
Shame when your main selling-point turns out to be a massive pile of steaming fail...
Google has taken two steps to prevent its Chrome browser becoming an attack vector for malware that runs as extensions to the browser. Like many other browsers, Chrome allows users to install “extensions”, apps that add functionality. Google even runs the “Chrome Web Store” to promote extensions. Security outfit Webroot …
Talk about closing the stable door after the horse has bolted.
Google really are the new Microsoft. Releasing poorly secured "powerful" products and then retrospectively having to try to fix the security problem without breaking too much or annoying users (next to impossible).
Try and design a good secure product from day one please.
I'm really not a Google fan as you'll see if you look at my other comments but I think you are being really unfair. Chrome did advance the state of browser security with automatic updates and not relying on Adobe for Flash fixes. This seems to be reducing a threat that occurs when software has already run as the local user on the PC.
"Really, then how come so many people are still on IE 7...or 8... or 9 etc"
Either you are trolling or stupid. But seeing that you actually have 3 up votes let's try to answer your question.
- If someone is still using IE7, either these people have turned the updates off, or have declined to update for reasons one cannot fathom unless they are using (internal) sites that don't work with IE8.
- If someone is still using IE8, it's either due to the same reason IE7 is still used, or people are using Win XP.
- If someone is still using IE9, it's because IE10 is only provided for Win8, and it is not yet available for Win7.
Now, you may cry foul on the reasons MS isn't providing the latest IE versions to older Windows versions, but Microsoft is still pushing out security updates for them. The difference with Chrome is that whenever Google publishes a security update for Chrome, they actually push out a whole new version of the browser which is why Chrome is already on v23. I hope you're not one of those people who rate browsers by their version numbers.
I tried Chrome for a while, but was very worried about its tendency to 'phone home' more than seemed healthy. So I tried Chromium. Open source, but it didn't do automatic updates. Now I've got instead Comodo Dragon. It does have auto updating, but seems to be more security conscious than the other two, which means it doesn't update as fast. Firefox is still my main browser mostly because I am just very familiar with it. However, sometimes stuff just doesn't render and I have to use Dragon. Of course, IE is still here, but I did upgrade to IE10 for 7 because 9 just simply didn't work at ALL on my machine for some reason.
Very true. One problem that always crops up is that when you leave a door open to help somebody, it is only a matter of time before somebody else uses it to steal the crap that lies inside.
I've never been a fan of total automation myself because of situations like this one. If anything, it's one reason why I have avoided Chrome up until now, though I'm not completely happy with Firefox's setup either. But the feature was there with the best of intentions. Coding is often a thankless task.
I might not like Google a whole lot right now, but I can see why they are doing this. If anything, it saves them from a bigger problem later on.
"I've never been a fan of total automation myself because of situations like this one."
Neither am I, nor will most readers of El Reg. But we are not in the majority of people using these sort of applications. We know, more or less, what's going on and are very wary of going onto the internet without having any control.
The majority of people don't think of their browser as a computing related thing, to them it's just the way they get to Facebook, read e-mails and so on. To them these things are just appliances, switch on and go. After all, you can just turn on the television or oven and it does it all for you, no dialogs asking you for permission to do something.
Given the power and threat of the internet; after all using a washing machine will probably not mean that you have money taken from your bank account, Google should be held to account for such goofs as silent auto-install. But looking at reports Chrome is very popular, I just wonder, given Google's propensity for data skimming, whether it is as popular with the readers of El Reg, for the reason set out above.
I did, until I accidentally forgot to untick the 'ask toolbar' during the install of something.
That weaves its way into your browser in so many insidious ways it's worse than most traditional spyware, I can't believe some reputable apps even associate themselves with it.
Not really, make it auto-everything then when you have lots of people using it, then you start cleaning up your act once they're on board and using it.
Page 1 in Marketing 101 for Dummies. Get the suckers in the door with the offer of a free toy/sweetie then once they're inside, tell them the sweeties have all gone but there's Sprout Soup that tastes like sweeties if they want some?
"Security outfit Webroot recently pointed out that some of the extensions in the store are illegitimate, data-sucking privacy invaders that trick users with offers to do things like change the colour of Facebook and then suck out all their data."
Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as "illegitimate".
Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as "illegitimate".
You're reading my mind, man.
Google didn't need to recently produce a flawed browser to gain a reputation for being a malware vector or a privacy/security threat; they became untrustworthy a long friggin' time ago.
"'Evidently, data-sucking invasions of privacy fall within the purview, and are the right, of Google solely; data-sucking invasions of privacy, when done by any other party, can, apparently, only be described as 'illegitimate'".
You're reading my mind, man."
