A browser is only as secure as its weakest component. In practice, that means every extension and plugin, not just the core browser code, has to be secure before the browser as a whole can be called secure.
Google has spent years hardening the core of its Chrome browser, and the company is now taking the further step of tightening how browser extensions are installed. Extensions are third-party software modules that add functionality to the browser. For the first 20 stable releases of Google Chrome, a user could install nearly any extension from nearly any website.
Starting with the latest Chrome 21 beta, that changes. Google is ending the free-for-all in which any site could serve an extension for installation, and is locking the process down.
Google now advises extension developers to host their extension files on the Chrome Web Store, where Google validates and checks the code for security. So that developers can keep marketing their extensions from their own sites, Google also lets them place the install button on their own pages while the extension package itself stays hosted by Google. This is done through inline installation, an option that has been available since the Chrome 15 stable release.
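To make the inline-installation arrangement concrete, here is the developer-side half of it as it worked from Chrome 15 onward: the button lives on the developer's page, but the package is only ever fetched from the Chrome Web Store. This is an added example, not code from the article or from Google; it assumes a placeholder item ID (ITEM_ID), that the page already carries the `<link rel="chrome-webstore-item" href="...">` tag the API required, and it takes an `env` parameter standing in for `window` so the decision logic can also run outside a browser. Note that `chrome.webstore.install()` was later removed from Chrome (in Chrome 71), so today only the fallback path survives.

```javascript
// Added example (not the article's or Google's code): inline-install button
// for an extension hosted on the Chrome Web Store. Assumptions: ITEM_ID is a
// placeholder, the page carries <link rel="chrome-webstore-item" href="...">,
// and `env` stands in for `window`. chrome.webstore.install() existed from
// Chrome 15 to Chrome 70 and is no longer available.

const WEBSTORE_DETAIL = "https://chrome.google.com/webstore/detail/";

// Chrome extension IDs are 32 characters from the alphabet a-p (the hex digest
// of the publisher's key, re-encoded with a-p instead of 0-9a-f).
function isValidExtensionId(id) {
  return typeof id === "string" && /^[a-p]{32}$/.test(id);
}

// Canonical Web Store listing URL. Refuse anything that is not an item ID so a
// tampered button cannot point the install flow at a .crx on an arbitrary host.
function webStoreUrl(id) {
  if (!isValidExtensionId(id)) {
    throw new Error("not a Chrome Web Store item ID: " + id);
  }
  return WEBSTORE_DETAIL + id;
}

// Click handler for the on-site button. Uses inline installation when the
// chrome.webstore API is present; otherwise sends the visitor to the store
// listing rather than serving a .crx file. Returns which path was taken.
function installFromOwnSite(id, env = globalThis, onDone = () => {}) {
  const url = webStoreUrl(id);
  const webstore = env && env.chrome && env.chrome.webstore;
  if (webstore && typeof webstore.install === "function") {
    // The URL must match the page's <link rel="chrome-webstore-item">; Chrome
    // shows its own permission dialog and downloads the package from Google.
    webstore.install(
      url,
      () => onDone("inline-ok"),
      (reason) => onDone("inline-failed: " + reason)
    );
    return "inline";
  }
  if (env && env.location) {
    env.location.href = url; // fallback: the store listing, never a .crx link
  }
  return "redirect";
}

// Placeholder item ID (assumption: not a real extension).
const ITEM_ID = "abcdefghijklmnopabcdefghijklmnop";

// Wire the button when running inside a page.
if (typeof document !== "undefined") {
  const button = document.getElementById("install-button");
  if (button) {
    button.addEventListener("click", () =>
      installFromOwnSite(ITEM_ID, window, console.log)
    );
  }
}
```

The point of the ID check and the fixed Web Store prefix is that the only thing the developer's page controls is which listing the user is sent to; the package, its signature check and the permission prompt all stay with Google.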
In current stable releases, a user who tries to install an extension that is not hosted on the Google Chrome Web Store receives a warning. The warning tells the user that the extension has not been vetted by the Chrome Web Store's security procedures, but it does not block the install.
Although Google is restricting a site's ability to host and then trigger the install of an extension that is not hosted by Google, doing so remains technically possible. Google has posted instructions online on how to specify additional sources from which extensions may be installed.
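The Chromium page the article refers to covers the administrator's route for this: the ExtensionInstallSources enterprise policy, a list of URL match patterns from which Chrome will still install .crx files and user scripts directly. Below is an added illustration of such a managed-policy file, not text from the article or from Google's documentation; the hostname is a placeholder, and the file location assumed is the one Google Chrome on Linux reads managed policy from, /etc/opt/chrome/policies/managed/.

```json
{
  "ExtensionInstallSources": [
    "https://extensions.corp.example.com/*"
  ]
}
```

This only applies to machines under management; a user on an unmanaged browser still has to download the file and drag it onto the extensions page, as the Chromium page quoted below describes.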
“Starting in Chrome 21, it is more difficult to install extensions, apps, and user scripts from outside the Chrome Web Store,” according to the Google Chromium page. “Previously, users could click on a link to a *.crx file, and Chrome would offer to install the file after a few warnings. After Chrome 21, such files must be downloaded and dragged onto the Chrome settings page.”
Sources have confirmed to eSecurity Planet that Google has found malicious extensions in the past, both outside the Chrome Web Store and within it. The difference is that when malware turns up in the Chrome Web Store, Google can detect it faster and then actually remove it.
While Google is moving to restrict where extensions may be installed from, there is no comparable move to restrict plugins, such as Oracle's Java plugin.
Mozilla Follows a Similar Approach
Google isn’t the only browser vendor that scans extensions for malware. Justin Scott, Product Manager for the Mozilla Marketplace, told eSecurity Planet that Mozilla reviews all add-ons submitted to its gallery at addons.mozilla.org.
“We encourage users to install add-ons directly from the add-ons gallery,” Scott said. The Firefox browser does not prevent users from installing add-ons from other websites, but users receive a warning before doing so.
In addition to the protection the addons.mozilla.org review process provides, Scott noted that Firefox’s Blocklist feature runs a scheduled, automatic check once a day for harmful add-ons installed in the browser.
“This feature disables those add-ons that Mozilla has determined to contain known vulnerabilities or major user-facing issues or fatal bugs,” Scott said.