Google to scan Chrome extensions, bans auto-install

Google has taken two steps to prevent its Chrome browser becoming an attack vector for malware that runs as extensions to the browser. Like many other browsers, Chrome allows users to install “extensions”, apps that add functionality. Google even runs the “Chrome Web Store” to promote extensions. Security outfit Webroot …

COMMENTS

This topic is closed for new posts.
  1. nuked
    Facepalm

    Shame when your main selling-point turns out to be a massive pile of steaming fail...

    1. Old Handle

      Not sure what you're referring to specifically.

      Did Chrome claim to be immune to nasty plug-ins or something?

      1. Anonymous Coward

        Yep, Good to be OPEN

    2. LarsG

      After all the 'this is the fastest most secure browser ever'........

      Thankfully I don't use it.

    3. Anonymous Coward

      How long was I being f***ed by this browser before they found out about this?

      Should have stuck with IE at least they've been honest with their vulnerabilities.

      1. Amorous Cowherder
        Facepalm

        @AC 11:23

        "Should have stuck with IE at least they've been honest with their vulnerabilities."

        LOL! Ha ha ha! ROFL! Ha ha! Oh Jesus, stop it, oh dear Lord, before my sides give way!

      2. fmaxwell
        Unhappy

        "Thankfully I don't use it."

        Sadly for the rest of us, you do use a browser.

    4. hplasm Silver badge
      Windows

      Dur-

      The posts about Surface are that-a-way...

  2. Steve Crook
    Facepalm

    OMG!!!!

    Someone exploits browser plugins loophole? Well, I never saw that coming. It was just so unexpected I can see why the Google overlords haven't put this protection in until now...

  3. Anonymous Coward

    malware-ridden quagmire

    good description of the internet.

    1. James O'Brien
      Thumb Up

      Re: malware-ridden quagmire

      After a recent marathon of watching Family Guy the only thing that came to mind off that title was Quagmire standing at a toilet talking about it burning when he takes a leak....

  4. Anonymous Coward

    Talk about closing the stable door after the horse has bolted.

    Google really are the new Microsoft. Releasing poorly secured "powerful" products and then retrospectively having to try to fix the security problem without breaking too much or annoying users (next to impossible).

    Try and design a good secure product from day one please.

    1. Joseph Lord

      @ac 23:11

      I'm really not a Google fan as you'll see if you look at my other comments but I think you are being really unfair. Chrome did advance the state of browser security with automatic updates and not relying on Adobe for Flash fixes. This seems to be reducing a threat that occurs when software has already run as the local user on the PC.

      1. Sandtitz Silver badge

        @Joseph Lord

        I think you will find that when Chrome was debuted, Microsoft had been providing automatic updates to IE for a decade or so already.

        Not that IE is/was any good browser, but credit where credit is due.

        1. Anonymous Coward

          Re: @Joseph Lord

          "Microsoft had been providing automatic updates to IE for a decade or so already."

          Really, then how come so many people are still on IE 7...or 8... or 9 etc

          They don't seem to have been automatically updated - if they were then wouldn't pretty much everyone be on IE10 by now?

          1. Sandtitz Silver badge
            FAIL

            @AC

            "Really, then how come so many people are still on IE 7...or 8... or 9 etc"

            Either you are trolling or stupid. But seeing that you actually have 3 up votes let's try to answer your question.

            - If someone is still using IE7, either these people have turned the updates off, or have declined to update for reasons one cannot fathom unless they are using (internal) sites that don't work with IE8.

            - If someone is still using IE8, it's either due to the same reason IE7 is still used, or people are using Win XP.

            - If someone is still using IE9, it's because IE10 is only provided for Win8, and it is not yet available for Win7.

            Now, you may cry foul on the reasons MS isn't providing the latest IE versions to older Windows versions, but Microsoft is still pushing out security updates for them. The difference with Chrome is that whenever Google publishes a security update for Chrome, they actually push out a whole new version of the browser which is why Chrome is already on v23. I hope you're not one of those people who rate browsers by their version numbers.

            1. beep54

              Re: @AC

              A point here. You can get IE10 for 7. It's an RC or some such, but it IS available for 7 now from MS.

