Google is adding an additional layer to Chrome’s defenses, which are designed to prevent potentially unwanted extensions from being installed. The latest enhancements build on the previous ones, which focused on silent installations.
Last December, Google introduced a feature in Chrome that prevented silent extension installation by default. This prevented extensions from being installed without user consent. Earlier this week, they added to that feature, enabling a warning for extensions that attempt to bypass the silent install restrictions. If an extension attempts circumvent extension policies, Google will flag it as malware and present the user with a visual cue.
“These measures will identify software that violates Chrome’s standard mechanisms for deploying extensions, flagging such binaries as malware. Within a week, you will start seeing Safe Browsing malicious download warnings when attempting to download malware identified by this criteria,” wrote Google Security Team member Moheeb Abu Rajab on the company’s security blog.
“This kind of malware commonly tries to get around silent installation blockers by misusing Chrome’s central management settings that are intended be used to configure instances of Chrome internally within an organization. In doing so, the installed extensions are enabled by default and cannot be uninstalled or disabled by the user from within Chrome.”
Enhancements such as this are not the only way Google is looking to improve Chrome, as they rely on internal testing and a community of security researchers to look for vulnerabilities. On Monday, Google announced that they’ve patched four flaws in Chrome, three of them ranking high on the risk scale.
What’s interesting about that is the payout. Ralf-Philipp Weinmann, the researcher who discovered three of the four flaws that were patched, walked away with a payment equal to most people’s annual salary.
“We’re pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe,” Google wrote.