On 12/12/2009 8:18 PM, Edward Ned Harvey wrote:
>> As I commented in another answer, Chrome doesn't install in the "usual"
>> locations. Check:
>>
>> c:\users\<username>\AppData\Local\Google\Chrome\Application
>>
>> This doesn't require elevated privs, because the directory structure is
>> owned by the user. The same applies to XP as well, it'll install it in
>> the docs and settings folder instead.
>
> Ahh.
> Yes, so it does not require elevated privs. But I still expected nothing
> should run at all without confirmation. You don't need elevated privs to
> delete all my files, or read my mail, or send mail on my behalf, or popup
> windows with porn in them...

I believe part of the reason you don't get any prompts is the installer is
probably digitally signed. You can pick up a signing key from most of your
SSL providers (Verisign etc). The problem is, most spammers, hackers, etc,
won't get a signing key because it makes traceable evidence.

> I'm not sure if you need elevation to log my keystrokes or otherwise capture
> my credit card info.
>
> Clearly, if bad guys can repeat what Google did, there is a lot to risk
> here. They would only need to get you to click one link, which looked legit
> at the time.

Repeating it is relatively easy, just grab a copy of Visual Studio, options
are all in there. The signing part makes things a little more complicated
though. That being said, there is nothing to stop Google from bundling stuff
in their ClickOnce installer, but then again, nothing stopping anybody from
doing that.

A quick search on your favourite search engine seems to hint that Chrome is
installed using ClickOnce [1]. More details on the technology can be found on
the MSDN site [2]. Interesting to see that Google is using a Microsoft
technology for deployments :)

[1]: http://googlesystem.blogspot.com/2009/03/standalone-offline-installer-for-google.html
[2]: http://msdn.microsoft.com/en-us/library/t71a733d%28VS.80%29.aspx

-- 
Jon Angliss <j...@netdork.net>

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
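
As an added example that is not part of the original thread, an administrator can audit what has been installed into the user-owned profile location discussed above and see which of those executables carry a valid Authenticode signature and from which signer. The function name and the choice of `$env:LOCALAPPDATA` as the scan root are assumptions of this example.

```powershell
# Added example: inventory executables under the per-user profile, a location
# the user can write to without elevation (for instance
# AppData\Local\Google\Chrome\Application), and report their signature state.
param(
    # Assumption: scan the current user's AppData\Local; pass another root to override.
    [string]$Root = $env:LOCALAPPDATA
)

function Get-UserInstalledExeSignature {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer   = if ($cert) { $cert.Subject } else { $null }
                NotAfter = if ($cert) { $cert.NotAfter } else { $null }
                Modified = $_.LastWriteTime
            }
        }
}

$results = @(Get-UserInstalledExeSignature -Path $Root)

# 1. How many per-user executables fall into each signature state.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# 2. Which publishers have validly signed code in the profile.
$results | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap

# 3. Executables that are unsigned or fail validation, newest first, for review.
$results | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Path, Status, Modified -AutoSize -Wrap
```

A `Valid` status only says the file is unmodified since a trusted certificate signed it; it identifies the publisher and does not vouch for what the program does.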