      2. beep54
        Meh

        Re: @ac 23:11

        I tried Chrome for a while, but was very worried about its tendency to 'phone home' more than seemed healthy. So I tried Chromium. Open source, but it didn't do automatic updates. Now I've got instead Comodo Dragon. It does have auto updating, but seems to be more security conscious than the other two, which means it doesn't update as fast. Firefox is still my main browser mostly because I am just very familiar with it. However, sometimes stuff just doesn't render and I have to use Dragon. Of course, IE is still here, but I did upgrade to IE10 for 7 because 9 just simply didn't work at ALL on my machine for some reason.

    2. dogged
      Trollface

      "Try and design a good secure product from day one please."

      You do it, if you're so clever.

      1. Chika

        You do it, if you're so clever.

        Very true. One problem that always crops up is that when you leave a door open to help somebody, it is only a matter of time before somebody else uses it to steal the crap that lies inside.

        I've never been a fan of total automation myself because of situations like this one. If anything, it's one reason why I have avoided Chrome up until now, though I'm not completely happy with Firefox's setup either. But the feature was there with the best of intentions. Coding is often a thankless task.

        I might not like Google a whole lot right now, but I can see why they are doing this. If anything, it saves them from a bigger problem later on.

        1. nematoad Silver badge

          Re: You do it, if you're so clever.

          "I've never been a fan of total automation myself because of situations like this one."

          Neither am I, nor will most readers of El Reg. But we are not in the majority of people using these sort of applications. We know, more or less, what's going on and are very wary of going onto the internet without having any control.

          The majority of people don't think of their browser as a computing related thing, to them it's just the way they get to Facebook, read e-mails and so on. To them these things are just appliances, switch on and go. After all, you can just turn on the television or oven and it does it all for you, no dialogs asking you for permission to do something.

          Given the power and threat of the internet; after all using a washing machine will probably not mean that you have money taken from your bank account, Google should be held to account for such goofs as silent auto-install. But looking at reports Chrome is very popular, I just wonder, given Google's propensity for data skimming, whether it is as popular with the readers of El Reg, for the reason set out above.

        2. Russ Tarbox
          WTF?

          Re: You do it, if you're so clever.

          You consider Firefox more secure than Chrome? And less likely to have toolbars/addons/crapware added?

          1. RetroTom

            Re: You do it, if you're so clever.

            I did, until I accidentally forgot to untick the 'ask toolbar' during the install of something.

            That weaves its way into your browser in so many insidious ways it's worse than most traditional spyware, I can't believe some reputable apps even associate themselves with it.

      2. toadwarrior

        Google has a ton of PhD-holding engineers (the most even iirc) so in theory he can't be more intelligent and I suspect google's problem isn't ignorance, it is negligence and caring more about domination than security.

        1. The_Regulator

          Google Is Negligent W/Security

          100% agree with toadwarrior, Google could easily make a much more secure product but getting it out and in consumers hands is all they care about.

          Privacy and Security it seems Google customers do not give a hoot about.....hence why I am not a google customer!!!

    3. Anonymous Coward

      Not really, make it auto-everything then when you have lots of people using it, then you start cleaning up your act once they're on board and using it.

      Page 1 in Marketing 101 for Dummies. Get the suckers in the door with the offer of a free toy/sweetie then once they're inside, tell them the sweeties have all gone but there's Sprout Soup that tastes like sweeties if they want some?

  5. Turtle

    Will Brook No Competition.

    "Security outfit Webroot recently pointed out that some of the extensions in the store are illegitimate, data-sucking privacy invaders that trick users with offers to do things like change the colour of Facebook and then suck out all their data."

    Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as "illegitimate".

    1. Mike Flugennock
      Devil

      Re: Will Brook No Competition.

      "Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as "illegitimate"."

      You're reading my mind, man.

      Google didn't need to recently produce a flawed browser to gain a reputation for being a malware vector or a privacy/security threat; they became untrustworthy a long friggin' time ago.

      1. Turtle

        @Mike Flugennock: Re: Will Brook No Competition.

        "'Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as 'illegitimate'".

        You're reading my mind, man."

        Reading your mind? Now that would be a real invasion of privacy!

        1. Chika
          Happy

          Re: @Mike Flugennock: Will Brook No Competition.

          I knew you'd say that!

