
As regards locking down users... shit yeah, do that. But your av/endpoint and gateway security should be tight enough that it doesn't really matter what your clients are doing... If opening up to potentially-vulnerable browsers would pose a problem for you then you should both look at locking down the workstations but more importantly tightening up your perimeter so that ultimately it wouldn't matter.
At the most basic level, block the exes with AD just to deter the casual crowd. Maybe go on hash values if you're feeling frisky.
Re: Google Chrome Security/Privacy Issues?
Actually it's not using a new rendering engine, it uses the WebKit engine.
I honestly hadn't considered blocking the executable in AD though. I had already blocked it with an a/v policy before my last reply, but I may go back and do it with AD instead.
But this bit you mentioned simply isn't true:
"But your av/endpoint and gateway security should be tight enough that it doesn't really matter what your clients are doing... If opening up to potentially-vulnerable browsers would pose a problem for you then you should both look at locking down the workstations but more importantly tightening up your perimeter so that ultimately it wouldn't matter."
We have strong firewalls, and access lists on our outside routers to block unwanted traffic, as well as Group Policy applied to our PCs, but these things can't prevent users from clicking on the wrong button on a website and having their browsers/machines hijacked.
The only completely secure, functional network is one that doesn't have humans using it.
Re: Google Chrome Security/Privacy Issues?
Losing a workstation vs losing a chunk of your machines when you get a spreading threat is a different matter. Losing individual machines from time to time I can cope with. Heck I consider it business as usual though I realise that might be a shit-storm of a controversial position.
If your software inventory, document redirection and imaging solution are all in order then it should be a case of dropping off a fresh workstation and picking up the damaged goods.. maybe a formal warning to the user that 3rd party software is prohibited and problem solved... for the one or two problem users that will cause this I'm not sure it's worth busting a gut fretting over the right preventative measures.
That said, the state of our current deployment is a royal fucking mess because the engineer entrusted with the AV responsibility is taking the piss with spinning out 5 minute jobs into month-long farces.... the knock-on problems this causes us I can't begin to describe. So... my theory is good but fucked if I can demonstrate it in action at this current moment in time

Re: Google Chrome Security/Privacy Issues?
Oh, but that's half the point: if a user can get his own machine infected in any way, then it is conceivable he can infect other machines. There are a lot of nasty critters out there that have been written to do exactly that.
If you go at security with the idea that "we can afford for one machine to get infected," you'll be in trouble sooner or later.
That engineer reminds me of a guy I work with. He's had 3 different projects on his plate for over 4 months now and none of them are finished. Now that our boss has been laid off, I'm sure he'll be able to milk them for a couple more months at least. Nice way to hide the fact that you have no clue what in hell you're doing.
He needs to stick to Ghosting PCs.
/rant

Re: Google Chrome Security/Privacy Issues?
Just to give a specific example. We recently migrated to a new IP range and one of the last jobs was to migrate the statically-assigned printers across as well. Creating new ports and assigning the printers onto them was apparently too difficult.. so he's gone through and edited all the ports to reflect the new IPs... except the port names are still the old IP addresses. So to make it 'clearer' he put the new IPs into the comment field for each printer. Well, about half the printers. And in AD the comments field is exposed to the user in various places as the only descriptive field about the printer.... so... agh.
I can't contemplate the genius that it takes to wrap things up into so many knots.
Re: Google Chrome Security/Privacy Issues?
That's nearly identical to a project my co-worker has been taking forever on -- except we aren't even changing IPs.
Printers are being migrated from one server to another, and he's decided to 'clean them up' in the process. Nothing wrong with that of course.
But it took him over 2 months to tell our boss that it simply couldn't be done on a 2003 virtual machine running on a 2008 server (which was the plan), and furthermore that there was no way to automate the printer migration.
After that, I built backup DNS & WINS servers on a 2003 VM on that same box, and in an afternoon they were live. And a couple of years ago, I automated the migration of all those exact same printers to a different 2003 server in like a week.
So not only was he wrong, but I'd gone and done the things he said couldn't be done twice, and in both cases in much less time than it took him just to decide that they were impossible to do.
I'm sorry, did I rant again?