How do you protect against threats caused by vulnerable browser extensions?


An article on ZDNet today noted that when security researchers analyzed 100 Chrome extensions, they found 27 of them have at least one vulnerability in their cores.


How can one make an intelligent effort to minimize the security risks associated with extensions, short of forbidding all of them? Is there a way to evaluate extensions, or are we basically stuck with an uninformed yes/no decision on whether to download each one?

Topic: Security


2 total
Vote Up (13)

I think that most of the vulnerabilities allow attackers to use malicious JavaScript. There needs to be improvement to the Content Security Policies used by developers, and that is not something that you can enforce on the end-user side of it. On the upside, I don't think that there are efforts being made by the extension developers to patch those extensions with the identified vulnerabilities, so hopefully the threats are being minimized quickly. At the same time, I would be very cautious about installing extensions that were unnecessary or that came from unfamiliar developers. There are always going to be some risks out there, but careful selection of extensions can at least minimize the level of risk taken.
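The question asks whether there is any way to evaluate an extension before installing it, and the answer above points at weak Content Security Policies as the usual way malicious JavaScript gets in. One practical, defender-side check is to read the extension's manifest.json (unzip the .crx or look in the unpacked extension directory) and flag the two things that matter most: permissions and host patterns that give the extension broad reach, and a script-src policy relaxed to allow 'unsafe-eval' or remote script hosts. The script below is an added example written for this page, not code from the question, the answers, or the ZDNet research; the two manifests embedded in it are constructed samples, and the list of "high-risk" permissions is this example's own judgement call, not a Chrome-defined category.

```python
import json

# Permissions this check treats as high-risk because they expose browsing
# data or let the extension intercept or alter traffic (example's own list).
HIGH_RISK_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
    "clipboardRead", "nativeMessaging", "debugger", "proxy",
}

# CSP sources that undo the protection a script-src policy is meant to give.
WEAK_CSP_SOURCES = {"'unsafe-eval'", "http:", "https:", "*"}


def parse_csp(csp):
    """Turn 'script-src a b; object-src c' into {'script-src': [a, b], ...}."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def is_broad_host(pattern):
    """True for match patterns that cover every host on a scheme."""
    return pattern == "<all_urls>" or pattern.startswith(
        ("*://*/", "http://*/", "https://*/"))


def review_manifest(manifest):
    """Return a list of human-readable findings for one manifest dict."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(
        manifest.get("optional_permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}

    for p in sorted(perms & HIGH_RISK_PERMISSIONS):
        findings.append(f"high-risk permission: {p}")
    for h in sorted(hosts):
        if is_broad_host(h):
            findings.append(f"broad host access: {h}")

    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # MV3 shape: {"extension_pages": "...", "sandbox": "..."}
        csp = csp.get("extension_pages", "")
    if csp:
        policy = parse_csp(csp)
        for directive in ("script-src", "default-src"):
            for src in policy.get(directive, []):
                if src in WEAK_CSP_SOURCES:
                    findings.append(f"weak CSP: {directive} allows {src}")
                elif src.startswith(("http://", "https://")):
                    findings.append(f"remote script source in {directive}: {src}")
    return findings


def review_manifest_file(path):
    """Convenience wrapper: load manifest.json from disk and review it."""
    with open(path, encoding="utf-8") as fh:
        return review_manifest(json.load(fh))


# Constructed sample: an MV2 toolbar that reads every tab and pulls script from a CDN.
SAMPLE_RELAXED = {
    "manifest_version": 2,
    "name": "Example Toolbar (constructed sample)",
    "permissions": ["tabs", "storage", "<all_urls>"],
    "content_security_policy":
        "script-src 'self' https://cdn.example.net 'unsafe-eval'; object-src 'self'",
}

# Constructed sample: an MV3 extension scoped to one site with a tight CSP.
SAMPLE_TIGHT = {
    "manifest_version": 3,
    "name": "Example Site Helper (constructed sample)",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"},
}

if __name__ == "__main__":
    for m in (SAMPLE_RELAXED, SAMPLE_TIGHT):
        print(m["name"])
        for f in review_manifest(m) or ["no findings"]:
            print("  -", f)
```

An empty findings list does not mean the extension is safe; it means the manifest is not asking for more than it plausibly needs and is not weakening its own script policy. Findings such as broad host access are a reason to ask whether the extension's stated purpose justifies them, which is exactly the "do you really need it" question raised in the answers.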

Vote Up (12)

Right now I think it's dicey to install them if you aren't sure about security risks. I think you have to ask yourself whether or not you REALLY need to use browser extensions in the first place. I think many people just install them because they are "cool" or "fun" but then don't give them a second thought.

Until some sort of security system is in place, I'd try to cut down to as few extensions as possible. The fewer you use, the fewer the chances that you'll inadvertently install one that becomes a huge security headache.