  6. Old Handle
    Go

    I'm not sure about scanning the plug-in store, could be good I guess, but didn't Firefox nix silent installs some time ago? I'm almost surprised Chrome didn't get to this earlier, it seems like common sense considering browser parasites are such a frequent problem for less technical users.

    Oh well, better late than never.

    1. toadwarrior

      They did before chrome even existed if I remember right.

  7. Winkypop Silver badge
    Stop

    Webroot eh?

    Ahh if only they would stop spamming me.

  8. Anonymous Coward
    Meh

    Good dog, bad master.

    Google allowed this for years for sheer marketing. This is something the general Chrome user (which probably isn't you) never understood. Now, apparently after letting the "Fox in the Henhouse", they want to smolder the fox's kettle. It appears Google has enough market share now to stop using the clawed backs of their less informed users as a ladder. Good riddance I guess. It is a shame too, Chrome has a lot of nice features to it, but it still has that persistent Google feature...invasive marketing.

    I get the feeling that unless Google can get something exclusive to their browser, they will remain just another player in the fragmented browser market. No matter how much of a market percentage any one player has, they are currently still just another "optional" browser. What ever happened to putting C++ in the browser? Seemed pretty exclusive, even if the idea is worrying.

    1. dogged
      WTF?

      Re: Good dog, bad master.

      "Now, apparently after letting the "Fox in the Henhouse", they want to smolder the fox's kettle."

      what?

      1. Robin
        Meh

        Re: Good dog, bad master.

        I think it's supposed to be an "analogy".

        Except even the most wiliest of foxes can't operate a kettle (in my experience). Although fair play to him for successfully going through the process of buying one and plugging it in.

      2. Amorous Cowherder

        Re: Good dog, bad master.

        I let the badgers in to adjust the spin-whizzle once, that was last century and they made a real mess of sorting out the washing in the loft!

      3. Anonymous Coward
        Unhappy

        Re: Good dog, bad master.

        Oh boy. You're right that doesn't make any sense. Replace "smolder the fox's kettle" with "close the Henhouse". Sorry about that.

        Merry Christmas.

    2. toadwarrior

      Re: Good dog, bad master.

      A fragmented browser market is a good thing. Besides if you write your sites correctly then it doesn't matter what browser people have.

  9. William Donelson

    Google: Repeating the mistakes of Microsoft

    Amazing that in the 21st century, the amazing Google is still repeating the broken security philosophy of Microsoft.

    Open hooks are disease vectors.

  10. Anonymous Coward

    Chrome.....

    Is malware as far as I am concerned. It will be a cold day in hell before I install their spyware on any of the systems I use. I think Google are a deeply evil company.

    1. Ledswinger Silver badge
      Meh

      Re: Chrome.....

      "I think Google are a deeply evil company"

      And I think Google are just out to make money.

      Nobody presumably thinks that other major OS and browser vendors are not deeply committed to mining the data of their users? MS invested billions in aQuantive (an interesting fuck-up-and-write-off precedent for HP/Autonomy) to do this sort of user data mining and ad-placement, and Apple, well they wouldn't do anything like this, would they?

      http://www.kdnuggets.com/jobs/12/12-01-apple-data-mining-scientist-b.html

      Arguably you might have a free (or rather private) lunch if you run a selected and well set up Linux install, using selected open source applications, but that's hardly mainstream. My elderly parents couldn't run that sort of set up, and trading a bit of on-line privacy for an otherwise fairly secure browser, a decent search engine, "free" email and so forth is a good deal for them. And it's interesting that MS and Apple want you to pay for your products and pillage your data. How evil is that?

      1. Lamont Cranston
        Unhappy

        @Ledswinger

        I didn't really want to upvote this - I've started to come to the realisation that Google are as evil as the next corporation, after all. But what you've said is true, and I haven't stopped using their products, in spite of their evilness.

      2. dogged

        Re: Chrome.....

        "it's interesting that MS and Apple want you to pay for your products and pillage your data."

        Beyond the OS itself, which data-pillaging products are you suggesting MS and Apple want you to pay for?

        We were talking about the browser, I think.

        Safari and IE are both free (personally, you'd have to pay me to use either of them but de gustibus...)

        MS's email is free and although it has ads, they're not based on reading your email and thanks to Adblock+ I don't see them anyway. I dunno about Apple's product. MS also has those handy Office Web Apps out there for free (Office 365 is a different proposition) and a search engine.

