back to article Google publishes Chrome patch details

Google has belatedly released details of a security update to its newly released Chrome browser, days after it actually pushed out the patch. The update was published on Friday and users of Chrome were automatically updated, but details of the vulnerabilities fixed and performance tweaks only emerged on Monday, via a mailing …


This topic is closed for new posts.
  1. Anonymous Coward

    update indeed

    I was "updated" by google. No details, no notice, no warning. The first I heard of it was NOD32 piping, telling me the application was modified since last time I used. I removed it right away. If Google thinks that my choice to install their browser somehow gives them the right to do with my machine what they like without question or notice they seriously need a reality check.

    It is time that huge echo chamber called the Googleplex opens the windows and checks how the rest of world likes to run their systems. Cheeky sods////

  2. This post has been deleted by its author

  3. Sam

    @Double dekkers

    its in the EULA

  4. Alan
    Thumb Down

    What update?

    i can see no update. My version number is still at the older one, and the UPDATE button in the About box is not there

  5. Sooty

    Not ideal

    "Google has also responded to its exposure to the infamous Safari carpet-bombing flaw by ensuring that desktop is not the default directory for downloads"

    Allowing code to be downloaded without permission is bad enough. All it needs is for a website to exploit this to put certian illegal pictures on your hard drive and automatically report your ip to the police.

    not being on the desktop isn;t really going to help you there.

  6. Eddie Edwards

    They don't

    "If Google thinks that my choice to install their browser somehow gives them the right to do with my machine what they like without question or notice they seriously need a reality check."

    No, I think they only update Chrome.

    "If Google thinks that my choice to install their browser somehow gives them the right to update it automatically with fixes for severe bugs they seriously need a reality check."

    There, fixed that for you.

  7. This post has been deleted by its author

  8. regadpellagru


    "The first of the two critical bug fixes addresses a buffer overflow bug in handling long filenames"

    Here we go again. New browser, lesson 1.

    One decade after Netscape ...

    Good luck, guys :-)

  9. Evgeny

    To update or not to update

    Being updated without being force to go through dialog hell and reboots (IE case), it imho a good thing. Makes the botnets smaller.

  10. Anonymous Coward

    @Rik Hemsley

    You're telling me you're quite happy for people (I don't care if those people are google or not!!) to just go installing/removing/updating software on your computer without permission!?!

    And don't say it's in the EULA - we all know how well that was read over before chrome was released!

  11. sabroni Silver badge

    Why i don't like being updated without being informed

    because if there's a silent update mechanism that can be compromised. Duh!

    We already know chrome shipped with a buffer overflow error (wow, that's an unusual one) How do we know that error can't be used to trigger the update mechanism maliciously?

    When microsoft started pushing out updates silently it was deemed a bad thing. This is no different. Why haven't google allowed users to configure the update process? If you trust them with your pc then you enable silent updating. Personally, I like to know when my executables are fussed with so I prefer a "Updates are available" dialog. It's just politeness!!!

  12. Dave B


    Any other observant souls noticed this process running 24/7 on their system, even without Chrome having been used in days? Those same souls have maybe observed that, just like spyware, if you deselect it in MSConfig, it overrules you and reloads next startup regardless.

    Nice one, Google.

  13. Mark McC

    Re: Bitching about automatic updates

    Google said >"The Software that you use may automatically download and install updates from time to time from Google. These updates are designed to improve, enhance and further develop the Services and may take the form of bug fixes, enhanced functions, new software modules and completely new versions. You agree to receive such updates (and permit Google to deliver these to you) as part of your use of the Services."

    By participating in Google's public beta testing, you agreed to the program automatically updating itself. If you want a browser that doesn't do this, try Firefox, Opera, IE, Safari, Konqueror or any of the others that aren't still in the early beta stages.

    Alternatively, uninstall Chrome and wait for the 1.1 release which will probably have an option to disable this (or at least, make a note in your will asking you grandchildren to install it).

    /mine's the one with the EULA printout in the pocket.

  14. Dave Morfee

    Sneaky buggers

    I can see Gregs point, everyone called foul at MS for being semi sneaky with its updates, but for them to update the software silently, without informing the user is a bit worrying.

    Of course it would be interesting to see if they could update Chrome, on Vista with UAC working, I wonder if it would throw up a prompt?


