Google triggers Chrome 'kill switch' for unapproved plugins
Google today upgraded Chrome to version 33, fulfilling its promise to block more add-ons in the Windows browser and quashing 28 bugs.
The promotion of the new tools and features to Chrome’s “Stable” channel, one of three that the Mountain View, Calif. company maintains, had been trumpeted previously, and baked into rougher builds.
Top on the change list was the posting of a “No trespassing” sign: Only extensions or add-ons that originate from the Chrome Web Store, Google’s official distribution channel, can be installed. The new policy currently affects only users of the Windows version of Chrome 33.
Chrome 33 also automatically throws a “kill switch” on extensions that had been installed previously from sources other than the Chrome Web Store. Google called this a “hard-disable,” or one that prevents the user from re-enabling the add-on. Some exceptions applied.
A promise fulfilled
Google first promised that in November, when Erik Kay, director of Chrome engineering, cited “our continuing security efforts” for the change, and stated, “We believe this change will help those whose browser has been compromised by unwanted extensions.”
Google has been tightening the screws on third-party add-ons since July 2012, when it first required that add-ons move to the Chrome Web Store. In other subsequent steps, it blocked sneaky add-on installation.
Those stricter policies had driven some purveyors of adware to try an end-around by buying the rights to established add-ons already in the Chrome Web Store, then modifying them to bombard users with advertisements.
Only add-ons that were installed via such enterprise policies or by developers from their websites or software can avoid the automatic “hard disable” that Google mandated.Starting with Chrome 33 on Windows, Google is closing the remaining loopholes: Extensions that had been installed locally or by businesses internally must be published to the Chrome Web Store. Businesses can hide their extensions on the store from the public at large—or continue to use group policies to offer the add-ons to their workforce from their own servers—and developers will still be able to initiate “in-line” installs from their website, assuming the add-on is also in the Chrome Web Store.
Welcome to the (closed) Android app market
By forcing add-on developers to publish their work in the Store, Google moved another step closer to a closed market, the kind popularized by Apple’s mobile app ecosystem, where it can more easily vet the extensions and then yank them if necessary.
On the Mac version of Chrome 32, add-ons that had been installed from sources other than the Chrome Web Store—such as 1Password’s extension, which was installed on one staffer’s Mac by that password management software—were not disabled but were instead marked with “Not from Chrome Web Store.”
Chrome 33 also debuted notifications for Google Now, the company’s digital Siri-like assistant, within the browser on Windows and Apple’s OS X. Those notifications stem from the Android and iOS Google Now apps.
Along with the feature promotions, Google patched 28 vulnerabilities in the browser, including five rated “high,” the company’s second-most-serious threat ranking. Three of the vulnerabilities were classified as “use-after-free” issues, a type of memory bug that in-house and external researchers have become adept at rooting out, largely by using Google’s own AddressSanitizer fuzzing tool.
Seven outside researchers were paid a total of $13,500 in bounties for reporting six of the 28 flaws. So far this year, Google has paid out more than $21,000 in bug bounties.
Chrome 33 also included the most-up-to-date version of Adobe’s Flash Player—Google’s browser uses an integrated edition of Flash and so updates it automatically—that was released earlier today after reports surfaced that hackers were exploiting a critical vulnerability.
People who haven’t tried Google’s desktop browser can download Chrome 33 for Windows, OS X and Linux from Google’s website. Current users can let the automatic updater download and install the new version.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His email address is firstname.lastname@example.org.
Read more about internet in Computerworld’s Internet Topic Center.