        None of this asks you for money so you'll forgive me if I'm somewhat puzzled by your comment

    2. Flocke Kroes Silver badge

      What could Google get from being evil that they do not have already?

      I bet 80% of the passwords for Google stuff are also used for online banking.

      (Chrome is not for me, but that is because I am a Penguin with a huge choice of browsers.)

      1. beep54
        Meh

        Re: What could Google get from being evil that they do not have already?

        Why on earth would you want to run Chrome on Linux? Chromium is what you normally get....

  11. MrWibble
    Facepalm

    "Chrome, when running on Windows, can is designed to allow unseen installs “to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application.”

    “Unfortunately,” Google now says in a blog post, “this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users.”"

    Wow, who'd have thought that would ever happen?

  12. Russ Tarbox
    Unhappy

    Maybe I didn't give Vista long enough on my desktop to become familiar enough with it

    But I can't see the resemblance between that Chrome message and Vista?

    1. PaulR79

      Re: Maybe I didn't give Vista long enough on my desktop to become familiar enough with it

      I believe the similarity being pointed out was the security prompt that something is going on and requires your attention.

  13. PaulR79
    Coat

    Merry Christmas fellow commentards

    "Security outfit Webroot recently pointed out that some of the extensions in the store are illegitimate, data-sucking privacy invaders"

    What did they have to say about the non-Google items? :>

    I like Google but that was too hard to resist.

  14. pigor

    Better late than never

    At least they are doing something to close (decrease) a huge security hole in their browser.

    "Decrease" is a better word because in every "appstore" there will always be a good number of malicious apps, and reviewers, whenever they exist, cannot catch them all.

    Unless the developers give away their source code for full inspection, it will never be possible to prevent malicious apps 100%.

    However I cannot understand why they don't implement a "revoke" mechanism to forcibly uninstall malicious apps/extensions from the users' system.

    Other systems have this feature (even if never used) and I don't understand why it isn't implemented for extensions in browsers as well as on iOS and Android.

  15. RonWheeler

    Question...

    Will my extension installation choice (i.e. the Y/N status) follow me across the 3 computers I use that have Chrome installed and sync enabled?

    Annoying but inevitable I suppose. The irritating extension autoupdate cycle on Firefox was one of the reasons I moved to Chrome, naive of me as it might be.

  16. Anonymous Coward

    Google Chrome and Toolbar must be the most prolific spamware out there (apart maybe from Ask). I have it trying to weasel itself onto one of my computers at least once a week as a payload of something else (from google earf to a simple editor).

    Most of the time it tries to install itself in the 'default install' of whatever you're trying to access and you have to do a custom install to get shot of it.

    I don't care how good it is, it annoys me no end and I will not use it !

    1. DryBones

      I'm not sure about Google Toolbar, I don't use any of those as they take up screen space that I'd rather use for what the hell I'm trying to read. Chrome's just fine, though. I imagine the real determining factor is how cleanly and easily the stuff uninstalls.

      I will agree that they really ought to see about dropping some of that bundling incentive stuff. They're not helping by using a similar MO to crapware.

  17. Aoyagi Aichou

    omg onoez

    Malware driven "apps" in my spyware driven browser? Unforgivable. Gruesome. Dreadful!

  18. richard 7

    could they also please

    Stop bundling chrome with every bloody thing. At least once a week I have to remove it from a customer's machine, then spend five mins removing all the carp it left behind and then finally sorting out all the file associations chrome broke on its way out the door.

  19. toadwarrior
    Thumb Down

    I left chrome ages ago. It's too restrictive like the dumb home page tabs that enforce a maximum for no good reason. It's not that stable. I've had more "sad face" tabs in chrome than any other browser and it handles broken HTML in a dumb way that can eat up loads of memory. That and any browser security test puts it near IE for vulnerabilities. All this on top of it spying on me. Screw that, I'll stick to Firefox and leave chrome for the hipsters who are happy to recreate the IE6 problems all over again in a new browser.

  20. Fatman

    RE: as responsible enhancements that show, yet again, Google is doing the world a favour.

    Yes, Google, please do the world a favor, and eliminate Microsoft from the IT industry.