  15. Tim


    For those wondering how it updates:

    Earlier today I saw a process called GoogleUpdate.exe running as I was looking at task manager. It was running away even though Chrome wasn't loaded. Chrome installs it as a scheduled task, keeping the .exe in Local Settings/Application Data/Google which is not the right place for it. Here's what the tasks' properties has to say:

    "Google Update Task keeps your Google software up to date. If Google Update Task is disabled or stopped, your Google software may not be kept up to date, meaning we can't fix security vulnerabilities that may arise, and features in your Google software may not work. Google Update Task uninstalls itself when there is no Google software using it. It may take a few hours for Google Update to detect it is time to uninstall."

    It's still running now despite me not having Chrome loaded at all today, so that's a load of bollocks.

    I've uninstalled the whole lot now as I don't like this sort of stealth, background thing being installed without me knowing about it. Firefox is faster anyway and it's not worth the risks just to have gmail running in a window without an address bar.

  16. Robert Harrison

    @Rik Hemsley

    "Why don't you want to be updated without being informed?"

    You must be new here. If feature X worked yesterday but no longer works today *because* the silent update introduced a bug with the new release, I am sure that you would like some clue as to what has changed in the system. Or maybe you don't :o)

  17. TimM


    First thing that's important to stress is browsers will always need security updates. So let's get that out of the way.

    Now the key issue really, is just how well Google can cope with updates.

    This is really I think how Chrome will be judged. It's a rather good browser otherwise, considering it's a beta. There are missing features of course and a few minor rendering issues (no surprise given it's currently using the 3rd or 4th placed engine which gets overlooked a bit by developers), but otherwise it's looking very promising.

    So that really leaves response to security issues as a priority and if it's not addressed properly then it could be the browser's downfall.

  18. Anonymous Coward
    Paris Hilton

    @ Eddie Edwards

    if by "there, fixed that for you" you mean "there, I changed your words to match my world view, and I feel much better now" then you are right. Otherwise, you are not, and changing my words around is not going change the facts, or my opinion of the facts.

    If Google is messing with my system without notice or approval it matters nothing if they only touch the Google app or not. even more so because I don't have the Google updater installed or running.

    If they cannot be trusted to respect my wishes when I explicitly say so (as in, remove the updater), they certainly cannot be trusted to keep their updates only to the browser.

    Paris, because even she has the ability to articulate what she wants to, without needing to be "fixed"

  19. Andy Livingstone


    See, it really is possible to have an article about Chrome without resorting to unnecessary profanities.

  20. Christopher
    IT Angle

    The application failed to initalize properly (0xc0000005)

    Wonderful patch can't actuly do anything now, just get "The application failed to initalize properly (0xc0000005)" and an aw snap window. Very user friendly Google!

    What rubbish I'm not going to reinstall I am going to uninstall and stick to opera and firefox

  21. Chronos

    Re: update indeed

    Never mind, DD, at least we have this lot to be crash test dummies for us. I didn't bother to try it: I just paid heed to the sound of a thousand files being altered without the owners' permission, along with the possibility of browsing habits being sucked in at a force of several kiloLovelace - hearsay, natch, but they're an advertising company. One of Brin's papers in 1998 was specifically concerned with mining as much useful data as possible from large sets. What else would they produce a web browser for? I suppose you think they go on an abandoned kitten search every Wednesday afternoon, too? This may have led me to conclude that this software is possibly, nay, probably not for me. Besides, I can't be arsed to compile WINE [1] just to try another sodding web browser that will probably annoy the hell out of me anyway, even if it does run Java'scrap really, really quickly for "The Cloud," whatever the chuff that is ;)

    My hardware, my borrowed electrons, my node, my rules! You may like your hardware running around complying with any old munchkin's orders or your data/documents/life sitting on some goon's storage but I prefer to have control. YMMV, NAWPBL, SWW etc.

    If you think this reads as unduly offensive, it's because I'm having one of those days where the lusers think it's safe to crawl out of the risers and floor space and actually try to interact with me (they scuttle back in making gurgling and clicking noises when I exceed their capacity of two syllables per word), so I'm not feeling particularly empathic or sympathetic, especially toward people who think it's OK to let all and sundry muck (I originally began that word with an F) about with other people's shit whenever they feel like doing so on the sly and then gape incredulously when someone points out that it really isn't cricket, to the point that it looks like they're taking the piss out of the one sensible comment in this entire Google-adoration-fest of a thread. It's a web browser produced by an advertising and data-mining company. It's not first contact, the second coming, the breaking of the third seal or the fourth horseman, although it looks suspiciously akin to the latter with regards privacy, as do most things Google have come up with recently.