Reading your mind? Now that would be a real invasion of privacy!
I'm not sure about scanning the plug-in store, could be good I guess, but didn't Firefox nix silent installs some time ago? I'm almost surprised Chrome didn't get to this earlier, it seems like common sense considering browser parasites are such a frequent problem for less technical users.
Oh well, better late than never.
Google allowed this for years for sheer marketing. This is something the general Chrome user (which probably isn't you) never understood. Now, apparently after letting the "Fox in the Henhouse", they want to smolder the fox's kettle. It appears Google has enough market share now to stop using the clawed backs of their less informed users as a ladder. Good riddance I guess. It is a shame too, Chrome has a lot of nice features to it, but it still has that persistent Google feature...invasive marketing.
I get the feeling that unless Google can get something exclusive to their browser, they will remain just another player in the fragmented browser market. No matter how much of a market percentage any one player has, they are currently still just another "optional" browser. What ever happened to putting C++ in the browser? Seemed pretty exclusive, even if the idea is worrying.
"I think Google are a deeply evil company"
And I think Google are just out to make money.
Nobody presumably thinks that other major OS and browser vendors are not deeply committed to mining the data of their users? MS invested billions in aQuantive (an interesting fuck-up-and-write-off precedent for HP/Autonomy) to do this sort of user data mining and ad-placement, and Apple, well they wouldn't do anything like this, would they?
http://www.kdnuggets.com/jobs/12/12-01-apple-data-mining-scientist-b.html
Arguably you might have a free (or rather private) lunch if you run a selected and well set up Linux install, using selected open source applications, but that's hardly mainstream. My elderly parents couldn't run that sort of set up, and trading a bit of on-line privacy for an otherwise fairly secure browser, a decent search engine, "free" email and so forth is a good deal for them. And it's interesting that MS and Apple want you to pay for your products and pillage your data. How evil is that?
it's interesting that MS and Apple want you to pay for your products and pillage your data.
Beyond the OS itself, which data-pillaging products are you suggesting MS and Apple want you to pay for?
We were talking about the browser, I think.
Safari and IE are both free (personally, you'd have to pay me to use either of them but de gustibus...)
MS's email is free and although it has ads, they're not based on reading your email and thanks to Adblock+ I don't see them anyway. I dunno about Apple's product. MS also has those handy Office Web Apps out there for free (Office 365 is a different proposition) and a search engine.
None of this asks you for money so you'll forgive me if I'm somewhat puzzled by your comment.
"Chrome, when running on Windows, is designed to allow unseen installs “to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application.”
“Unfortunately,” Google now says in a blog post, “this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users.”"
Wow, who'd have thought that would ever happen?
At least they are doing something to close (decrease) a huge security hole in their browser.
"Decrease" is a better word because in every "appstore" there will always be a good number of malicious apps, and reviewers whenever they exist cannot catch them all.
Unless the developers give away their source code for full inspection, it will never be possible to prevent malicious apps 100%.
However I cannot understand why they don't implement a "revoke" mechanism to forcibly uninstall malicious apps/extensions from the users' system.
Other systems have this feature (even if never used) and I don't understand why it isn't implemented for extensions in browsers as well as on iOS and Android.
Will my extension installation choice (i.e. the Y/N status) follow me across the 3 computers I use that have Chrome installed and sync enabled?
Annoying but inevitable I suppose. The irritating extension autoupdate cycle on Firefox was one of the reasons I moved to Chrome, naive of me as it might be.
Google Chrome and Toolbar must be the most prolific spamware out there (apart maybe from Ask). I have it trying to weasel itself onto one of my computers at least once a week as a payload of something else (from google earf to a simple editor).
Most of the time it tries to install itself in the 'default install' of whatever you're trying to access and you have to do a custom install to get shot of it.
I don't care how good it is, it annoys me no end and I will not use it!
I'm not sure about Google Toolbar, I don't use any of those as they take up screen space that I'd rather use for what the hell I'm trying to read. Chrome's just fine, though. I imagine the real determining factor is how cleanly and easily the stuff uninstalls.
I will agree that they really ought to see about dropping some of that bundling incentive stuff. They're not helping by using a similar MO to crapware.
I left chrome ages ago. It's too restrictive like the dumb home page tabs that enforce a maximum for no good reason. It's not that stable. I've had more "sad face" tabs in chrome than any other browser and it handles broken HTML in a dumb way that can eat up loads of memory. That and any browser security test puts it near IE for vulnerabilities. All this on top of it spying on me. Screw that, I'll stick to Firefox and leave chrome for the hipsters who are happy to recreate the IE6 problems all over again in a new browser.