back to article Google to scan Chrome extensions, bans auto-install

Google has taken two steps to prevent its Chrome browser becoming an attack vector for malware that runs as extensions to the browser. Like many other browsers, Chrome allows users to install “extensions”, apps that add functionality. Google even runs the “Chrome Web Store” to promote extensions. Security outfit Webroot …

COMMENTS

This topic is closed for new posts.

Facepalm

Shame when your main selling-point turns out to be a massive pile of steaming fail...

2
12
Bronze badge

Not sure what you're referring to specifically.

Did Chrome claim to be immune to nasty plug-ins or something?

8
2
Anonymous Coward

Yep, Good to be OPEN

1
0
Silver badge

After all the 'this is the fastest most secure browser ever'........

Thankfully I don't use it.

1
0
Anonymous Coward

How long was I being f***ed by this browser before they found out about this?

Should have stuck with IE at least they've been honest with their vulnerabilities.

2
9
Bronze badge
Facepalm

@AC 11:23

"Should have stuck with IE at least they've been honest with their vulnerabilities."

LOL! Ha ha ha! ROFL! Ha ha! Oh Jesus, stop it, oh dear Lord, before my sides give way!

7
2
Unhappy

"Thankfully I don't use it."

Sadly for the rest of us, you do use a browser.

6
1
Silver badge
Windows

Dur-

The posts about Surface are that-a-way...

0
0
Facepalm

OMG!!!!

Someone exploits browser plugins loophole? Well, I never saw that coming. It was just so unexpected I can see why the Google overlords haven't put this protection in until now...

3
1
Anonymous Coward

malware-ridden quagmire

good description of the internet.

10
0
Thumb Up

Re: malware-ridden quagmire

After a recent marathon of watching Family Guy the only thing that came to mind off that title was Quagmire standing at a toilet talking about it burning when he takes a leak....

0
0
Anonymous Coward

Talk about closing the stable door after the horse has bolted.

Google really are the new Microsoft. Releasing poorly secured "powerful" products and then retrospectively having to try to fix the security problem without breaking too much or annoying users (next to impossible).

Try and design a good secure product from day one please.

9
6

@ac 23:11

I'm really not a Google fan as you'll see if you look at my other comments but I think you are being really unfair. Chrome did advance the state of browser security with automatic updates and not relying on Adobe for Flash fixes. This seems to be reducing a threat that occurs when software has already run as the local user on the PC.

7
2
Silver badge
Trollface

"Try and design a good secure product from day one please."

You do it, if you're so clever.

7
3
Bronze badge

You do it, if you're so clever.

Very true. One problem that always crops up is that when you leave a door open to help somebody, it is only a matter of time before somebody else uses it to steal the crap that lies inside.

I've never been a fan of total automation myself because of situations like this one. If anything, it's one reason why I have avoided Chrome up until now, though I'm not completely happy with Firefox's setup either. But the feature was there with the best of intentions. Coding is often a thankless task.

I might not like Google a whole lot right now, but I can see why they are doing this. If anything, it saves them from a bigger problem later on.

2
0
Silver badge

Re: You do it, if you're so clever.

"I've never been a fan of total automation myself because of situations like this one."

Neither am I, nor will most readers of El Reg. But we are not in the majority of people using these sort of applications. We know, more or less, what's going on and are very wary of going onto the internet without having any control.

The majority of people don't think of their browser as a computing related thing, to them it's just the way they get to Facebook, read e-mails and so on. To them these things are just appliances, switch on and go. After all, you can just turn on the television or oven and it does it all for you, no dialogs asking you for permission to do something.

Given the power and threat of the internet; after all using a washing machine will probably not mean that you have money taken from your bank account, Google should be held to account for such goofs as silent auto-install. But looking at reports Chrome is very popular, I just wonder, given Google's propensity for data skimming, whether it is as popular with the readers of El Reg, for the reason set out above.

1
0
WTF?

Re: You do it, if you're so clever.

You consider Firefox more secure than Chrome? And less likely to have toolbars/addons/crapware added?

0
0
Anonymous Coward

Not really, make it auto-everything then when you have lots of people using it, then you start cleaning up your act once they're on board and using it.

Page 1 in Marketing 101 for Dummies. Get the suckers in the door with the offer of a free toy/sweetie then once they're inside, tell them the sweeties have all gone but there's Sprout Soup that tastes like sweeties if they want some?

0
0
Bronze badge

@Joseph Lord

I think you will find that when Chrome was debuted, Microsoft had been providing automatic updates to IE for a decade or so already.