    [1] No, it is not Linux. What is it, then? Mind your own sodding business.

  22. Dan Silver badge

    Why i don't like being updated without being informed

    I don't know about you but if I'm in the middle of something that has to be finished yesterday I always reject updates until I've finished it.

    As Christopher has shown.

    In my case, if I have all my programming bookmarks in one browser and it goes down that's half-an-hour to an hour lost either re-installing an earlier version or fishing the bookmarks out of the broken browser and moving them across to another.

    Of course, I'm not as Web 2.0 as Google and therefore my code can't be in a perpetual state of beta-ness like Google's can.

  23. Anonymous Coward

    Bit confused here:

    You mob are running the first release of beta software, and are complaining that there's bugs, holes and other undesirables in it?

    On top of that, you're pissed that the software forces updates on you? The (assuming now, but seems safe to do so) point of the public beta is to evolve the software. The software isn't going to evolve if you slap an approval on upgrade, because only a percentage of people will allow it, diluting your beta numbers.

    You can argue with Google's "Beta- forever" policy, but you can't avoid the fact that they'll want as many people as possible running the latest code, for as long as possible.

  24. Bill Gould
    Gates Halo


    The Chrome update actually does require you to close and restart Chrome (because it doesn't integrate with the OS that doesn't need to be restarted).

    If they have an update, tell me there's an update, provide a link to details regarding said update and ask me if I want to download and install it.

    Bad form Goog, bad form.

  25. Dave Bell

    Yeah, it's a Beta

    You should expect updates.

    But if you're beta testing, isn't it a good idea to keep the testers well-informed.

    "It's on the blog!" isn't good enough.

  26. Anonymous Coward
    Thumb Up


    you win a pint!

  27. Anonymous Coward

    @Tim re: "Updates"

    >"It's still running now despite me not having Chrome loaded at all today, so that's a load of bollocks."

    Clealy, sir, hace misunderstood. What they mean is that if you uninstall Chrome (and any other google apps that you might have installed, e.g. google earth, google toolbar, 'lively', whatever that is, since they all use the same updating mechanism - GoogleUpdate.exe isn't new with Chrome), it will uninstall itself, not that every time you close the browser it stops executing.

  28. Anonymous Coward

    Hmmm Chrome

    Is new

    Is shiny

    Is chrome

    Is silently updating


    Is now uninstalled

  29. bobbles31

    re Chronos

    Hark at the legend in his own lunch hour.

    Your comments remind me why I detest large swathes of the IT community. Grow up and face the fact that google et al don't give a fuck (I have no compunction with the f) what you think. They are producing a browser for the majority of the internet community and I'm afraid their isn't snotty geeks who know how to install an operating system. [1]

    I agree that allowing anyone to update your computer without permission is a bad idea. But, until something bad happens to the majority of internet users, who trust their most intimate information to Facebook and haven't got a clue what updating their browser means, let alone entails, auto updating of this nature is probably the best approach. Remember we are talking about a user base potentially as young as 7 and as doddery as 70.

    I apologise that I didn't use long words in my post.

    [1] No one gives a fuck which one it is....jumped up Muppet

  30. Anonymous Coward


    This article has been up a whole day and only 29 comments about the lack of control over the silent updates - and some of those are actually supportive.

    If this was MS, this comments section would be well over 100, people complaining (and rightly so) about a company installing stuff on their computer without their permission and generally bitching about how evil MS are and how you can't trust them.

    What makes google any different? They want to mine your data to make a larger profit from their advertisers. They want to prostitute your browsing habits to make money, but because it's google and not MS everything's ok?

    I think this just proves the point that far too many people recently have jumped on the 'lets bitch about MS' bandwagon and the rabid anti-ms comments you get most of the time are nothing to do with the posters principles - they are just foaming at the mouth because it's that big bad boogeyman - Microsoft.

  31. PT

    Silent Updates

    I'm a bit late to this thread, but I have to comment. I was working away hard on improving my Spider average score when the firewall popped up a warning - "SETUP.EXE is trying to access the internet". WTF?!? I killed the process. A few hours later it happened again. This time, after a bit of effort, I was able to find out what subdir the suspicious Setup was running out of, and a few minutes later Chrome was GONE.

    Hint to Google - don't make your product look and behave like a fucking spyware bot. Identify its components by recognizable names, like Chrome_Setup, and prompt before updating - or at least give us the choice.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022