Slashdot Mirror
Google Will Block Third-Party Software From Injecting Code Into Chrome (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: Google has laid out a plan for blocking third-party applications from injecting code into the Chrome browser. The most impacted by this change are antivirus and other security products that often inject code into the user's local browser process to intercept and scan for malware, phishing pages, and other threats. Google says these changes will take place in three main phases over the next 14 months. Phase 1: In April 2018, Chrome 66 will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. Phase 2: In July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes. If this blocking prevents Chrome from starting, Chrome will restart and allow the injection, but also show a warning that guides the user to remove the software. Phase 3: In January 2019, Chrome 72 will remove this accommodation and always block code injection.
Perhaps I am misunderstanding the affect of not allowing any injected code into the browser. The article didn't say what google would do to prevent users from malicious sites, as currently antivirus software does. Does this mean we are back to square one?
I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
This could be reasonable, but only if there is an API to allow plugins to scan downloadable content. Forcing the use of an API rather than injecting code would be safer, allow Chrome to monitor software causing delays, and make the system more stable. Does anyone know if this is possible via official APIs?
...that they would block injecting javascript code from a gazillion of 3d party sites, just to display one fucking page of text.
Google's next new feature will be to require users to raise their hand and ask permission before typing a URL in the address bar. If you aren't clicking a link in a Google search result page you're just asking for trouble!
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Plugins are JavaScript with access to a restricted set of JavaScript APIs, and the plugin system is designed and tested by Google and provides compatibility between releases. It should be almost impossible for a plugin to crash the browser, if it manages then that's a browser bug. While plugins themselves are very restricted, they can use the Native Messaging API to talk to a separate native process that has full access to the system. The separate native process is not part of the browser, so any bugs in it can't crash the browser.
Injection involves injecting native code into the browser in a way that Google don't expect, using APIs that may change between releases (they may even change in a security update). Any bugs will crash the browser.
I love it. I wish other software vendors would do a better job and informing users as to the root cause of issues they're seeing. More information is better. I don't care if something like "Please wait" or "oops, sorry" tested as being friendlier. I want information!
... first-party injection.
It little behooves the best of us to comment on the rest of us.
I am not aware of any method whereby a process is guaranteed the ability to defend itself from any and all such attacks at least in Windows.
Sure there are things you can do on the margins yet it's not like third parties doing the injecting are stupid and have not already invested significant resources into their work. I wonder how effective this will actually be in real life or if it will become just another pointless unwinnable evolution between adversaries.
What's the difference between "plugging in" and "injecting"? Spin!
Hardly, and I'm a little disappointed that there's a need to explain the difference to an adult.
You plug things into receptacles designed to accept those things, whereas you inject things so as to bypass barriers that those things are not otherwise able or intended to cross. I'm not "injecting" a power plug when I plug it into the wall. The wall outlet is designed to take the plug. I'm not "plugging in" a syringe when I receive a tetanus booster shot in my arm. It's being injected into me in order to bypass my skin, which would otherwise keep it out.
Chrome provides frameworks by which developers can "plug in" third-party code (e.g. userscripts, extensions, apps, etc.), and many of us here have experience in developing those. But those frameworks are intentionally limited so that they can only accept code that's designed to work within their APIs. In contrast, the code being injected by these third parties has no such constraints, since they've injected it in a way that bypasses Chrome's frameworks.
That's fycking priceless coming from them.
On Chrome stable, I've had to fix several of these issues over the years:
Total Profile corruption
Browser failing to start after update
Updates crashing mid-update
Versions of browser that had insane memory leaks. (Caused by any graphical update or timers)
Versions where Google Play didn't work.
versions where extensions wouldn't install
UIs of windows behind bleeding through over the top of Chrome. (STILL happens on some current versions on some computers!)
Chrome for Android, most recent update for it, has so god damn many bugs it isn't funny. There's a persistent issue with Offline mode being forced when browser recovers from close. Only fix is copy address, close, new tab, paste & enter.
Speaking of URLs, impossible to edit them now, it forces the Search link on you rather thsn default direct load. Only fix I found was removing the protocol.
File saves no longer allow renames. The UI doesn't even show unless you go to other tab and back again.
I've deleted the shit thing permanently. It's insufferable having to find workarounds because retards can't do BASIC tests.
None of these were external plugins or injections. All were forcibly disabled and these issues persisted.
All across various OSes from WinXP to Win10, Android, and hardware configs.
Go fuck your 15%, your trash college-tier developers cause more issues than anyone else.
And yet, the injection is highly beneficial to you and "blocking" it is generally considered dangerous and even evil in some quarters.
Even when does not provide official means for an addition, the addition can still be useful — indeed, life-saving. And the other way around — adding poison will kill you even if you use the "official" orifice designed for it (your mouth).
Thus, the distinction you outlined is without difference and we are back to spin. And the intent of the creators of the additions, however their creations are added.
In Soviet Washington the swamp drains you.
Thus, the distinction you outlined is without difference and we are back to spin.
Not so. Re-read what you originally asked for. You questioned "[t]he technically-important differences" between the two, so I made a technical distinction between them: "plugs work this way, injections work that way". That's not spin. That's factual. It's plain for anyone to see that there's a clear difference between them, which is precisely what you asked for. You made no effort to ascribe or discuss any sort of moral judgment.
And yet, the injection is highly beneficial to you and "blocking" it is generally considered dangerous [...] the addition can still be useful — indeed, life-saving. And the other way around — adding poison will kill you even if you use the "official" orifice designed for it (your mouth).
The fact that neither is inherently good nor inherently evil has no bearing on the technical distinctions I outlined between the two, which is what you asked for and what I provided (i.e. you're moving the goalposts by bringing up an unrelated topic to "refute" what I said).
Had you instead simply clarified that you intended to discuss the moral distinction between the two from the start, you would have quickly found me in agreement with you that neither method is inherently good nor evil. We make those determinations on a case-by-case basis, and I'd agree with you that in this particular case it's a bit murky. There are arguments to be made for both sides as to whether injections are good or bad. I lean towards them being bad, but I can see how someone else would come down on the other side.
Think of all this new protection in terms of not seeing third party ads.
Only quality approved ads will be allowed in and not be so easy to block.
Approved ads get to stay, others ads are blocked by advanced new security.
Its what an advertizing company can do to protect their advertising.
Domestic spying is now "Benign Information Gathering"