How do you protect against threats caused by vulnerable browser extensions?

bralphye

An article on ZDNet today noted that when security researchers analyzed 100 Chrome extensions, they found 27 of them have at least one vulnerability in their cores. http://www.zdnet.com/blog/security/27-of-100-tested-chrome-extensions-contain-51-vulnerabilities/9537?tag=content;search-results-river 
How can one make an intelligent effort to minimize the security risks associated with extensions, short of forbidding all of them? Is there a way to evaluate extensions, or are we basically stuck with an uninformed yes/no decision on whether to download?

Topic: Security

Answers

2 total
jimlynch
Vote Up (10)

Right now I think it's dicey to install them if you aren't sure about security risks. I think you have to ask yourself whether or not you REALLY need to use browser extensions in the first place. I think many people just install them because they are "cool" or "fun" but then don't give them a second thought.

Until some sort of security system is in place, I'd try to cut down to as few extensions as possible. The fewer you use, the fewer the chances that you'll inadvertently install one that becomes a huge security headache.

lsmall
Vote Up (9)

I think that most of the vulnerabilities allow attackers to use malicious JavaScript. There needs to be improvement to Content Security Policies used by developers, and that is not something that you can enforce on the end-user side of it. On the upside, I don't think that there are efforts being made by the extension developers to patch those extensions with the identified vulnerabilities, so hopefully the threats are being minimized quickly. At the same time, I would be very cautious about installing extensions that were unnecessary or that came from unfamiliar developers. There are always going to be some risks out there; careful selection of extensions can at least minimize the level of risk taken.

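As an added example (not from the thread or from any of the posters), here is a small static check a user or admin can run over an extension's manifest.json before installing it. It flags the two things the answers point at: a relaxed Content Security Policy (eval or remote script sources) and broad or powerful permissions. The key names are Chrome's documented manifest keys (`permissions`, `host_permissions`, `content_security_policy`); the two manifests at the bottom are constructed for illustration.

```javascript
// Permissions that give an extension wide reach over browsing data or other
// processes; each one deserves a conscious "do I really need this?" decision.
const POWERFUL_PERMISSIONS = new Set([
  "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
  "nativeMessaging", "debugger", "proxy",
]);

// Host patterns that cover every site the user visits.
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Parse a CSP string into { directive: [sources...] }. Manifest v2 stores the
// policy as a string; v3 stores an object whose extension_pages key holds it.
function parseCsp(csp) {
  const text = csp && typeof csp === "object" ? (csp.extension_pages || "") : (csp || "");
  const directives = {};
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Return a list of human-readable findings; an empty list means nothing flagged.
function auditManifest(manifest) {
  const findings = [];
  const scriptSrc = parseCsp(manifest.content_security_policy)["script-src"] || [];
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("CSP allows 'unsafe-eval'");
  for (const src of scriptSrc) {
    // Any remote origin means code the extension runs can change after review.
    if (src === "*" || /^https?:/.test(src)) findings.push(`CSP loads remote scripts from ${src}`);
  }
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (POWERFUL_PERMISSIONS.has(p)) findings.push(`powerful permission: ${p}`);
    else if (isBroadHost(p)) findings.push(`broad host access: ${p}`);
  }
  return findings;
}

// Constructed sample manifests: one with a relaxed policy, one tightened up.
const WEAK_MANIFEST = {
  manifest_version: 2, name: "constructed example",
  permissions: ["tabs", "<all_urls>", "storage"],
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
const HARDENED_MANIFEST = {
  manifest_version: 2, name: "constructed example",
  permissions: ["storage", "activeTab"],
  content_security_policy: "script-src 'self'; object-src 'self'",
};
```

Run it as `auditManifest(WEAK_MANIFEST)` to see the four findings; the hardened manifest yields none.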