Chrome 25 will disable 'silently installed' extensions

All Chrome extensions installed using offline methods will be disabled until the users decide otherwise, Google says

By Lucian Constantin, IDG News Service | Security

"I think it is a good step in the right direction, which is a more secure browsing experience," Zoltan Balazs, an IT security researcher from Hungary, said Monday via email. Balazs previously created proof-of-concept malicious extensions for Firefox, Chrome and Safari in order to demonstrate how powerful such tools can be in the hands of attackers.

Balazs' research, which was presented at several security conferences this year, showed how remotely controlled rogue browser extensions can modify the content of Web pages, take screen shots through the computer's webcam, act as a reverse HTTP proxy into the internal network, download, upload and execute files, be used for distributed password hash cracking and more.

Even though the upcoming changes in Chrome 25 will make life harder for attackers, a piece of malware could still potentially replace the whole Chrome installation with a backdoored one, Balazs said. He pointed to the first of the "10 Immutable Laws of Security" as published by Microsoft, which reads: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

In July, when Google banned Chrome extension installations from third-party websites, the company also said that it will start analyzing all extensions listed in the Chrome Web Store for malicious behavior and will remove the offending ones.

However, malicious extensions have been found in the Chrome Web Store on multiple occasions since then, suggesting that Google's extension scanning and review mechanism can be bypassed. On Aug. 30, researchers from Barracuda Networks warned that Facebook scammers managed to trick over 90,000 users into installing several malicious Chrome extensions hosted in the Chrome Web Store before the extensions were removed by Google.

A Dec. 20 alert from Facecrooks, a group that monitors Facebook threats, warned about a scam that tricked users into installing a rogue Chrome extension by claiming that it changes the color scheme of their Facebook profile.

According to Balazs, the fact that malicious extension developers manage to bypass the Chrome Web Store's malware detection systems is not that surprising.

Obfuscating JavaScript code or hiding malicious functions inside other non-malicious functions, or creating non-malicious extensions and adding malicious functions in an update, is very easy, Balazs said. "It is the same cat and mouse game that we see between malware developers and the AV industry."
