Dec 06, 2011

How do you protect against threats caused by vulnerable browser extensions?

An article on ZDNet today noted that when security researchers analyzed 100 Chrome extensions, they found 27 of them have at least one vulnerability in their cores. http://www.zdnet.com/blog/security/27-of-100-tested-chrome-extensions-contain-51-vulnerabilities/9537?tag=content;search-results-river 


How can one make an intelligent effort to minimize security risks associated with extensions, short of forbidding all of them? Is there a way to evaluate extensions, or are we basically stuck with an uninformed, yes/no decisions whether to download?


I think that most of the vulnerabilities allow attackers to use malicious JavaScript.  There needs to be improvement to Content Security Policies used by developers, and that is not something that you can enforce on the end-user side of it.  On the upside, I don't think that there are efforts being made by the extension developers to patch those extensions with the identified vulnerabilities, so hopefully the threats are being minimized quickly.  At the same time, I would be very cautious about installing extensions that were unnecessary or that came from unfamiliar developers.  There are always going to be some risks out there, careful selection of extensions can at least minimize the level of risk taken.    

Right now I think it's dicey to install them if you aren't sure about security risks. I think you have to ask yourself whether or not you REALLY need to use browser extensions in the first place. I think many people just install them because they are "cool" or "fun" but then don't give them a second though.

Until some sort of security system is in place, I'd try to cut down to as few extensions as possible. The fewer you use, the fewer the chances that you'll inadvertently install one that becomes a huge security headache.
Answer this