Dealing with Old-Chrome Vulnerabilities

Question asked by Robert Geiger on Jun 27, 2014

Hi, All...

 

I searched in the archives and didn't see this discussed anywhere -- which surprises me given how widespread Chrome is in most enterprises.

 

These Chrome vulnerabilities multiply like rabbits and are generally Severity 4 vulnerabilities, with 50+ different QIDs, but the descriptions all look something like this:

 

Google Chrome Prior to 28.0.1500.95 Multiple Vulnerabilities

Google Chrome Prior to 29.0.1547.57 Multiple Vulnerabilities

Google Chrome Prior to 30.0.1599.101 Multiple Vulnerabilities

 

The Results field usually points to where the vulnerable file is, like so:

 

%systemdrive%\users\{username}\AppData\Local\Google\Chrome\Application\15.0.874.106\chrome.dll file version is 15.0.874.106

 

We have found in testing that simply going out and blowing away these old directories gets rid of these vulnerabilities... The problem?  How to scale that solution across hundreds of offices and tens of thousands of users in a global organization?

 

And, yes, our homework has uncovered OldChromeRemover (see http://singularlabs.com/forums/topic/oldchromeremover-remove-obsolete-google-chrome-versions/) but before we resort to deploying that or trying some other brute-force method of removing all of these defunct Chrome directories, I wanted to see if anyone else in the community has encountered this.

 

If you have, and manage this in a large organization, how in the world did you deal with it?

 

Thanks very much in advance.

 

Bob
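
One way to inventory the leftover directories described in the question before deleting anything, as an added example that is not part of the original post or of any vendor tooling. It assumes per-user installs under `AppData\Local\Google\Chrome\Application` (the path shown in the Results field) and that the highest-numbered version directory in a profile is the one in use; the `$UsersRoot` parameter and `-Remove` switch are names chosen for this sketch.

```powershell
# Added example: report (and optionally remove) stale per-user Chrome version
# directories such as ...\Chrome\Application\15.0.874.106.
# Assumption: the newest version directory in each profile is the live install.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UsersRoot = (Join-Path $env:SystemDrive 'Users'),
    [switch]$Remove   # hypothetical switch: delete instead of only reporting
)

$profiles = Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue
$stale = foreach ($userDir in $profiles) {
    $appDir = Join-Path $userDir.FullName 'AppData\Local\Google\Chrome\Application'
    if (-not (Test-Path -LiteralPath $appDir)) { continue }

    # Version directories are named like 15.0.874.106; ignore anything else.
    $versions = @(Get-ChildItem -LiteralPath $appDir -Directory |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } |
        Sort-Object { [version]$_.Name })
    if ($versions.Count -lt 2) { continue }

    # Keep the newest directory in this profile; everything older is a leftover.
    $current = $versions[-1]
    foreach ($old in $versions[0..($versions.Count - 2)]) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            User     = $userDir.Name
            Stale    = $old.Name
            Current  = $current.Name
            Path     = $old.FullName
        }
    }
}

$stale   # emit the report so it can be piped to Export-Csv or collected centrally

if ($Remove) {
    foreach ($item in $stale) {
        # ShouldProcess honours -WhatIf and -Confirm for a dry run.
        if ($PSCmdlet.ShouldProcess($item.Path, 'Remove stale Chrome version directory')) {
            Remove-Item -LiteralPath $item.Path -Recurse -Force
        }
    }
}
```

A profile whose only version directory is itself outdated is not reported here; that case needs a Chrome update rather than a cleanup.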
