Google Cracks Down on Malicious Chrome Extensions

The next major version of Google Chrome will give users finer-grained control over how extensions interact with the websites they visit. This decision comes after malicious extensions have repeatedly made their way into the Chrome Web Store over the past couple of years.

Third-party browser extensions enable many features that enhance users’ browsing experience, from secure password management to advanced grammar checks and ad blocking. However, to provide their functionality, extensions often need full access to the website content accessed by users or the text they input into web forms. Unfortunately, this powerful “host access” can also be abused to steal credentials, inject unwanted ads into pages and perform other malicious actions.

“Beginning in Chrome 70, users will have the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page,” James Wagner, Chrome extensions product manager, said in a blog post.

This is similar to the click-to-play mechanism that has been in place for years for plug-in-based content such as Flash. Just as users must first click on a Flash-based video to enable playback, they will soon be able to click on an extension's icon to grant it access to the active website, and only to that site.
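The user-side controls described above only matter because extensions routinely declare host access to every site. As an added example (not Google's, Chrome's or the article's code), the following audit script flags a Chrome extension manifest that asks for all-hosts access and contrasts it with a least-privilege manifest that relies on the activeTab permission, which grants access to the current page only when the user clicks the extension icon, the same click-to-grant model Chrome 70 imposes from the user side. The two manifests are constructed for this example; the match-pattern grammar (`<all_urls>`, `scheme://host/path`) and the `permissions`, `host_permissions` and `content_scripts[].matches` keys are Chrome's.

```javascript
// Added example: audit a Chrome extension manifest for broad host access.
// Not code from the article or from Google; the manifests below are constructed.

// Parse a Chrome match pattern into scheme/host/path, or return null for
// strings that are not match patterns (API permission names like "storage").
function parseMatchPattern(pattern) {
  if (pattern === '<all_urls>') {
    return { scheme: '*', host: '*', path: '/*', allUrls: true };
  }
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  return { scheme: m[1], host: m[2], path: m[3], allUrls: false };
}

// Gather every host pattern an extension declares, remembering where it came
// from. "permissions" mixes API names and host patterns (Manifest V2);
// "host_permissions" is the Manifest V3 location; content scripts carry their own.
function collectHostPatterns(manifest) {
  const out = [];
  for (const p of manifest.permissions || []) {
    if (parseMatchPattern(p)) out.push({ pattern: p, source: 'permissions' });
  }
  for (const p of manifest.host_permissions || []) {
    out.push({ pattern: p, source: 'host_permissions' });
  }
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      out.push({ pattern: p, source: `content_scripts[${i}].matches` });
    }
  });
  return out;
}

// Classify declared host access: "allSites" is what the Chrome 70 per-site
// controls are meant to rein in; "scoped" patterns name specific hosts.
function auditHostAccess(manifest) {
  const findings = {
    allSites: [],
    scoped: [],
    invalid: [],
    activeTab: (manifest.permissions || []).includes('activeTab'),
  };
  for (const { pattern, source } of collectHostPatterns(manifest)) {
    const parsed = parseMatchPattern(pattern);
    if (!parsed) { findings.invalid.push({ pattern, source }); continue; }
    if (parsed.allUrls || parsed.host === '*') findings.allSites.push({ pattern, source });
    else findings.scoped.push({ pattern, source });
  }
  findings.risk = findings.allSites.length > 0 ? 'high'
    : findings.scoped.length > 0 ? 'medium' : 'low';
  return findings;
}

// Constructed manifest: reads and rewrites every page the user opens.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: 'Example Grammar Helper (broad)',
  permissions: ['storage', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
};

// Constructed manifest: same feature, but page access is granted only when the
// user clicks the toolbar icon (activeTab), plus one explicitly named host.
const SCOPED_MANIFEST = {
  manifest_version: 2,
  name: 'Example Grammar Helper (least privilege)',
  permissions: ['storage', 'activeTab'],
  browser_action: { default_title: 'Check this page' },
  content_scripts: [{ matches: ['https://*.example.com/*'], js: ['inject.js'] }],
};

for (const m of [BROAD_MANIFEST, SCOPED_MANIFEST]) {
  const f = auditHostAccess(m);
  console.log(`${m.name}: risk=${f.risk} allSites=${f.allSites.length} activeTab=${f.activeTab}`);
}
```

Run it with Node to see the broad manifest rated high and the activeTab variant rated medium (it still names one host pattern). The same classifier can be pointed at the manifest.json files of installed extensions to find the ones whose host access is worth restricting once Chrome 70's per-site controls arrive.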

And this is not the only measure Google plans to take against extension abuse. The company will strengthen its review process so that extensions that request powerful permissions, and those that load externally hosted code, are subjected to stricter checks.

Obfuscated code inside extensions has been banned as of this week; existing extensions that use such techniques have 90 days to comply with the new rule. Ordinary minification, which shortens code without hiding what it does, remains permitted.

“Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code,” Wagner said. “At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes.”

Starting sometime next year, Chrome extension developers will be forced to enable two-step verification for their accounts to better protect them from being hijacked, something that has happened on several occasions in the past.

Also in 2019, a new version of the extensions manifest will be introduced that adds narrower, more precise APIs, reducing the need for extensions to request overly broad access. The new manifest will also give users easier mechanisms to control the permissions granted to extensions and will support newer web technologies such as Service Workers.

Extensions can enhance the browsing experience, but they can also degrade it. Having a large number of extensions installed can slow page loads and drive up CPU and RAM usage. Users should periodically review their list of browser extensions and remove the ones they no longer need. There have been cases in the past where developers quietly sold their extensions to other parties who then misused them, and such a change of ownership is hard to spot from the user's side, since the extension keeps its name and updates silently.

Adobe Reader and Acrobat Get Patches for 86 Flaws

Adobe Systems released another batch of security fixes for Adobe Reader and Acrobat, this time addressing 86 vulnerabilities rated critical or important. The patched flaws can lead to arbitrary code execution, information disclosure and privilege escalation via security bypass.

Adobe advises users to upgrade to Adobe Reader and Acrobat version 2019.008.20071 if they are on the Continuous track, version 2017.011.30105 if they use the Classic 2017 variant and version 2015.006.30456 if they use the Classic 2015 track.

Competitor Foxit Software has also recently released security updates that patch dozens of serious vulnerabilities in its Foxit Reader and Foxit PhantomPDF applications. Foxit advises users to upgrade both programs to version 9.3.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42