Google is bolstering Chrome security with a plan to block vulnerable plug-ins from launching.
“We’re working on tackling the problem of out-of-date plug-ins, starting with the two most widely used and targeted plug-ins,” a Google spokesperson told eWEEK. “Adobe Flash now ships with Chrome and is automatically kept up-to-date with Chrome’s powerful auto-update. And in our latest developer builds, PDF files are rendered internally by Chrome. The PDF solution will also be auto-updated and already runs inside the Chromium sandbox.”
The move by Google mirrors what Mozilla has been doing with Firefox. Mozilla started to check Adobe Flash Player plug-ins in fall 2009, and now checks a number of other plug-ins as well. If the plug-ins are out of date, they are blocked from loading. In addition, Mozilla created a page users can visit to check the security of their plug-ins, regardless of which browser they are using.
Google did not say when the plug-in protection would make its way into Chrome, but it has already added the ability to disable individual plug-ins as well as to operate in a “domain whitelist” mode where only trusted domains are permitted to load plug-ins. In addition, Google has included Adobe Flash with Chrome, a move that will allow the browser’s auto-update feature to minimize the window of risk for patched vulnerabilities.
“We’re seeing a remarkable swing towards attacks that target pieces of browsing infrastructure such as plug-ins,” members of Google’s Security Team posted on the company’s Chromium blog. “This may be because browsers are taking the lead on auto-update and sandboxing. Since many plug-ins are ubiquitous, they pose the most significant risk to our user base.”