Google blocks silent Chrome extension installation
Last Updated: 2012-12-24 22:02:04 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
According to chromium blog, Google Chrome 25 won't allow anymore silent extensions installs. This is good, because attacks like the Chrome malicious extension injecting ads to wikimedia pages in may won't happen without the user's consent. This is similar to Internet Explorer Protected Mode, which does not allow extension installations and Firefox add-on control since Firefox 8.
This kind of controls enforce the security settings described in the corresponding security templates of web browsers. So far, the only browser that posess the most scalable security baseline is still Internet Explorer, as there are specific Global Policy Objects (GPO) to apply for Internet Explorer that has been tested and deployed worldwide. Google Chrome also have security templates with the corresponding documentation, but you need to build your own GPO to deploy to a Windows Domain. For Firefox, FirefoxADM is able to generate Security GPO to manage security parameters.
Have you suffered lately any attacks regarding malicious extensions for Chrome? For Firefox or Internet Explorer? Let us know!
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org