The Windows version of Google Chrome is one of the most widely used browsers. And Google is now tightening restrictions on browser extensions that install themselves without full notification to users.
This may be frustrating for companies that bundle browser extensions with their standard user download packages. But it will make the Chrome browser more secure and set a positive security example for browser extensions generally. And for the IT community at midsize firms, this is a welcome development.
Browser extensions have become an all too popular vector for malware exploits. This makes better protection of browsers good news for all users–not just individuals using a browser to surf the Internet, but companies that depend on the open Web to reach out to customers.
As Seth Rosenblatt reports at CNET, Google Chrome for Windows will now require most browser extensions to get explicit user acknowledgment and permission before the extension can be installed. Two new features in Chrome 25 will enforce the new rules.
The only extensions exempt from the new requirement are those that come directly from the Chrome store, and are thus under the Google aegis.
According to Peter Ludwig, Chrome product manager, the previous policy of allowing silent installation of third-party extensions had been “widely abused” to install extensions “without proper acknowledgement from users.” Henceforth, third-party extensions will be disabled by default. A notification box will say that an extension has been installed and give the user the option of enabling it.
Another feature in Chrome 25 will make this protective functionality retroactive. Existing third-party extensions will be disabled, with a prompt allowing users to re-enable them.
In Line With Mozilla
The new protective functionality brings Chrome into line with Mozilla Firefox, which already requires notification by third-party add-ons. The move may be unwelcome to some companies and other organizations that have incorporated browser extensions in their uploads. But comments on the CNET piece were strongly supportive of the move.
IT professionals at midsize firms have a strong stake in measures that strengthen browser security. Browsers are users’ doors to the open Web, an environment that allows midsize firms to compete on an even playing field.
The mobility era is already posing a challenge to the open Web, as app-ification and walled gardens make the full Web harder to reach. The continued availability of safe, secure browsers is a key protection against the fragmentation of the Web and dominance by large vendors. This makes the latest Chrome for Windows protections a very good move for midsize firms.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Google’s latest steps will make it harder for malicious developers trying to exploit Chrome users via browser extensions.
Extensions are plugins for Google Chrome and allow developers to add extra functionality to the Web browser. Many Chrome extensions are supremely useful, such as Ghostery, which quickly and easily detects and blocks Web trackers tagging your movements across the Web, the goo.gl URL shortener, and ViewThru, which displays the full URL when hovering over a shortened link. Others, like the “Change Your Facebook Color” extension pointed out by Webroot, are privacy-violating scams peeping at the browsing history and data from other Web sites. Spam-spewing extensions also exist.
While many of the extensions are accidentally installed by users who were tricked into downloading them, many were installed without the user’s knowledge by other dodgy applications using Chrome’s auto-install feature. To address that problem, Google has removed auto-installs in the latest version of Chrome.
No More Auto-Installs
Google originally included the auto-install feature to allow applications to install an additional Chrome extension during their own installation process. This was intended to simplify the installation process so that users didn’t have to add the extension manually afterwards.
“Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users,” Peter Ludwig, a product manager at Google, wrote on the Chromium blog.
Chrome (version 25 for those counting) will now block an application trying to auto-install an extension and display an alert informing the user about the new extension and listing some of the things it can do (such as “Access your data on all Websites” and “Read and modify your bookmarks”).
Chrome 25 also automatically disables any extensions that were previously installed using the auto-install feature. If the user wants to re-enable the extension, the browser will display a one-time prompt explaining what each extension wants to do before allowing them to be turned back on.
Stopping Malicious Extensions
Google also appears to have a new service which analyzes “every extension that is uploaded to the Web Store and take down those we recognize to be malicious,” according to the support pages for the Chrome Web Store. There isn’t a lot of information about the service at this time, so it’s not known whether Google is using an automated scanner similar to Google Bouncer, which checks apps in Google Play (or whether Bouncer itself is handling both markets).
Google has recently cracked down on extensions. Back in July, Google changed Chrome so that users could only install extensions found in the Chrome Web Store, and not from third-party sites.
Google product manager Peter Ludwig recently announced that the upcoming Chrome 25 for Windows will prevent the installation of browser extensions without user approval.
“Until now, it has been possible to silently install extensions into Chrome on Windows using the Windows registry mechanism for extension deployment,” Ludwig writes. “This feature was originally intended to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application. Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgment from users.”
“In order to prevent this type of abuse, starting with Chrome 25, the browser will automatically disable all previously installed ‘external’ extensions and will present users with a one-time dialog box to choose which ones they want to re-enable. … Mozilla implemented a very similar mechanism over a year ago in Firefox to prevent extensions installed offline by other programs from being enabled without user confirmation,” writes PCWorld’s Lucian Constantin.
“Google recommends that Windows developers use their inline installation mechanism for adding extensions in the future,” The H Open reports. “This allows extensions to be served from Google’s Chrome Web Store in the background while appearing to be installed from the extension developer’s web site.”