Slashdot Mirror


Google Will Block Third-Party Software From Injecting Code Into Chrome (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Google has laid out a plan for blocking third-party applications from injecting code into the Chrome browser. The most impacted by this change are antivirus and other security products that often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and other threats. Google says these changes will take place in three main phases over the next 14 months. Phase 1: In April 2018, Chrome 66 will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. Phase 2: In July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Phase 3: In January 2019, Chrome 72 will remove this accommodation and always block code injection.

40 comments

  1. what's googles plans to protect users? by tatman · · Score: 1

    Perhaps I am misunderstanding the effect of not allowing any injected code into the browser. The article didn't say what Google would do to prevent users from malicious sites, as currently antivirus software does. Does this mean we are back to square one?

    --
    I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
    1. Re:what's googles plans to protect users? by jbmartin6 · · Score: 2

      Chrome already has a lot of protections built in, including blocking known malicious sites. It appears to be Google's judgement that third party injected code from AV vendors doesn't add any real value or causes too many crashes. Vendors can still install extensions to do the same thing.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    2. Re:what's googles plans to protect users? by Anonymous Coward · · Score: 0

      No, you're under the glorious protection provided to you by Google (TM). Don't you feel safer already? /sarcasm

      Google's developers seem to be of the same thinking as those that make DRM. "Oh, if we just put in a restriction on the client's machine, it will be protected." Well, much like with DRM, your "protection" won't help you here, all it will do is make it impossible for the average user to circumvent it, while doing nothing against a determined attacker.

      In this case, it's probably doing two things: Disabling debug hooking / checking for debug hooking attempts (just like any DRM would), and probably requesting a curtained memory area if the host supports it. (Just like any DRM would.) Can a dedicated hacker find a bug somewhere to get past this? You bet. Would the average user? No. All they get is inoperable software due to the changes. So in creating these changes, the user has less choice over what the machine does, and the hackers have a new target to crack. Way to punish the legitimate users Google.

      Also, I wonder if there are any policies about Antivirus in a workplace setting that require the ability to scan the browser that would be affected by this? Gotta love Google's constant security policy mandates that they force on everyone. Can't let anyone else make security decisions for themselves now can we? After all most people are ignorant, so everyone must need security decisions made for them.

    3. Re: what's googles plans to protect users? by Anonymous Coward · · Score: 1, Insightful

      Google's security policies generally are intended to secure control of what they view as theirs. And what they sell as their primary product is the information they data-mine from their 'users', who are not their customers. If they didn't force https, other players might rustle some of their sheep. This is very similar. They want total control of the data mining shafts they sink into our computers. No one else can be permitted to muscle in on their operations.

    4. Re:what's googles plans to protect users? by Anonymous Coward · · Score: 0

      Google has malware and site reputation services. You're supposed to use them so Google can do more data mining about you. Google doesn't get the data if you use a 3rd party virus scanner.

    5. Re: what's googles plans to protect users? by Anonymous Coward · · Score: 0

      Try making that claim to their privacy lawyers and see if you can get them to stop laughing at you afterwards.

    6. Re: what's googles plans to protect users? by Anonymous Coward · · Score: 0

      Google also has an online virus scan service where you can upload your files ... hmmm...

    7. Re:what's googles plans to protect users? by Anonymous Coward · · Score: 0

      The second to last line in the article states what vendors should do...

      "The search giant recommends that software vendors update their coding methods and use modern Chrome features such as browser extensions or the Native Messaging API, instead of the antiquated practice of code injection."

    8. Re: what's googles plans to protect users? by Anonymous Coward · · Score: 0

      Who gives a shit what the lawyers Google keep on retainer think?

  2. "Injecting" vs. "Plugging in" by mi · · Score: 0, Offtopic

    Google Will Block Third-Party Software From Injecting Code Into Chrome

    What's the difference between "plugging in" and "injecting"? Spin!

    Availability of plugins is good, threat of injections is terrifying. The technically-important differences? I don't see any...

    --
    In Soviet Washington the swamp drains you.
    1. Re:"Injecting" vs. "Plugging in" by Anonymous Coward · · Score: 3, Informative

      Plugins are JavaScript with access to a restricted set of JavaScript APIs, and the plugin system is designed and tested by Google and provides compatibility between releases. It should be almost impossible for a plugin to crash the browser, if it manages then that's a browser bug. While plugins themselves are very restricted, they can use the Native Messaging API to talk to a separate native process that has full access to the system. The separate native process is not part of the browser, so any bugs in it can't crash the browser.

      Injection involves injecting native code into the browser in a way that Google don't expect, using APIs that may change between releases (they may even change in a security update). Any bugs will crash the browser.
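
The extension-plus-native-host arrangement described in the comment above, as an added example that is not part of the thread or Chrome's own code: a Python host speaking the Native Messaging framing (a 32-bit native-byte-order length followed by UTF-8 JSON on stdin/stdout). The `scan_url` message shape and the blocklist are assumptions made for illustration.

```python
import json
import struct
import sys
from urllib.parse import urlsplit

MAX_HOST_TO_BROWSER = 1024 * 1024  # Chrome's limit for one message from the host is 1 MB
BLOCKED_HOSTS = {"malware.example", "phish.example"}  # constructed sample data


def frame(obj):
    """Serialize obj as UTF-8 JSON behind a 32-bit native-order length prefix."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_HOST_TO_BROWSER:
        raise ValueError("reply exceeds the 1 MB host-to-browser limit")
    return struct.pack("=I", len(body)) + body


def read_message(stream):
    """Read one framed message; return None on clean EOF (browser closed the pipe)."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) != 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


def handle(request):
    """Hypothetical scanner logic: verdict for {"type": "scan_url", "url": ...}."""
    if not isinstance(request, dict) or request.get("type") != "scan_url":
        return {"ok": False, "error": "unsupported request"}
    try:
        host = urlsplit(str(request.get("url", ""))).hostname or ""
    except ValueError:
        return {"ok": False, "error": "malformed url"}
    blocked = any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)
    return {"ok": True, "host": host, "verdict": "block" if blocked else "allow"}


def serve(inp, out):
    """Answer requests until EOF; return how many were handled."""
    handled = 0
    while True:
        try:
            request = read_message(inp)
        except ValueError:
            break  # bad framing or JSON: this process exits, the browser is unaffected
        if request is None:
            break
        out.write(frame(handle(request)))
        out.flush()
        handled += 1
    return handled


if __name__ == "__main__":
    # Chrome launches the host and connects pipes to its stdin/stdout.
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

A crash or parsing bug in this process ends only the host, which is the isolation property the comment describes.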

    2. Re:"Injecting" vs. "Plugging in" by Anonymous Coward · · Score: 0

      Injection involves injecting native code into the browser in a way that Google don't expect, using APIs that may change between releases (they may even change in a security update). Any bugs will crash the browser.

      See also: https://en.wikipedia.org/wiki/DLL_injection

    3. Re:"Injecting" vs. "Plugging in" by Anubis+IV · · Score: 4, Informative

      What's the difference between "plugging in" and "injecting"? Spin!

      Hardly, and I'm a little disappointed that there's a need to explain the difference to an adult.

      You plug things into receptacles designed to accept those things, whereas you inject things so as to bypass barriers that those things are not otherwise able or intended to cross. I'm not "injecting" a power plug when I plug it into the wall. The wall outlet is designed to take the plug. I'm not "plugging in" a syringe when I receive a tetanus booster shot in my arm. It's being injected into me in order to bypass my skin, which would otherwise keep it out.

      Chrome provides frameworks by which developers can "plug in" third-party code (e.g. userscripts, extensions, apps, etc.), and many of us here have experience in developing those. But those frameworks are intentionally limited so that they can only accept code that's designed to work within their APIs. In contrast, the code being injected by these third parties has no such constraints, since they've injected it in a way that bypasses Chrome's frameworks.

    4. Re:"Injecting" vs. "Plugging in" by mi · · Score: 1

      I'm not "plugging in" a syringe when I receive a tetanus booster shot in my arm.

      And yet, the injection is highly beneficial to you and "blocking" it is generally considered dangerous and even evil in some quarters.

      Chrome provides frameworks by which developers can "plug in" third-party code

      Even when does not provide official means for an addition, the addition can still be useful — indeed, life-saving. And the other way around — adding poison will kill you even if you use the "official" orifice designed for it (your mouth).

      Thus, the distinction you outlined is without difference and we are back to spin. And the intent of the creators of the additions, however their creations are added.

      --
      In Soviet Washington the swamp drains you.
    5. Re:"Injecting" vs. "Plugging in" by Anubis+IV · · Score: 1

      Thus, the distinction you outlined is without difference and we are back to spin.

      Not so. Re-read what you originally asked for. You questioned "[t]he technically-important differences" between the two, so I made a technical distinction between them: "plugs work this way, injections work that way". That's not spin. That's factual. It's plain for anyone to see that there's a clear difference between them, which is precisely what you asked for. You made no effort to ascribe or discuss any sort of moral judgment.

      And yet, the injection is highly beneficial to you and "blocking" it is generally considered dangerous [...] the addition can still be useful — indeed, life-saving. And the other way around — adding poison will kill you even if you use the "official" orifice designed for it (your mouth).

      The fact that neither is inherently good nor inherently evil has no bearing on the technical distinctions I outlined between the two, which is what you asked for and what I provided (i.e. you're moving the goalposts by bringing up an unrelated topic to "refute" what I said).

      Had you instead simply clarified that you intended to discuss the moral distinction between the two from the start, you would have quickly found me in agreement with you that neither method is inherently good nor evil. We make those determinations on a case-by-case basis, and I'd agree with you that in this particular case it's a bit murky. There are arguments to be made for both sides as to whether injections are good or bad. I lean towards them being bad, but I can see how someone else would come down on the other side.

    6. Re:"Injecting" vs. "Plugging in" by AHuxley · · Score: 1

      Think of all this new protection in terms of not seeing third party ads.
      Only quality approved ads will be allowed in and not be so easy to block.
      Approved ads get to stay, other ads are blocked by advanced new security.
      It's what an advertising company can do to protect their advertising.

      --
      Domestic spying is now "Benign Information Gathering"
  3. This could be reasonable by Chrisq · · Score: 1

    This could be reasonable, but only if there is an API to allow plugins to scan downloadable content. Forcing the use of an API rather than injecting code would be safer, allow Chrome to monitor software causing delays, and make the system more stable. Does anyone know if this is possible via official APIs?

    1. Re:This could be reasonable by Anonymous Coward · · Score: 0

      This could be reasonable, but only if there is an API to allow plugins to scan downloadable content. Forcing the use of an API rather than injecting code would be safer, allow Chrome to monitor software causing delays, and make the system more stable. Does anyone know if this is possible via official APIs?

      Yes, the API is a web-proxy.

    2. Re:This could be reasonable by cas2000 · · Score: 1

      Yes, the API is a web-proxy.

      Unless the web proxy can do a MITM attack (e.g. by using a CA cert installed into every client to generate false certificates), it can't do that for https traffic.

      With https and other encrypted proxied traffic, the proxy doesn't and can't see the traffic. It doesn't even see the URL that a browser requests. All it sees, and all it can log, is that client on IP x.x.x.x used it and requested a CONNECT to host foo.example.com on port y.

      This is by design. It stops ISPs (and others in the network path from client to remote site) from spying on or interfering with traffic.

      It also stops people like me who run their own proxy on their own home server from seeing what is being "phoned home" by browsers, javascript and general software running on machines in the internal network (e.g. windows boxes phoning home to microsoft and iphones etc reporting to apple).

      I used to use the URLs in my squid logs to maintain my squid-based ad & javascript blocker (which I use in addition to uBlock Origin and uMatrix in the browsers. I've been using it since long before browser ad-blocking plugins existed, in the mid 90s when ads started being animated and that pissed me off enough to do something about it). Now, pretty much all I see is CONNECT entries in the log. Using a squid URL redirector to block unwanted crap is ineffective when the proxy can't see the URL.

      I'm generally in favour of "https everywhere" but it has come at a price. I'm a lot more dependent on browser-based blocking than I used to be.
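
What a proxy-side blocker can still decide once traffic is tunnelled, as an added example that is not part of the thread: it parses squid native-format log lines and applies host and path rules to them. The log lines, hosts and rules are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed squid access.log lines (native format), not taken from the post.
SAMPLE_LOG = """\
1511546400.101    120 192.168.1.20 TCP_MISS/200 5120 GET http://ads.example.net/banner/anim.gif - HIER_DIRECT/203.0.113.7 image/gif
1511546401.202   9000 192.168.1.20 TCP_TUNNEL/200 48211 CONNECT ads.example.net:443 - HIER_DIRECT/203.0.113.7 -
1511546402.303     80 192.168.1.21 TCP_MISS/200 2048 GET http://news.example.org/story.html - HIER_DIRECT/198.51.100.4 text/html
1511546403.404   4000 192.168.1.21 TCP_TUNNEL/200 91022 CONNECT news.example.org:443 - HIER_DIRECT/198.51.100.4 -
"""

# Rules are (host, path_prefix); a prefix of None blocks the whole host.
PATH_RULES = [("ads.example.net", "/banner/"), ("news.example.org", "/tracker/")]
HOST_RULES = [("ads.example.net", None)]


def parse_entry(line):
    """Return (method, host, path); path is None when the proxy only saw CONNECT."""
    fields = line.split()
    method, target = fields[5], fields[6]
    if method == "CONNECT":
        # The target is just host:port, there is no URL to inspect.
        return method, target.rsplit(":", 1)[0].lower(), None
    parts = urlsplit(target)
    return method, (parts.hostname or "").lower(), parts.path or "/"


def decide(entry, rules):
    """Return 'block', 'allow', or 'cannot-decide' for one parsed log entry."""
    _, host, path = entry
    undecidable = False
    for rule_host, prefix in rules:
        if host != rule_host:
            continue
        if prefix is None:
            return "block"          # host-wide rule works for CONNECT too
        if path is None:
            undecidable = True      # a path rule exists but the path is hidden
        elif path.startswith(prefix):
            return "block"
    return "cannot-decide" if undecidable else "allow"


def evaluate(log_text, rules):
    """Apply the rules to every non-empty log line, in order."""
    return [decide(parse_entry(line), rules)
            for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for label, rules in (("path rules", PATH_RULES), ("host rules", HOST_RULES)):
        print(label, evaluate(SAMPLE_LOG, rules))
```

Path rules only resolve for the plain-HTTP entries; for the CONNECT entries the remaining choice is to block or allow the entire host.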

  4. I'd prefer... by nospam007 · · Score: 1

    ...that they would block injecting javascript code from a gazillion of 3d party sites, just to display one fucking page of text.

  5. Ask Permission by ArhcAngel · · Score: 1

    Google's next new feature will be to require users to raise their hand and ask permission before typing a URL in the address bar. If you aren't clicking a link in a Google search result page you're just asking for trouble!

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re: Ask Permission by Anonymous Coward · · Score: 0

      Address bar??? That's so last-decade! Get with it! Click on the coloured buttons!

    2. Re:Ask Permission by Trax3001BBS · · Score: 2

      Google's next new feature will be to require users to raise their hand and ask permission before typing a URL in the address bar. If you aren't clicking a link in a Google search result page you're just asking for trouble!

      I'd rather it ask permission than not allow a download. Comodo firewall deleted a keygenerator I use. Not put it in a safe place or recycle bin but removed it, without a word.

    3. Re:Ask Permission by ArhcAngel · · Score: 1

      I hear ya. Company switched from Sophos to Cylance this year. A program one of the units has used for years suddenly won't work after install. I find out the folder is empty except for a few readme files. I monitor the folder as I'm installing and watch as the files appear and disappear. Cyber security claims Cylance isn't doing it but nothing else has changed. Six months and I still can't install the program and they refuse to help me troubleshoot.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    4. Re: Ask Permission by Anonymous Coward · · Score: 0

      That's why you burn stuff to optical storage. At least, things you don't want to be disappeared by agents on your system without your permission.

    5. Re: Ask Permission by Anonymous Coward · · Score: 0

      Get with it! Click on the coloured buttons!

      Colored?!?

      Oh, no. First we made them flat. Now the color's going away. You don't need to understand the icon. That shows no courage at all. Next, we're taking the borders off. And the whole redraw-on-click. Finally, we're replacing them with ads.

      Get with the program.

    6. Re: Ask Permission by Trax3001BBS · · Score: 1

      That's why you burn stuff to optical storage. At least, things you don't want to be disappeared by agents on your system without your permission.

      Where it came from. Back into Linux Mint and ran it without a problem using Wine. Chalked it up to lesson learned.

    7. Re:Ask Permission by Trax3001BBS · · Score: 1

      I hear ya. Company switched from Sophos to Cylance this year. A program one of the units has used for years suddenly won't work after install. I find out the folder is empty except for a few readme files. I monitor the folder as I'm installing and watch as the files appear and disappear. Cyber security claims Cylance isn't doing it but nothing else has changed. Six months and I still can't install the program and they refuse to help me troubleshoot.

      This can also be a driver feature of Windows 10. Try this: Run: bcdedit /set TESTSIGNING ON > reboot > install program > see if it works

      Test mode will be shown bottom right.

      Disable Testmode
      Run: bcdedit /set TESTSIGNING OFF > reboot > and the program will be gone, but you will know for sure.

      https://docs.microsoft.com/en-... says use - I use /

  6. Turnabout is fair play by Anonymous Coward · · Score: 0

    Considering how much Google injects into other processes.

  7. What!? No more Ask.Com tool bar?? by Anonymous Coward · · Score: 0

    What the heck am I going to do? Use the Yahoo toolbar? Jeez, they always release bad news on a Friday.

  8. Name and shame by jader3rd · · Score: 2

    I love it. I wish other software vendors would do a better job of informing users as to the root cause of issues they're seeing. More information is better. I don't care if something like "Please wait" or "oops, sorry" tested as being friendlier. I want information!

  9. Google reserves that for ... by CaptainDork · · Score: 3

    ... first-party injection.

    --
    It little behooves the best of us to comment on the rest of us.
  10. Software that does this is terrible by Anonymous Coward · · Score: 0

    Anything that needs to inject itself into an otherwise secure boundary between processes and sniff all of a user's sensitive data in order to "protect" them is not, in fact, protecting them.

    People rail on Google for harvesting all of a user's data, but they are in fact quite detailed and honest about exactly what they're collecting, and it is not as nightmarish as the tinfoilers want to believe.

    You know who DOES collect lots of unnecessary data under the guise of user protection? DING DING DING, the correct answer is: AV software that injects itself into Chrome!

  11. How do you block code injection? by WaffleMonster · · Score: 1

    I am not aware of any method whereby a process is guaranteed the ability to defend itself from any and all such attacks at least in Windows.

    Sure there are things you can do on the margins yet it's not like third parties doing the injecting are stupid and have not already invested significant resources into their work. I wonder how effective this will actually be in real life or if it will become just another pointless unwinnable evolution between adversaries.

    1. Re:How do you block code injection? by Anonymous Coward · · Score: 0

      I'm guessing that there are standard mechanisms that AV and similar utilities use to inject code into web browsers. Otherwise every minor change to a browser's internals would require a new version of the utility.

      There's probably some common way to hook the sockets or file system calls that makes it easy to intercept malware.

      dom

  12. Priceless by Anonymous Coward · · Score: 1

    That's fycking priceless coming from them.
    On Chrome stable, I've had to fix several of these issues over the years:
    Total Profile corruption
    Browser failing to start after update
    Updates crashing mid-update
    Versions of browser that had insane memory leaks. (Caused by any graphical update or timers)
    Versions where Google Play didn't work.
    versions where extensions wouldn't install
    UIs of windows behind bleeding through over the top of Chrome. (STILL happens on some current versions on some computers!)

    Chrome for Android, most recent update for it, has so god damn many bugs it isn't funny. There's a persistent issue with Offline mode being forced when browser recovers from close. Only fix is copy address, close, new tab, paste & enter.
    Speaking of URLs, impossible to edit them now, it forces the Search link on you rather than default direct load. Only fix I found was removing the protocol.
    File saves no longer allow renames. The UI doesn't even show unless you go to other tab and back again.
    I've deleted the shit thing permanently. It's insufferable having to find workarounds because retards can't do BASIC tests.

    None of these were external plugins or injections. All were forcibly disabled and these issues persisted.
    All across various OSes from WinXP to Win10, Android, and hardware configs.
    Go fuck your 15%, your trash college-tier developers cause more issues than anyone else.

  13. As "realistic" as DRM. Ridiculous incompetence. by Anonymous Coward · · Score: 0

    So they will add some commands, that will check if the list of commands has been modified, TO their list of commands, . --.--

    And they expect the user to, who, remember, is the one to instruct his CPU to execute their list of commands (Chrome), to fully honor that? Even when he also instructed his CPU to run another list of commands (e.g. anti-virus) he cares about, and instructed the master list of commands (OS) to not hinder that other list from telling it to alter any other lists to be executed on said CPU?

    Yeah. That will happen. --.--

  14. No worry here: Hosts operate outside browser by Anonymous Coward · · Score: 0

    See subject & NEW APK Hosts File Engine 10++ 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster via local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack (does more w/ less).

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self checking vs. infection of it built-in)

  15. ASLR perhaps? by Anonymous Coward · · Score: 0

    MAYBE ASLR would help but not sure vs. DLL injection - it does after all change load address to 'random' locations & to 'hook' a process you need to know its startpoint in memory.

    See subject & afaik it's how 'whitelists' are being beaten by the badguys out there (DLL injection or hiding under services in Windows) & ASLR has been defeated before too.

    * LoadLibrary functions for std. "oldschool" non-OLE .dlls have an export table & if your app starts calling the exported functions from a DLL, like they do OS apis? I don't know what to tell you - sorry. Maybe others do.

    (OLE DLL's though 'marshalled' by GUID (globally unique identifiers) wouldn't be much diff. except for HOW they are called (done to stop DLL Hell/Version of lib/dll mismatches if they are loaded from outside the .exe calling them's folder (say %WinDir%\system32 or another %PATH% folder, & iirc, whatever it sees 1st outside the program's own folder it uses w/ std. non-OLE dlls).

    In my hosts engine @ least, on DISK? It can't be attached to @ tail of the .exe to alter jump tables @ least (like oldschool TRUE viruses did) but in memory? ASLR = my best bet & what's below too.

    APK

    P.S.=> There's also a BOATLOAD of added calling rules that the registry iirc, has rules lists on & governs (perhaps looking up "DLL CALLING CONVENTIONS" that goes past local folder & %PATH% + OLE marshalling, iirc, they govern std. oldschool dll loading (vs. OLE type or ActiveX) some & will help you more (seems to 'ring a bell' here), but I don't recall the exact sections - but I don't think it can help either really - on a FINAL note? Man, lol - I haven't thought about this in a decade or more... apk

  16. Your arrogance is disgusting. by Anonymous Coward · · Score: 0

    Your arrogance is disgusting.