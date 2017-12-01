Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Catalin Cimpanu, writing for BleepingComputer: Google has laid out a plan for blocking third-party applications from injecting code into the Chrome browser. The most impacted by this change are antivirus and other security products that often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and other threats. Google says these changes will take place in three main phases over the next 14 months. Phase 1: In April 2018, Chrome 66 will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. Phase 2: In July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Phase 3: In January 2019, Chrome 72 will remove this accommodation and always block code injection.

  • Perhaps I am misunderstanding the affect of not allowing any injected code into the browser. The article didn't say what google would do to prevent users from malicious sites, as currently antivirus software does. Does this mean we are back to square one?
    • Chrome already has a lot of protections built in, including blocking known malicious sites. It appears to be Google's judgement that third party injected code from AV vendors doesn't add any real value or causes too many crashes. Vendors can still install extensions to do the same thing.

  • Google Will Block Third-Party Software From Injecting Code Into Chrome

    What's the difference between "plugging in" and "injecting"? Spin!

    Availability of plugins is good, threat of injections is terrifying. The technically-important differences? I don't see any...

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Plugins are JavaScript with access to a restricted set of JavaScript APIs, and the plugin system is designed and tested by Google and provides compatibility between releases. It should be almost impossible for a plugin to crash the browser, if it manages then that's a browser bug. While plugins themselves are very restricted, they can use the Native Messaging API to talk to a separate native process that has full access to the system. The separate native process is not part of the browser, so any bugs in

  • This could be reasonable, but only if there is an API to allow plugins to scan downloadable content. Forcing the use of an API rather than injecting code would be safer, allow Chrome to monitor software causing delays, and make the system more stable. Does anyone know if this is possible via official APIs?

  • ...that they would block injecting javascript code from a gazillion of 3d party sites, just to display one fucking page of text.

  • Google's next new feature will be to require users to raise their hand and ask permission before typing a URL in the address bar. If you aren't clicking a link in a Google search result page you're just asking for trouble!
  • I love it. I wish other software vendors would do a better job and informing users as to the root cause of issues they're seeing. More information is better. I don't care if something like "Please wait" or "oops, sorry" tested as being friendlier. I want information!

