
Google makes good on threat, flips 'kill switch' on some Chrome add-ons

All extensions on Windows must be installed from the Chrome Web Store; those that were not will be permanently disabled

By Gregg Keizer, Computerworld
February 20, 2014 02:23 PM ET

Computerworld - Google today upgraded Chrome to version 33, fulfilling its promise to block more add-ons in the Windows browser and quashing 28 bugs.

The promotion of the new tools and features to Chrome's "Stable" channel, one of three that the Mountain View, Calif. company maintains, had been trumpeted previously, and baked into rougher builds.

Topping the change list was the posting of a "No trespassing" sign: Only extensions or add-ons that originate from the Chrome Web Store, Google's official distribution channel, can be installed. The new policy currently affects only users of the Windows version of Chrome 33.

Chrome 33 also automatically throws a "kill switch" on extensions that had been installed previously from sources other than the Chrome Web Store. Google called this a "hard-disable," or one that prevents the user from re-enabling the add-on. Some exceptions applied.

Google first promised that in November, when Erik Kay, director of Chrome engineering, cited "our continuing security efforts" for the change, and stated, "We believe this change will help those whose browser has been compromised by unwanted extensions."

Google has been tightening the screws on third-party add-ons since July 2012, when it first required that add-ons move to the Chrome Web Store. In subsequent steps, it blocked sneaky add-on installation.

Those stricter policies had driven some purveyors of adware to try an end-around by buying the rights to established add-ons already in the Chrome Web Store, then modifying them to bombard users with advertisements.

Starting with Chrome 33 on Windows, Google is closing the remaining loopholes: Extensions that had been installed locally or by businesses internally must be published to the Chrome Web Store. Businesses can hide their extensions on the store from the public at large -- or continue to use group policies to offer the add-ons to their workforce from their own servers -- and developers will still be able to initiate "in-line" installs from their website, assuming the add-on is also in the Chrome Web Store.

Only add-ons that were installed via such enterprise policies or by developers from their websites or software can avoid the automatic "hard disable" that Google mandated.

By forcing add-on developers to publish their work in the Store, Google moved another step closer to a closed market, the kind popularized by Apple's mobile app ecosystem, where it can more easily vet the extensions and then yank them if necessary.

On the Mac version of Chrome 32, add-ons that had been installed from sources other than the Chrome Web Store -- such as 1Password's extension, which was installed on one staffer's Mac by that password management software -- were not disabled but were instead marked with "Not from Chrome Web Store."

Chrome 33 also debuted notifications for Google Now, the company's digital Siri-like assistant, within the browser on Windows and Apple's OS X. Those notifications stem from the Android and iOS Google Now apps.

Along with the feature promotions, Google patched 28 vulnerabilities in the browser, including five rated "high," the company's second-most-serious threat ranking. Three of the vulnerabilities were classified as "use-after-free" issues, a type of memory bug that in-house and external researchers have become adept at rooting out, largely by using Google's own AddressSanitizer fuzzing tool.

Originally published on www.computerworld.com.
