Google Chrome installs on a “per user” basis. That means the application installs to the user’s profile rather than on a system wide basis. The user doesn’t need to have local administrator rights in order to perform the install. That works great if you’re into corporate chaos, or you just don’t want to have to contact an administrator to install Chrome. It doesn’t work so well for multi-user computers. Bob, Sally and Joe each individually install Chrome. The Chrome application directory is north of 100 MB and has a tendency not to remove old versions. That’s a lot of space.
And what about updates? Google has been praised for their silent update of Chrome, but that only works for the logged on user. The other user profiles aren’t updated until they are used.
Is this even a problem? A classic argument. The vulnerable version of Chrome isn’t running. It should update if it is ever used. Unfortunately, it shows up on the vulnerability scan results. So it is hard to ignore. How could I tell the difference between a Chrome version that hasn’t been using and one that has?
After a bit of investigating, I found evidence that Chrome had been installed on this computer as a user named Template. This profile was then copied to the default user profile. The default user profile is the basis for every new user account, so every user after that had Chrome in their user profile. I doubt this was intentional or that Google ever said this was a way to make it available to all users on a system. I don’t know for sure.
At this point, I have a set of lab type computers where over time multiple people have logged in. Each user profile is seen as having a vulnerable version of Chrome. The best thing I can figure is to perform a manual uninstall of Chrome from each user profile. If I attempt a regular uninstall it fails because I am unable to delete the registry keys required in the uninstall script. It attempts to delete registry keys from hkey_current_user. That works for the logged on user, but not when remotely trying to remove all instances of a chrome install.
I think I’m left with a tedious manual process.
Google now has a MSI install of Chrome. This would install for all users and be updated once. Only downside is it requires admin rights to update. But that is no different from any of the other unsupported third-party software that is put on these computers. Going forward, that would be a much better method if we want to run Chrome on these computers.