Google blocks local Chrome extensions

Summary: Google has moved to block local Chrome extensions in a bid to protect Windows users against silent malware extension installations.

TOPICS: Cloud, Google

Google today began blocking local Chrome extensions with the aim of protecting Windows users against the secret installation of unwanted extensions by malware.

Google had previously announced it would be making changes in order to make it more difficult for malware to install unwanted Chrome extensions without the user’s knowledge.

While many services bundle useful companion extensions which can be installed following a prompt, said Google, some agents have designed extensions to bypass the prompt in order to silently install malicious extensions that override browser settings.

"From now on, to protect Windows users from this kind of attack, extensions can be installed only if they're hosted on the Chrome Web Store," said Google in a blog post. "With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store."

Google said it would continue to support local extension installs during development as well as installs via Enterprise policy. The company also said that Windows developer channel users, along with users on other operating systems, will be unaffected by the changes.

In December Google announced it had updated its Chrome Web Store policy, banning multi-purpose Chrome extensions. The company stipulated that extensions in the Chrome Web Store must have a single purpose that “is narrow and easy to understand”.

Google also revealed this week that the Chrome Web Store would no longer show Netscape Plugin API (NPAPI)-based apps and extensions on its home page, search results, and category pages.

The company first said late last year that it would begin to phase out all plugins, apps, and extensions that make use of NPAPI in order to improve Chrome’s security, speed, and stability, while also reducing the complexity of the code base.

Google said it was still in the process of helping still-popular NPAPI plugins such as Silverlight, Google Earth, Google Talk, and Java migrate to open-web-based alternatives.

"Most use cases that previously required NPAPI are now supported by JavaScript-based open web technologies. For the few applications that need low-level APIs, threads, and machine-optimized code, Native Client offers the ability to run sandboxed native code in Chrome," said Google in a blog post.



Leon covers enterprise technology and start-ups from ZDNet's Sydney newsroom.



  • potentially bad idea

    I do not use Chrome, so it does not affect me personally, but I can see businesses that do potentially in an uproar over this. Especially if any are using in-house home-grown extensions on their stuff, it would lock them out. And I cannot see them wanting any such internal extension on the web store.

    Oh well...
    • Enterprise exception...

      According to the above referenced blog post, Chrome will still allow local installations for developers and as enabled by enterprise policy (Chrome actually has its own set of Group Policy extensions) so any businesses relying on in-house developed extensions should be fine to continue using and installing them.
    • Most businesses manage without malware

      ... and I'm sure they'll continue to do so.

      Your fear is purely theoretical, with no real world consequences.
  • Seems to be a trend

    I think eventually this will become the norm for Windows and browsers running extensions. Of course Google is becoming the ruler of all things Google as it becomes the next Apple. Making all your decisions for the end user. I myself don't use Chrome any more, since Google has dedicated itself to mucking up and changing Chrome on a whim. It's become a cat and mouse fight with users and Google. First Google takes away or changes a feature. Then users complain and then Google reintroduces the feature back in. I prefer a more incremental approach to adding and deleting features. Like with IE, Safari which opt for a gradual mature revolution of the browser. I don't use many extensions, but the ones I do use are those officially distributed by the browser support site. I can see how this might affect a few good third party extensions from outside channels. But if it helps stop malware then I'm all for it.
  • Disappointing

    I'm disappointed by this direction. Yet another way to hurt the little guy in the name of security.
  • is Chrome a virus?

    It does not install like a standard Windows program
    It overrides network security, allowing virtually any user to install
    It is easily taken over by malware, home page stealers and the rest
    Most of its settings are hidden

    • What are you talking about?

      How could "network security" prevent a user from installing any software? Do you mean Chrome allows an unprivileged user to install it?
  • Not good...

    I guess that means we can forget about software Google doesn't want to host then. That's ridiculous, I can decide what's safe for me and what's not, thank you very much. Seems that Google is tending to be more and more like Apple, which is not a good thing. I'm not stupid, I know where I get my software from, and I don't need to be restricted to what Google thinks is acceptable. And yes, I have downloaded add-ons in the past from somewhere else because Google didn't seem to want to host it. Remember when Google was all about giving users choice? I remember...
  • Chrome extensions

    They just disabled all extensions not in the Chrome store. The announcement was after the fact. Once I get off Gmail, goodbye Chrome!
    Their suggested solutions include reverting to unstable, insecure versions of Chrome or using jscript to do a workaround for other companies' Chrome extensions.