Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Google blocks silent Chrome extension installation - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Google blocks silent Chrome extension installation

According to chromium blog, Google Chrome 25 won't allow anymore silent extensions installs. This is good, because attacks like the Chrome malicious extension injecting ads to wikimedia pages in may won't happen without the user's consent. This is similar to Internet Explorer Protected Mode, which does not allow extension installations and Firefox add-on control since Firefox 8.

This kind of controls enforce the security settings described in the corresponding security templates of web browsers. So far, the only browser that posess the most scalable security baseline is still Internet Explorer, as there are specific Global Policy Objects (GPO) to apply for Internet Explorer that has been tested and deployed worldwide. Google Chrome also have security templates with the corresponding documentation, but you need to build your own GPO to deploy to a Windows Domain. For Firefox, FirefoxADM is able to generate Security GPO to manage security parameters.

Have you suffered lately any attacks regarding malicious extensions for Chrome? For Firefox or Internet Explorer? Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

185 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!