Feature creep?
Or layered protection?
Maybe a little of both.
Since I don't use windows it doesn't really impact me, but I will probably keep recommending for non-technical people to use chrome.
I hate cleaning up after virus infections.
In its ongoing effort to improve browser security, school Microsoft on security, and retain its search audience, Google is today rolling out several Chrome for Windows fortifications. The search biz has modded Chrome for Windows to detect when extensions switch people's Chrome settings, such as the default search engine, …
Why would Chrome have the privileges required to remove software?
Doesn't that require "root" (or whatever it's called on Windows)?
Do people run Chrome with root privileges?
Or by "software" do they mean just user-installed Chrome plugins?
[Seriously, I don't use Windows and am really asking this.]
"Our engine scans for and cleans potentially harmful applications, specifically the types that negatively impact or target the Chrome browsing experience,"
One, most users default to operating windows as administrator (root). Second, I am guessing they are going after scripts and other memory resident stuff along with user settings.
Many are surprised as to how much a good(?) piece of malware can do to a Windows box.The fact that someone is making cash by selling web camera covers should speak volumes.
It's not Chrome that is at fault as it does not ask for root privileges on Linux. Bloat has long been known for its poor security design and the necessity to run escalated privileges for idiotic reasons. Plus many installs of Bloat did force one to make and use a user account. So many users are using the admin account, whether intentional or not, which leaves the box in the worst possible security posture.
There's no reason Chrome, or any other web browser, would run as admin on Windows.
And - surprise, surprise - it doesn't.
Things like installers/updaters will obviously need admin access if you install it in a non-user-writable directory, however.
If comparing the security and what is/isn't done with admin privileges on a system, you shouldn't forget that on *ix any account that regularly elevates to root (su/sudo/etc) is essentially equivalent to a root account. An attacker can just have the shell run his password logger instead. Or pop up a dialog box identical to the real one if it's a graphical application asking for it. Or keylog the X server with an invisible window. Or use one of the other 30 year old tricks.
su/sudo is there to stop accidents, not attacks. (And provide accountability in some settings)
None of this is possible on Windows, by the way, since it actually has a secure mechanism for elevation. Provided that you run with an actual non-admin account and not vanilla UAC - the latter offers about as much of a security barrier as su/sudo (minimal to none).
I think the whole point is to install applications in Program Files to protect the rest of the computer. Installing an application in the user's profile is asking for trouble.
For some, UAC is just a reminder that something wants to install or update. ie Why is this box popping up if I didn't initiate it.
Yup. Which will need admin for the actual installation and subsequent updating, but not running it.
Regarding UAC in Admin Approval Mode ("click yes to allow changes") - it's pretty easy to bypass in a silent way (or used to be, atleast) and not considered a real security boundary, unless the application has explicitly dropped the administrator token (web browser sandboxes and such).
The main purpose is actually (if unofficially) to force/shame software makers into minimizing the operations that need admin privileges, essentially by annoying the user each time.
Which has actually worked out really well - running a Windows system as non-admin (with password/smartcard required for elevation) today is painless. Shame this setup isn't the default yet.
But even when logged in as an admin you get asked to elevate privileges every time you want to add or remove software. It doesn't just allow anything to happen without a prompt. A bit like the prompt to allow SUDO on Linux.
I think this relates to unwanted software running in the browser not in the OS anyway. Might be wrong. Its early - still on my first coffee.
>A bit like the prompt to allow SUDO on Linux.
beg to differ. UAC's not at all like sudo on mac or linux.
first, Windows prompts for elevation waaay more often. open ODBC including user sources - there you are: UAC. not to write, mind you, just to view. see "crying wolf".
second, it doesn't actually ask you for anything like your password. so, if you're in a hurry and not paying attention and you react too quickly by pressing "Enter" => :-(
MS is the king of pseudo-sec, like still prompting you to allow running macros on-your-own-effing Office docs, authored by you, in your own directories. yet,hardly a month goes by wo some Office sec blunders.
or Powershell scripting permissions, where you can't apparently trust the code you_ wrote yourself_ by default. unless you - alarm bells - loosen up.
sorry, while I am generally critical of MS, I can see some good points to some of what they do. Their nagware approach to sec, forcing you the user to constantly look after what should be open and shut system boundaries, is one of their most annoying traits however.
Since Windows 7 first arrived, I have been running as normal user on all my Windows clients. Elevation requires actually entering a password, not clicking 'Yes'.
This is the proper setup by the way (shame it's not the default) - together with UIPI it actually means there's a hard boundary between normal user and admin privileges (unlike UAC in Admin Approval 'click yes' mode, or su/sudo).
I can't even recall last time I got the elevation prompt for something that shouldn't actually require admin. And I run lots of weird third-party software.
