Google steals security page from Mozilla's Firefox
Will add blocking of outdated plug-ins to Chrome at unspecified future date
Computerworld - Google will take a page from Mozilla's security playbook and block outdated plug-ins from launching in its Chrome browser, part of a new effort to keep users safer, the company said Monday.
In a post to the Chromium blog, a trio of Google security engineers announced that Chrome would refuse to run plug-ins if they were found to be out of date, and thus, potentially vulnerable to exploitation of known bugs.
Chromium is the name of the open-source development project that feeds into the Chrome browser.
Google did not spell out when the blocking of outdated plug-ins would be added to Chrome, saying only that it would happen in the "medium-term." Nor did the Google engineers specify which plug-ins would be blocked. Chrome will assist users in updating old plug-ins, they said.
Chrome will also display a warning when a site calls on an infrequently-used plug-in, said Chris Evans, Julien Tinnes and Michal Zalewski of Google's security team. "Some plug-ins are widely installed but typically not required for today's Internet experience," they said. "For most users, any attempt to instantiate such a plug-in is suspicious and Google Chrome will warn on this condition."
Evans, Tinnes and Zalewski did not elaborate on how Chrome would define "infrequently-used."
Google did not reply to requests for clarification and more information on the timeline of the impending changes to Chrome.
By making this move with Chrome, Google is following in the footsteps of Mozilla, which has already equipped its Firefox browser with the ability to block outdated plug-ins.
Mozilla added basic plug-in checking to Firefox 3.5 last September, but fleshed out the feature in Firefox 3.6, which debuted in January. The newest Firefox checks browser plug-ins, such as Adobe's Flash Player or Apple's QuickTime, to make sure they're up to date, then blocks vulnerable plug-ins from loading and shows users how to update the software.
Both Mozilla and Google have said the new features represent a response to the rapid increase in the number of attacks against vulnerable plug-ins, especially Adobe's Flash Player and Reader.
According to some estimates, attacks against browser plug-ins, particularly Adobe's popular Reader PDF viewer, are quickly climbing. In the first quarter of 2010, PDF exploits accounted for 28% of all malware-bearing attack code, antivirus vendor McAfee said in April.
In other security arenas, Chrome is already ahead of Firefox. For example, Google's browser now automatically updates Adobe's Flash Player behind the scenes. And two weeks ago, Google added an integrated PDF viewer to the "developer" build of Chrome for Windows and Mac.
Chrome accounted for 7% of all browsers used last month, according to the most recent data from Web metrics company Net Applications. Meanwhile, Firefox owned a 24% usage share in May.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts