Google Chrome disables outdated plugins now - gHacks Tech News

Google Chrome disables outdated plugins now

Web browser plugins are a main attack vector on today's Internet. Especially outdated plugins increase the risk of becoming a victim of a successful attack. If you follow the news here on Ghacks.net or on other similar sites you may have noticed an increase in plugin vulnerabilities over the last couple of years with Adobe and Oracel leading the statistics with the widely used plugins Adobe Flash and Java.

Browser developers have recognized the danger and have started to offer solutions. Mozilla was one of the first when it introduced Mozilla Plugin Check which checks the installed browser plugins after each Firefox update. The plugin check website can be accessed manually as well to check plugins not only in Firefox but all web browsers at any time.

The implementation has its flaws though, as it will not warn users the moment their plugins become outdated, but only if they access the site manually or after updates.

A new Chrome Labs tool has become available in today's Google Chrome Dev release that proposes a better solution.

Disable outdated plug-ins will automatically disable plugins with known security vulnerabilities and offer update links for them.

This seems to suggest that plugins will only be disabled if an update is available, and not if a security vulnerability has been discovered and a patch is in the making.

Still, this ensures that plugins will be disabled in the Chrome web browser as soon as the plugin developer releases a new version of the plugin. Google is not offering a list of supported plugins, and it is not clear yet how many plugins are supported by the feature. It is however very likely that the most common plugins are supported.

Chrome's implementation decreases the time it takes to notify the user about outdated plugins. While it is still not a 0-second defense, it offers reasonable protection and gets rid of outdated plugins on user systems.

An option to disable plugins based on security notifications would be the logical next step. This would block plugin vulnerabilities completely, providing that the security notifications are processed in a timely manner.

Update: Google is fading out plug-in support in Google Chrome. Plugins using Netscape's old NPAPI architecture won't be supported by the browser anymore at the end of 2015.





  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Visitor said on October 8, 2010 at 12:14 am
      Reply

      The feature is not working in 7.0.544.0 dev. Tested with Shockwave plugin.

      1. Martin said on October 8, 2010 at 9:49 am
        Reply

        Visitor, have you activated it in about:labs? I think I have may have missed that vital part of information.

    2. Visitor said on October 8, 2010 at 4:35 pm
      Reply

      Sure, I’ve activated it and restarted Chrome manually before testing. I think Shockwave is not supported yet.

      1. Martin said on October 8, 2010 at 5:36 pm
        Reply

        As I mentioned, the effectiveness of the extension depends highly on the plugin list they maintain. It would be nice if they would make it publicly available, and maybe use some cloud magic for information about updated plugins that are not supported by them yet.

    3. Darren said on October 8, 2010 at 7:09 pm
      Reply

      Isn’t this too early for Chrome?
      I mean, most plugins are still latest, hardly a year old

    Leave a Reply