Skip to content

Chrome

Google Chrome vows to carpet bomb meddling Windows antivirus tools

Quote

Browser will block third-party software from mucking around with pages next year.

By mid-2018 Google Chrome will no longer allow outside applications – cough, cough, antivirus packages – to run code within the browser on Windows.

“In the past, this software needed to inject code in Chrome in order to function properly; unfortunately, users with software that injects code into Windows Chrome are 15 per cent more likely to experience crashes.”

In particular, the target here seems to be poorly coded AV tools can not only crash the browser or cause slowdowns, but also introduce security vulnerabilities of their own for hackers to exploit.

Rather than accept injected code, Chrome will require applications to use either Native Messaging API calls or Chrome extensions to add functionality to the browser. Google believes both methods can be used to retain features without having to risk browser crashes. With Chrome 68, the browser will block third-party code in all cases except when the blocking itself would cause a crash. In that case, Chrome will reload, allow the code to run, and then give the user a warning that the third-party software will need to be removed for Chrome to run properly. The warning will be removed and nearly all code injection will be disabled in January of 2019.

“While most software that injects code into Chrome will be affected by these changes, there are some exceptions,” said Hamilton.

“Microsoft-signed code, accessibility software, and IME software will not be affected.”

Chrome trumps all comers in reported vulnerabilities

Quote

More vulnerabilities were discovered in Google Chrome last year than any other piece of core internet software – that’s according to research that also found 2014 clocked record numbers of zero-day flaws.

The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company’s Personal Software Inspector tool residing on “millions” of customer end points, each with an average of 76 installed applications.

It said the Chocolate Factory’s web surfer had more reported vulnerabilities than Oracle Solaris, Gentoo Linux, and Microsoft Internet Explorer which rounded out the top four among the analysed core products. ….Chrome leads the browser pack with 504 reported vulnerabilities followed by Internet Explorer with 289 and Firefox with 171. Some 1035 flaws were reported across all browsers including Opera and Safari, up from 728 in 2013.

Wait, but isn’t Google itself a threat?