The Chromium team talked about improved Google Chrome plug-in security today. Apparently we are seeing more and more security exploits targeting browser plug-ins.  Since many plug-ins are ubiquitous, they pose the most significant risk to users. To better protect Google Chrome users from the threat of plug-in exploits, Google announced a couple of initiatives:

  • More powerful plug-in controls: Google Chrome now has the ability to disable individual plug-ins or to operate in a “domain whitelist” mode whereby only trusted domains are permitted to load plug-ins.
  • Autoupdate for Adobe Flash Player: By including Adobe Flash Player — the most popular plug-in — with Google Chrome,  browsers can re-use Google Chrome’s powerful autoupdate strategy and minimize the window of risk for patched vulnerabilities.

Other ways Google is attacking the problem:

  • Integrated PDF viewing: We have announced an integrated PDF viewer plug-in running inside Google Chrome’s sandbox. This will make it harder for PDF-based vulnerabilities to result in the persistent installation of malware.
  • Protection from out-of-date plug-ins: Medium-term, Google Chrome will start refusing to run certain out-of-date plug-ins (and help the user update).
  • Warning before running infrequently used plug-ins: Some plug-ins are widely installed but typically not required for today’s Internet experience. For most users, any attempt to instantiate such a plug-in is suspicious and Google Chrome will warn on this condition.
  • A next generation plug-in API: “Pepper” makes it easier to sandbox plug-ins.

I’m building my first Google Chrome Plug-In right now to manage a keyword network, and managing linking within blogs.  It is good to learn more about the security behind the scenes.

Advertisements