I skipped Vista though, which was probably a wise decision considering how annoying it seems to have been...
May I suggest filing a bug report with the relevant party if you actually encounter something requiring admin when it shouldn't? And/or checking your local configuration since you might be the one who screwed up.
But even when logged in as an admin you get asked to elevate privileges every time you want to add or remove software. It doesn't just allow anything to happen without a prompt. A bit like the prompt to allow SUDO on Linux.
Not quite.. At least when I last used Windows, the prompt would come up with a simple yes/no option. Vista was bad as it did it a lot. And users just clicked on "make the thing go away", most commonly "yes".
It's also possible to turn it off easily.
I've also seen "Doing this requires administrator privileges. Click here to get admin privileges" or something like that.
sudo, however, requires a password - at least for the first time in a given shell for a few minutes (maybe 5 minutes, not sure how long TBH). While there are ways to turn it off, I suspect very few people would.
HTH
@big_D The way I read it, it doesn't scan Windows per se, it is just scanning the Chrome environment and removing dodgy plug-ins.
Given one of the main infection vectors is the browser either visiting malicious websites or accidentally downloading compromised scripts, I would assume that Google with Chrome are doing similar to what Yandex are doing with the Agnitum security suite, namely improving the security within the browser by incorporating features that, currently are provided by freestanding third-party security suite/products such as Kaspersky and MalwareBytes Anti Exploit, or browser plug-ins/extensions such as NoScript, uMatrix.
What is different (currently) is that Yandex took out Agnitum totally, so they now only produce the security extensions for Yandex products - so bye bye Outpost Firewall and Security Suite. Whereas Google have jus ensured that ESET's browser security technologies are tightly integrated into Chrome.
I am trying to think of an event where a fully patched Windows 7/8/10 machine, running AV was successfully attacked - even with the user logging in as local admin.
Do both parties constantly update their software with security patches? Yes. In fact the last two years has seen Apple releasing the most number of security patches.
I wouldn't read too much into this.
Microsoft's security is much better than it was 15 years ago, but a decent security researcher can still crack one fairly easily even if it's up to date and running an antivirus.
Though the maker of Android passing comment on someone else's OS security is a bit rich.
Would compare desktop to desktop. ChromeOS has NOT been hacked as far as I am aware. If we look at Pawned 2017 this year Edge was basically hacked at wil. Penetrated over and over again. Only browser unhackable in the time allotted was Chrome.
"Microsoft Edge: Most Hacked Browser At Pwn2Own 2017"
http://www.tomshardware.com/news/pwn2own-2017-microsoft-edge-hacked,33940.html
ChromeOS is based on Linux. Linux boxes are hacked regularly. I assume ChromeOS is somewhat hardened/stripped down, but still. Any lack of reports of ChromeOS getting compromised is because of its small market share and lack of juicy targets running it, not some fundamental non-hackability.
If that was true, then all "decent security researchers" (with morals loose enough to sell the work instead of reporting it) would get several hundred grand richer regularly, since that's the selling price for a complete browser + kernel 0day exploit chain for Windows 10.
It's not unbreakable by any means (no general purpose OS or complex application is), but the price tag should give you an idea of the level of effort involved and how rare that type of discoveries are.
So a company that scans everything you search for and view on the web and emails that go through their systems then uses that information to target advertising at you on some kind of weird stalker like way and is responsible for an OS that has the least effective updating mechanism (relies on third parties to validate and distribute, if they can be bothered), and circumvented the security of other software manufactures in order to get their software on to those systems (Chrome and Google earth install in to the users profile rather than program files if you don't have admin rights) and allows any one to write a program to run in that browser, is trying to use FUD to destroy another company tell them they are not doing security right.
People in glass houses throwing stones.
Personally I find Chrome an unpleasant experience and Google a far cry from their do no evil roots. As a company they are worse than Microsoft was at its worst.
People in glass houses throwing stones.
Out of both companies, the resident of the glass house is most certainly the user. Whether nosey strangers can just peer in or actually poke at you with a sharp stick, the 'benefactor' of the domicile (whether paid or not) can most certainly check out your nethers....
apple, Facebook, Microsoft, Yahoo
Well, obviously, although Microsoft and Google were singled out in the comment.
Who uses 'Yahoo'? Aren't they dead yet?
As to disconnecting, with gov offices all closing and going online only (and poorly), that option is fast disappearing.
"Microsoft Edge gets pwned, Google Chrome is “unhackable”"
https://mybroadband.co.za/news/security/203804-microsoft-edge-gets-pwned-google-chrome-is-unhackable.html
Would not touch Edge until MS fixes. Use Chrome or really anything and be far better off.
Would not touch Edge until MS fixes.