Not that IE is/was any good browser, but credit where credit is due.

0
2
Anonymous Coward

Re: @Joseph Lord

"Microsoft had been providing automatic updates to IE for a decade or so already."

Really, then how come so many people are still on IE 7...or 8... or 9 etc

They don't seem to have been automatically updated - if they were then wouldn't pretty much everyone be on IE10 by now?

5
1

Re: You do it, if you're so clever.

I did, until I accidentally forgot to untick the 'ask toolbar' during the install of something.

That weaves its way into your browser in so many insidious ways it's worse than most traditional spyware, I can't believe some reputable apps even associate themselves with it.

0
0
Bronze badge
FAIL

@AC

"Really, then how come so many people are still on IE 7...or 8... or 9 etc"

Either you are trolling or stupid. But seeing that you actually have 3 up votes let's try to answer your question.

- If someone is still using IE7, either these people have turned the updates off, or have declined to update for reasons one cannot fathom unless they are using (internal) sites that don't work with IE8.

- If someone is still using IE8, it's either due to the same reason IE7 is still used, or people are using Win XP.

- If someone is still using IE9, it's because IE10 is only provided for Win8, and it is not yet available for Win7.

Now, you may cry foul on the reasons MS isn't providing the latest IE versions to older Windows versions, but Microsoft is still pushing out security updates for them. The difference with Chrome is that whenever Google publishes a security update for Chrome, they actually push out a whole new version of the browser which is why Chrome is already on v23. I hope you're not one of those people who rate browsers by their version numbers.

4
1

Google has a ton of PhD-holding engineers (the most, even, iirc) so in theory he can't be more intelligent, and I suspect Google's problem isn't ignorance, it is negligence and caring more about domination than security.

1
0

Google Is Negligent W/Security

100% agree with toadwarrior, Google could easily make a much more secure product but getting it out and in consumers hands is all they care about.

Privacy and Security it seems Google customers do not give a hoot about.....hence why I am not a google customer!!!

0
1
Meh

Re: @ac 23:11

I tried Chrome for a while, but was very worried about its tendency to 'phone home' more than seemed healthy. So I tried Chromium. Open source, but it didn't do automatic updates. Now I've got instead Comodo Dragon. It does have auto updating, but seems to be more security conscious than the other two, which means it doesn't update as fast. Firefox is still my main browser mostly because I am just very familiar with it. However, sometimes stuff just doesn't render and I have to use Dragon. Of course, IE is still here, but I did upgrade to IE10 for 7 because 9 just simply didn't work at ALL on my machine for some reason.

0
0

Re: @AC

A point here. You can get IE10 for 7. It's an RC or some such, but it IS available for 7 now from MS.

0
0
Silver badge

Will Brook No Competition.

"Security outfit Webroot recently pointed out that some of the extensions in the store are illegitimate, data-sucking privacy invaders that trick users with offers to do things like change the colour of Facebook and then suck out all their data."

Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as "illegitimate".

8
2
Bronze badge
Devil

Re: Will Brook No Competition.

Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as "illegitimate".

You're reading my mind, man.

Google didn't need to recently produce a flawed browser to gain a reputation for being a malware vector or a privacy/security threat; they became untrustworthy a long friggin' time ago.

5
2
Silver badge

@Mike Flugennock: Re: Will Brook No Competition.

"'Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as 'illegitimate'".

You're reading my mind, man."

Reading your mind? Now that would be a real invasion of privacy!

1
0
Bronze badge
Happy

Re: @Mike Flugennock: Will Brook No Competition.

I knew you'd say that!

0
0
Bronze badge
Go

I'm not sure about scanning the plug-in store, could be good I guess, but didn't Firefox nix silent installs some time ago? I'm almost surprised Chrome didn't get to this earlier, it seems like common sense considering browser parasites are such a frequent problem for less technical users.

Oh well, better late than never.

3
0

They did before chrome even existed if I remember right.

0
0
Silver badge
Stop

Webroot eh?

Ahh if only they would stop spamming me.

0
0
Bronze badge
Meh

Good dog, bad master.

Google allowed this for years for sheer marketing. This is something the general Chrome user (which probably isn't you) never understood. Now, apparently after letting the "Fox in the Henhouse", they want to smolder the fox's kettle. It appears Google has enough market share now to stop using the clawed backs of their less informed users as a ladder. Good riddance I guess. It is a shame too, Chrome has a lot of nice features to it, but it still has that persistent Google feature...invasive marketing.

