With an apparent rise in malicious extensions, Google has announced five changes that aim to secure their product. These should be incorporated into their next release in the latter half of this month, Chrome 70.
1. Expanded controls for determining Chrome extension permissions
According to an article by Chrome developers, “users have the ability to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.”
2. Code obfuscation banned
Google argues this was the main way in which malicious Chrome extensions made it onto the Chrome Web Store.
3. Two-factor authentication required for developers
Phishing attacks over the last year have targeted browser extensions as a means of mass infection. This new requirement should reduce the chance of hackers getting direct access to the code of extensions.
4. New review process
Google is watching! By implementing a deeper review process and monitoring extensions that use remotely hosted code, Google hopes to quickly spot if malicious changes are taking place.
5. Updated manifest for stronger security
In 2019, Manifest version 3 will be released. The goal is to create “stronger security, privacy and performance guarantees.”
Google has taken notice of the attacks aimed at manipulating their extension functions. When Chrome 70 releases, be prepared to update it across all your systems.
Additionally, Adobe has released its regularly scheduled October security updates. More than half of the 85 vulnerabilities are critical flaws, and the rest are rated as important. This is the latest update since Adobe’s critical out-of-band update from September.
The critical vulnerabilities allow arbitrary code execution. That includes 22 out-of-bounds write flaws, seven critical heap overflow glitches, seven use-after-free bugs, three type confusion bugs, three buffer error bugs, three untrusted pointer dereference flaws and a double free vulnerability.
Foxit, a competing PDF software product, has also had a spike in discovered vulnerabilities. This is both good and bad news. The bad news is that malicious actors are getting more aggressive by the day. The good news is that companies are taking their software flaws seriously and proactively looking for issues.
All of these vulnerabilities highlight one key lesson: keeping your systems up to date is the vital step for secure environments.
Syxsense facilitates easy update deployments. A rapid patch scan can identify which devices need which updates. Then, from the Patch Manager, it’s simple to target a specific update and deploy it to any devices that require it.
Whether it’s deploying one update or hundreds, Syxsense will handle the task with ease.