How do you protect against threats caused by vulnerable browser extensions?

bralphye

An article on ZDNet today noted that when security researchers analyzed 100 Chrome extensions, they found 27 of them have at least one vulnerability in their cores. http://www.zdnet.com/blog/security/27-of-100-tested-chrome-extensions-contain-51-vulnerabilities/9537?tag=content;search-results-river 

 

How can one make an intelligent effort to minimize security risks associated with extensions, short of forbidding all of them? Is there a way to evaluate extensions, or are we basically stuck with an uninformed, yes/no decisions whether to download?

Topic: Security
Answer this Question

Answers

2 total
lsmall
Vote Up (13)

I think that most of the vulnerabilities allow attackers to use malicious JavaScript.  There needs to be improvement to Content Security Policies used by developers, and that is not something that you can enforce on the end-user side of it.  On the upside, I don't think that there are efforts being made by the extension developers to patch those extensions with the identified vulnerabilities, so hopefully the threats are being minimized quickly.  At the same time, I would be very cautious about installing extensions that were unnecessary or that came from unfamiliar developers.  There are always going to be some risks out there, careful selection of extensions can at least minimize the level of risk taken.    

jimlynch
Vote Up (12)

Right now I think it's dicey to install them if you aren't sure about security risks. I think you have to ask yourself whether or not you REALLY need to use browser extensions in the first place. I think many people just install them because they are "cool" or "fun" but then don't give them a second though.

Until some sort of security system is in place, I'd try to cut down to as few extensions as possible. The fewer you use, the fewer the chances that you'll inadvertently install one that becomes a huge security headache.

Ask a question

Join Now or Sign In to ask a question.
Google, Dropbox and the Open Technology Fund are supporting a new organization focused on making open-source security and privacy tools more user-friendly.
Among six major U.S. cities, CSOs are paid the most in San Francisco and New York, but factoring in the cost of living makes Denver and Chicago the best bang-for-the-buck places.
Apple's iOS 8 addresses a serious weakness that could allow attackers to hijack the wireless network authentication of Apple devices and gain access to enterprise networks.
Legislation introduced in the U.S. Senate on Thursday aims to place limits on access by U.S. law enforcement agencies to emails and other communications stored abroad.
Two online advertising networks, Google's DoubleClick and Zedo, have been delivering malicious advertisements that could install malware on a person's computer, according to the security vendor Malwarebytes.
Google is turning on data encryption by default in the next version of Android, a step that mirrors broad moves in the technology industry to ensure better data security.
CloudFlare said it has engineered a novel way to handle sensitive encryption keys that allows organizations such as financial institutions to still use its caching service to fend off cyberattacks.
Samsung on Thursday announced price reductions and updates for its Knox security and management software for IT shops and a free My Knox service that is directly available to professionals using ActiveSync.
The breach of Home Depot's payment systems may have compromised 56 million payment cards as a result of malware that has since been eliminated, the company said Thursday.
Apple outlined its new privacy policy and set up a site to explain what information it collects from users and how it handles it, as the company enters new areas like health tracking and mobile payments that have potential privacy implications.