Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Chrome Security

Google Will Block Third-Party Software From Injecting Code Into Chrome (bleepingcomputer.com) 40

Catalin Cimpanu, writing for BleepingComputer: Google has laid out a plan for blocking third-party applications from injecting code into the Chrome browser. The most impacted by this change are antivirus and other security products that often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and other threats. Google says these changes will take place in three main phases over the next 14 months. Phase 1: In April 2018, Chrome 66 will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. Phase 2: In July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Phase 3: In January 2019, Chrome 72 will remove this accommodation and always block code injection.
This discussion has been archived. No new comments can be posted.

Google Will Block Third-Party Software From Injecting Code Into Chrome

Comments Filter:
  • Perhaps I am misunderstanding the affect of not allowing any injected code into the browser. The article didn't say what google would do to prevent users from malicious sites, as currently antivirus software does. Does this mean we are back to square one?
    • Chrome already has a lot of protections built in, including blocking known malicious sites. It appears to be Google's judgement that third party injected code from AV vendors doesn't add any real value or causes too many crashes. Vendors can still install extensions to do the same thing.
  • Google Will Block Third-Party Software From Injecting Code Into Chrome

    What's the difference between "plugging in" and "injecting"? Spin!

    Availability of plugins is good, threat of injections is terrifying. The technically-important differences? I don't see any...

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Plugins are JavaScript with access to a restricted set of JavaScript APIs, and the plugin system is designed and tested by Google and provides compatibility between releases. It should be almost impossible for a plugin to crash the browser, if it manages then that's a browser bug. While plugins themselves are very restricted, they can use the Native Messaging API to talk to a separate native process that has full access to the system. The separate native process is not part of the browser, so any bugs in

    • by Anubis IV ( 1279820 ) on Friday December 01, 2017 @01:30PM (#55658927)

      What's the difference between "plugging in" and "injecting"? Spin!

      Hardly, and I'm a little disappointed that there's a need to explain the difference to an adult.

      You plug things into receptacles designed to accept those things, whereas you inject things so as to bypass barriers that those things are not otherwise able or intended to cross. I'm not "injecting" a power plug when I plug it into the wall. The wall outlet is designed to take the plug. I'm not "plugging in" a syringe when I receive a tetanus booster shot in my arm. It's being injected into me in order to bypass my skin, which would otherwise keep it out.

      Chrome provides frameworks by which developers can "plug in" third-party code (e.g. userscripts, extensions, apps, etc.), and many of us here have experience in developing those. But those frameworks are intentionally limited so that they can only accept code that's designed to work within their APIs. In contrast, the code being injected by these third parties has no such constraints, since they've injected it in a way that bypasses Chrome's frameworks.

      • by mi ( 197448 )

        I'm not "plugging in" a syringe when I receive a tetanus booster shot in my arm.

        And yet, the injection is highly beneficial to you and "blocking" it is generally considered dangerous and even evil [huffingtonpost.com] in some quarters.

        Chrome provides frameworks by which developers can "plug in" third-party code

        Even when does not provide official means for an addition, the addition can still be useful — indeed, life-saving. And the other way around — adding poison will kill you even if you use the "official" orifice

        • Thus, the distinction you outlined is without difference and we are back to spin.

          Not so. Re-read what you originally asked for. You questioned "[t]he technically-important differences" between the two, so I made a technical distinction between them: "plugs work this way, injections work that way". That's not spin. That's factual. It's plain for anyone to see that there's a clear difference between them, which is precisely what you asked for. You made no effort to ascribe or discuss any sort of moral judgment.

          And yet, the injection is highly beneficial to you and "blocking" it is generally considered dangerous [...] the addition can still be useful — indeed, life-saving. And the other way around — adding poison will kill you even if you use the "official" orifice designed for it (your mouth).

          The fact that neither is inherently good nor inherently evil has no bearing on

    • by AHuxley ( 892839 )
      Think of all this new protection in terms of not seeing third party ads.
      Only quality approved ads will be allowed in and not be so easy to block.
      Approved ads get to stay, others ads are blocked by advanced new security.
      Its what an advertizing company can do to protect their advertising.
  • This could be reasonable, but only if there is an API to allow plugins to scan downloadable content. Forcing the use of an API rather than injecting code would be safer, allow Chrome to monitor software causing delays, and make the system more stable. Does anyone know if this is possible via official APIs?
  • ...that they would block injecting javascript code from a gazillion of 3d party sites, just to display one fucking page of text.

  • Google's next new feature will be to require users to raise their hand and ask permission before typing a URL in the address bar. If you aren't clicking a link in a Google search result page you're just asking for trouble!
    • Google's next new feature will be to require users to raise their hand and ask permission before typing a URL in the address bar. If you aren't clicking a link in a Google search result page you're just asking for trouble!

      I'd rather it ask permission than not allow a download. Comodo firewall deleted a keygenerator I use. Not put it in a safe place or recycle bin but removed it, without a word.

      • I hear ya. Company switched from Sophos to Cylance this year. A program one of the units has used for years suddenly won't work after install. I find out the folder is empty except for a few readme files. I monitor the folder as I'm installing and watch as the files appear and disappear. Cyber security claims Cylance isn't doing it but nothing else has changed. Six months and I still can't install the program and they refuse to help me troubleshoot.
        • I hear ya. Company switched from Sophos to Cylance this year. A program one of the units has used for years suddenly won't work after install. I find out the folder is empty except for a few readme files. I monitor the folder as I'm installing and watch as the files appear and disappear. Cyber security claims Cylance isn't doing it but nothing else has changed. Six months and I still can't install the program and they refuse to help me troubleshoot.

          This can also be a driver feature of Windows 10, Try this: Run: bcdedit /set TESTSIGNING ON > reboot > install program > see if it works

          Test mode will be shown bottom right,

          Disable Testmode
          Run: bcdedit /set TESTSIGNING OFF > reboot > and the program will be gone, but you will know for sure.

          https://docs.microsoft.com/en-... [microsoft.com] says use - I use /

  • by jader3rd ( 2222716 ) on Friday December 01, 2017 @11:59AM (#55658193)
    I love it. I wish other software vendors would do a better job and informing users as to the root cause of issues they're seeing. More information is better. I don't care if something like "Please wait" or "oops, sorry" tested as being friendlier. I want information!
  • by CaptainDork ( 3678879 ) on Friday December 01, 2017 @12:22PM (#55658347)

    ... first-party injection.

  • I am not aware of any method whereby a process is guaranteed the ability to defend itself from any and all such attacks at least in Windows.

    Sure there are things you can do on the margins yet it's not like third parties doing the injecting are stupid and have not already invested significant resources into their work. I wonder how effective this will actually be in real life or if it will become just another pointless unwinnable evolution between adversaries.

  • by Anonymous Coward

    That's fycking priceless coming from them.
    On Chrome stable, I've had to fix several of these issues over the years:
    Total Profile corruption
    Browser failing to start after update
    Updates crashing mid-update
    Versions of browser that had insane memory leaks. (Caused by any graphical update or timers)
    Versions where Google Play didn't work.
    versions where extensions wouldn't install
    UIs of windows behind bleeding through over the top of Chrome. (STILL happens on some current versions on some computers!)

    Chrome for A

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...