I get the feeling that unless Google can get something exclusive to their browser, they will remain just another player in the fragmented browser market. No matter how much of a market percentage any one player has, they are currently still just another "optional" browser. What ever happened to putting C++ in the browser? Seemed pretty exclusive, even if the idea is worrying.

1
2
Silver badge
WTF?

Re: Good dog, bad master.

Now, apparently after letting the "Fox in the Henhouse", they want to smolder the fox's kettle.

what?

4
1
Meh

Re: Good dog, bad master.

I think it's supposed to be an "analogy".

Except even the most wiliest of foxes can't operate a kettle (in my experience). Although fair play to him for successfully going through the process of buying one and plugging it in.

2
0
Bronze badge

Re: Good dog, bad master.

I let the badgers in to adjust the spin-whizzle once, that was last century and they made a real mess of sorting out the washing in the loft!

2
0
Bronze badge
Unhappy

Re: Good dog, bad master.

Oh boy. You're right that doesn't make any sense. Replace "smolder the fox's kettle" with "close the Henhouse". Sorry about that.

Merry Christmas.

0
0

Re: Good dog, bad master.

A fragmented browser market is a good thing. Besides if you write your sites correctly then it doesn't matter what browser people have.

0
0

Google: Repeating the mistakes of Microsoft

Amazing that in the 21st century, the amazing Google is still repeating the broken security philosophy of Microsoft.

Open hooks are disease vectors.

5
0
Anonymous Coward

Chrome.....

Is malware as far as I am concerned. It will be a cold day in hell before I install their spyware on any of the systems I use. I think Google are a deeply evil company.

2
6
Silver badge
Meh

Re: Chrome.....

"I think Google are a deeply evil company"

And I think Google are just out to make money.

Nobody presumably thinks that other major OS and browser vendors are not deeply committed to mining the data of their users? MS invested billions in aQuantive (an interesting fuck-up-and-write-off precedent for HP/Autonomy) to do this sort of user data mining and ad-placement, and Apple, well they wouldn't do anything like this, would they?

http://www.kdnuggets.com/jobs/12/12-01-apple-data-mining-scientist-b.html

Arguably you might have a free (or rather private) lunch if you run a selected and well set up Linux install, using selected open source applications, but that's hardly mainstream. My elderly parents couldn't run that sort of set up, and trading a bit of on-line privacy for an otherwise fairly secure browser, a decent search engine, "free" email and so forth is a good deal for them. And it's interesting that MS and Apple want you to pay for your products and pillage your data. How evil is that?

4
0
Silver badge
Unhappy

@Ledswinger

I didn't really want to upvote this - I've started to come to the realisation that Google are as evil as the next corporation, after all. But what you've said is true, and I haven't stopped using their products, in spite of their evilness.

0
0
Silver badge

What could Google get from being evil that they do not have already?

I bet 80% of the passwords for Google stuff are also used for online banking.

(Chrome is not for me, but that is because I am a Penguin with a huge choice of browsers.)

0
2
Silver badge

Re: Chrome.....

it's interesting that MS and Apple want you to pay for your products and pillage your data.

Beyond the OS itself, which data-pillaging products are you suggesting MS and Apple want you to pay for?

We were talking about the browser, I think.

Safari and IE are both free (personally, you'd have to pay me to use either of them but de gustibus...)

MS's email is free and although it has ads, they're not based on reading your email and thanks to Adblock+ I don't see them anyway. I dunno about Apple's product. MS also has those handy Office Web Apps out there for free (Office 365 is a different proposition) and a search engine.

None of this asks you for money so you'll forgive me if I'm somewhat puzzled by your comment

1
4
Meh

Re: What could Google get from being evil that they do not have already?

Why on earth would you want to run Chrome on Linux? Chromium is what you normally get....

0
0
Facepalm

"Chrome, when running on Windows, can is designed to allow unseen installs “to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application.”

“Unfortunately,” Google now says in a blog post, “this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users.”"

Wow, who'd have thought that would ever happen?

0
0
Unhappy

Maybe I didn't give Vista long enough on my desktop to become familiar enough with it

But I can't see the resemblance between that Chrome message and Vista?

1
0
Bronze badge

Re: Maybe I didn't give Vista long enough on my desktop to become familiar enough with it

I believe the similarity being pointed out was the security prompt that something is going on and requires your attention.

0
0
Bronze badge
Coat

Merry Christmas fellow commentards

"Security outfit Webroot recently pointed out that some of the extensions in the store are illegitimate, data-sucking privacy invaders"

What did they have to say about the non-Google items? :>

I like Google but that was too hard to resist.

1
0
