Google Will Block Third-Party Software From Injecting Code Into Chrome (bleepingcomputer.com) 40
Catalin Cimpanu, writing for BleepingComputer: Google has laid out a plan for blocking third-party applications from injecting code into the Chrome browser. The most impacted by this change are antivirus and other security products that often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and other threats. Google says these changes will take place in three main phases over the next 14 months. Phase 1: In April 2018, Chrome 66 will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. Phase 2: In July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Phase 3: In January 2019, Chrome 72 will remove this accommodation and always block code injection.
what's googles plans to protect users? (Score:2)
Re: (Score:3)
Re: what's googles plans to protect users? (Score:1, Insightful)
Google's security policies generally are intended to secure control of what they view as theirs. And what they sell as their primary product is the information they data-mine from their 'users', who are not their customers. If they did't force https, other players might rustle some of their sheep. This is very similar. They want total control of the data mining shafts they sink into our computers. Noone else can be permitted to muscle in on their operations.
"Injecting" vs. "Plugging in" (Score:1, Offtopic)
What's the difference between "plugging in" and "injecting"? Spin!
Availability of plugins is good, threat of injections is terrifying. The technically-important differences? I don't see any...
Re: (Score:3, Informative)
Plugins are JavaScript with access to a restricted set of JavaScript APIs, and the plugin system is designed and tested by Google and provides compatibility between releases. It should be almost impossible for a plugin to crash the browser, if it manages then that's a browser bug. While plugins themselves are very restricted, they can use the Native Messaging API to talk to a separate native process that has full access to the system. The separate native process is not part of the browser, so any bugs in
Re:"Injecting" vs. "Plugging in" (Score:5, Informative)
What's the difference between "plugging in" and "injecting"? Spin!
Hardly, and I'm a little disappointed that there's a need to explain the difference to an adult.
You plug things into receptacles designed to accept those things, whereas you inject things so as to bypass barriers that those things are not otherwise able or intended to cross. I'm not "injecting" a power plug when I plug it into the wall. The wall outlet is designed to take the plug. I'm not "plugging in" a syringe when I receive a tetanus booster shot in my arm. It's being injected into me in order to bypass my skin, which would otherwise keep it out.
Chrome provides frameworks by which developers can "plug in" third-party code (e.g. userscripts, extensions, apps, etc.), and many of us here have experience in developing those. But those frameworks are intentionally limited so that they can only accept code that's designed to work within their APIs. In contrast, the code being injected by these third parties has no such constraints, since they've injected it in a way that bypasses Chrome's frameworks.
Re: (Score:2)
And yet, the injection is highly beneficial to you and "blocking" it is generally considered dangerous and even evil [huffingtonpost.com] in some quarters.
Even when does not provide official means for an addition, the addition can still be useful — indeed, life-saving. And the other way around — adding poison will kill you even if you use the "official" orifice
Re: (Score:2)
Thus, the distinction you outlined is without difference and we are back to spin.
Not so. Re-read what you originally asked for. You questioned "[t]he technically-important differences" between the two, so I made a technical distinction between them: "plugs work this way, injections work that way". That's not spin. That's factual. It's plain for anyone to see that there's a clear difference between them, which is precisely what you asked for. You made no effort to ascribe or discuss any sort of moral judgment.
And yet, the injection is highly beneficial to you and "blocking" it is generally considered dangerous [...] the addition can still be useful — indeed, life-saving. And the other way around — adding poison will kill you even if you use the "official" orifice designed for it (your mouth).
The fact that neither is inherently good nor inherently evil has no bearing on
Re: (Score:2)
Only quality approved ads will be allowed in and not be so easy to block.
Approved ads get to stay, others ads are blocked by advanced new security.
Its what an advertizing company can do to protect their advertising.
This could be reasonable (Score:2)
Re: (Score:2)
Unless the web proxy can do a MITM attack (e.g. by using a CA cert installed into every client to generate false certificates), it can't do that for https traffic.
With https and other encrypted proxied traffic, the proxy doesn't and can't see the traffic. It doesn't even see the URL that a browser requests. All it sees, and all it can log, is that client on IP x.x.x.x used it and requested a CONNECT to host foo.example.com on port y.
This is by design. It stops ISPs (and othe
I'd prefer... (Score:2)
...that they would block injecting javascript code from a gazillion of 3d party sites, just to display one fucking page of text.
Ask Permission (Score:2)
Re: (Score:3)
Google's next new feature will be to require users to raise their hand and ask permission before typing a URL in the address bar. If you aren't clicking a link in a Google search result page you're just asking for trouble!
I'd rather it ask permission than not allow a download. Comodo firewall deleted a keygenerator I use. Not put it in a safe place or recycle bin but removed it, without a word.
Re: (Score:2)
Re: (Score:2)
I hear ya. Company switched from Sophos to Cylance this year. A program one of the units has used for years suddenly won't work after install. I find out the folder is empty except for a few readme files. I monitor the folder as I'm installing and watch as the files appear and disappear. Cyber security claims Cylance isn't doing it but nothing else has changed. Six months and I still can't install the program and they refuse to help me troubleshoot.
This can also be a driver feature of Windows 10, Try this: Run: bcdedit /set TESTSIGNING ON > reboot > install program > see if it works
Test mode will be shown bottom right,
Disable Testmode /set TESTSIGNING OFF > reboot > and the program will be gone, but you will know for sure.
Run: bcdedit
https://docs.microsoft.com/en-... [microsoft.com] says use - I use /
Re: (Score:2)
That's why you burn stuff to optical storage. At least, things you don't want to be disappeared by agents on your system without your permission.
Where it came from. Back into Linux Mint and ran it without a problem useing Wine. Chocked it up to lesson learned.
Name and shame (Score:3)
Google reserves that for ... (Score:4)
... first-party injection.
How do you block code injection? (Score:2)
I am not aware of any method whereby a process is guaranteed the ability to defend itself from any and all such attacks at least in Windows.
Sure there are things you can do on the margins yet it's not like third parties doing the injecting are stupid and have not already invested significant resources into their work. I wonder how effective this will actually be in real life or if it will become just another pointless unwinnable evolution between adversaries.
Priceless (Score:1)
That's fycking priceless coming from them.
On Chrome stable, I've had to fix several of these issues over the years:
Total Profile corruption
Browser failing to start after update
Updates crashing mid-update
Versions of browser that had insane memory leaks. (Caused by any graphical update or timers)
Versions where Google Play didn't work.
versions where extensions wouldn't install
UIs of windows behind bleeding through over the top of Chrome. (STILL happens on some current versions on some computers!)
Chrome for A