Please understand that Edge was developed in cooperation with Adobe ... so every patch introduces new remote privilege escalations by the dozen.
Adobe have managed the incredible with Flash .... more vulnerabilities than lines of code!
The difference is that I have trust in that Microsoft doesn't abuse the information they have about me. I don't have that trust in Google.
I am fully aware that Microsoft know pretty much everything about me. I sign into my computer with a Microsoft Account, everything gets sync to OneDrive etc etc etc, and I have no problem with that. I trust Microsoft with my data.
I don't have the same trust in Google and i don't want them near my files and my personal information.
Why do you feel you can trust Microsoft with that information? The old pre Windows 10 Microsoft, sure, they were only interested in selling you stuff not selling you. Now they're interested in selling you too, just like Google.
That said, if forced to choose I would much rather give my personal information to Microsoft than to Google. One, because Google already has a massive storehouse of data they can cross-correlate it to. Two, because Microsoft's general bumbling and incompetence means they do evil far less efficiently than Google does these days.
I have sync'ed my digital life with Microsoft servers since ... well forever almost. Since my first hotmail account 15 - 20 years ago, and I have never felt that info has been used to other activities than what I expected and I trust them in that whatever I tell them stays between me and them.
I still trust them to do that but are aware that there is a pre and post Windows 10 Microsoft as you call it. I have limit Windows 10 in what it transmit to Microsoft. I run with lowest (basic) diagnostic settings, have disabled "the keylogger" (the setting that transmit what i type and say to Microsoft) because that it too creepy for me and adjusted a few other privacy settings.
Yes, i trust that I have an agreement with Microsoft in regards to respecting my privacy and that they will not disclose my information with third parties and / or departments inside Microsoft, that have no relevance to me.
Google, being an advertisement agency, can never gain that trust simply because their business model is what it is.
@ ToFab You trust M$ yet in their own T&C they say if they find anything on your machine they don't like they'll report it to the authorities. And do you really believe they won't sell the stuff they take from your computer? How else are they going to make money from slurping? You win the prize of the most gullible person I've seen on this site.
I am not that naive King Jack that I don't think they wouldn't hesitate for a second to hand over my details to law enforcement agencies that present to them the correct, legal paper work. That is not a secret that they all do that. Microsoft, Google, Facebook, all of them. There are no secret online. We all know about Snowden.
My world if fairly innocent in this regard. I doubt my data contain information that would be of interest to anyone besides myself .
The trust I have in Microsoft is that they will only hand over my data if presented with the required legal paper and if not, they will fight for my privacy, just like they currently are fighting the US government in the supreme court case where the data is placed outside US. I am fully aware that the US government could just had filed the legal paper work in Ireland instead of the US and they would have had that data they now are court battling about long time ago, because Microsoft would have handed it over ... like they have done thousands of times before.
But this is not me. i am not a drug dealer that has secret information I have to hide from law enforcement agencies. If I was I would stay far away from anything closed source (and stay away from computers in the first place, because computers cannot be trusted), but I am not. I am a regular person with nothing to hide, but the content of my emails, my document, my pictures, my stuff is no body's business what they contain.
I trust Microsoft to try to protect that information from leaking as best as they can and i have choosen Microsoft because it is not part of their business plan to profit from the content of my data.
I like the convenience that comes with storing my data on a cloud service and my options are Microsoft, Google or Apple and out of those three I have most faith that my personal information stay private if I place them on Microsoft Servers.
Then its up to me to live a life that doesn't cause the police to file the paper work and get access to it all.
@ToFab
You do not understand the issue, at all.
Law enforcement agencies like FBI requesting access to your data need a court order.
NSA can access any data anywhere, no questions asked.
Microsoft, like Google or Facebook is harvesting data. Google and Facebook use it for advertising, MS does not have an advertising business, so to speak of, anyway, so they must be monetizing that data in other ways ...
I am a regular person with nothing to hide, but the content of my emails, my document, my pictures, my stuff is no body's business what they contain.
Imagine you live in the US and are not a Trump supporter, that you would need to hide from the Trump administration.
I do not exactly know what MS siphons, I do know they siphon all your searches, apps/programs you open (with file names) and will siphon my emails, my document, my pictures (as you put it) should they be opened while a Microsoft product crashes, like, outlook, word, "photos" (the app) ....
You could put them on OneDrive, then you can be 100% sure they will be looked at, especially photos and videos ... they have entire hordes of proles going through OneDrive data (including corporate accounts) to look for illicit content. Oh, and, before you ask, the NSA is more than happy to provide US companies with intelligence on their foreign competitors ... GCHQ is more than happy to provide NSA with data on European companies (Yes, including companies or companies with offices, factories etc in Britain) , in a one way deal, of course ...
