Google Works to Defend Chrome Extensions from Malware
Google's Chrome browser has just adopted a new strategy to fight malicious attacks. Chrome extensions can now only be installed from the Chrome Web Store rather than from any website.
The change, which is being done to prevent malware attacks through rogue extensions, was unveiled by Erik Kay, engineering director of Google Chrome, in a May 27 post on the Google Chrome Blog.
"From now on, to protect Windows users from this kind of attack, extensions can be installed only if they're hosted on the Chrome Web Store," wrote Kay. "With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store."
The move follows changes made by Google in November 2013 when the company announced that it was making it tougher for malware to secretly install unwanted Chrome extensions. "Starting today, we’ll start enforcing this policy," Kay wrote.
"We're constantly working to keep Chrome users safe as they browse, with built-in features like Safe Browsing, which blocks many types of malicious websites and downloads," he wrote. "In the case that malicious software has managed to hijack your settings, we've added a 'reset browser settings' button, so you can get things back to normal. But since the bad guys continue to come up with new ways to cause our users headaches, we are always taking additional measures."
The harmful effects of malware extensions on Chrome browsers fuels Google's mission to continue the fight, he explained. "Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity," he wrote. "If you notice strange ads, broken Web pages or sluggish browsing after installing some new software or plugins, you could be affected."
Developers will continue to get support for local extension installs during development from Google, as well as installs via Enterprise policy, wrote Kay. "And if you have a dedicated installation flow from your own Website, you can make use of the existing inline installs feature. Windows developer channel users, as well as those on other operating systems, are unaffected by these changes."
Developers whose extensions are not in the Chrome Web Store yet can submit their extensions for inclusion. "This is just one more step we are taking to make sure our users can browse safely, and enjoy all the Web has to offer without worrying."