I would not trust Microsoft with anything, ever. I have seen people and companies been bitten left right and center over the past three decades ...
I doubt my data contain information that would be of interest to anyone besides myself .
The only way I could know if your data is not of interest to me is to go through ALL of it to check for anything that might be of interest.
And where you've signed an agreement giving the other party rights to use as they wish, including to make money from and make derived works from in perpetuity (Maybe not MS, but have you checked Hotmail's T&Cs closely? LinkedIn, Google, Flickr and others DO have that in their - by placing stuff on their site you give them the right to use your work, sell your work etc forever)
Many years ago the author of one of the popular messaging programs for Fidonet released the source code for his software. The next day he changed his mind, but it was to late. Once the private data is released it is gone from your control. Even scarier, MS says they'll trawl your files for stuff that is of interest to LEO (at least anything on OneDrive) - if you're starting to take notes for a novel perhaps about terrorism or maybe some ideas on a murder mystery or any number of other things, what if they take it out of context? Or perhaps they just go over it to build a psychological profile, which of course will be far from accurate as those things usually are - what if in their psychologists opinion you're a dangerous person because they're only handed documents you did as a homework assignment for a writing course?
Keep your stuff private, only let out the barest minimum. Once you have lost control of private information it is lost forever. As the old saying goes, never put on the internet what you don't want shouted from the rooftops.
In the 90s and early 00s, Microsoft was hammered for their browser providing extra functionality for their own services. But I don't see what Google's doing now as any different. Their browser is a portal to their services, and has lots of functionality built in to support G suite etc. If you use G suite with Firefox, for example, you get a different experience.
I try to restrict my Chrome use to my G suite usage. I am a huge fan of Firefox, and have become aware of how much better Edge is on a W10 laptop - resource usage is hugely less than for Chrome.
No, they will be using Chrome to scan every file you upload and download from and to your computer, and will grab copies of anything that interests them for "analysis".
Google wants to be your everything, not just online, but on your whole computer system, and, of course, on your phone, and even listening to your family room conversations with Google Home. 'Just keep on using Google products exclusively and see where it gets ya.
Posted from FF
Hmmm, so Google is adding something to Chrome that removes "unwanted software" - something that "scans for and cleans potentially harmful applications, specifically the types that negatively impact or target the Chrome browsing experience"
"Unwanted" - by whom, exactly? I know I don't want malware on my PC, but this doesn't specifically state "malware". I don't want software that enables Google (or anyone else) to track me on my PC - will it remove that? I somehow doubt it...
This is typical Google - the front is "we're helping! we're making things better for you!" - but it reality, they are merely tightening their grip over controlling what we see. Not to long ago, we had Google's adblocker, and before that blocking for sites that prompt app installation...
This creeping censorship needs to be stopped, right now. And the only way this will be achieved is to completely separate the various concerns that Google, sorry, Alphabet currently control - just as Microsoft before them were forced to display alternatives to Internet Explorer, so Google search should have to clearly label their own products in search results and present alternatives with the same prominence on the results page - no more "Upgrade your browsing experience!" calls to action at the head of the results page (probably the primary reason why Chrome now leads the browser market share).
Microsoft's control of the desktop is probably the greatest obstacle Google have right now, as when using a PC, the vast majority of people still have to go through a Microsoft product to use a Google one, hence Google's ongoing aggressive efforts to discredit Microsoft, (as opposed to getting their own house in order) - personally, I would not be surprised if the 90-day limit had its roots in anti-competition laws, and Google would be all too willing to disclose earlier if they thought they could get away with it.
They must be laughing their arses off at all the commentards in whose grudges are so deep-rooted that they cannot see what is going on right under their noses...
This is a great enhancement to Chrome and a proactive move by Google to combat the high levels of ad-fraud / non-human traffic on today's publisher sites. People who have gotten their Chrome browser hijacked by a malicious ad-based extension will be helped by this new feature. We need other players in the industry to step up as well to reduce the spread of adware/malware. Great job Google.
At long last. I've been suggesting these things to them for years to deal with dns unlocker attacks. They could add a user controlled noscript feature, with auto blacklist, and suggested whitelist.
But, what about android, chrome code using Chrome to spy on people (same code used to force dns unlocker over the top of pages from sites like tomahardware, Whirlpool.net, and background hidden processes hiding out like system processes (which it doesn't really even show you the foreground ones now).
Android chrome, and android low local serviceability, has been the weak link. Android chrome, like many android browsers, and android productivity and utility apps, offer you little control or features, incase something goes wrong, or to organise, do more business like, and backup user fata locally. If somebody comes along with their phone to me and asks if I can help them easily, what can I do but burn and reset or root and go through a lot of effort.