Google on Friday announced that it is changing its stance for silently installing extensions in its browser. As of Chrome 25, external extension deployment options on Windows will be disabled by default and all extensions previously installed using them will be automatically disabled.
Here’s what will happen in Chrome 25 and above if an extension tries to silently install itself in your browser:
Notice that you will still have the option to “Enable extension” as well as, if you’re not sure how it got there, “Remove from Chrome.”
Here’s what will happen when you launch Chrome 25 for the first time and you already had previously-silently-installed extensions:
Chrome 25 will give you a list of the extensions it is disabling. If you want to keep some of them, you can click on “Extension Settings.” Otherwise, you can click on “OK, Great.”
For those wondering how silent extension installation works, it’s pretty straightforward. A distributor can use the Windows registry to install extensions en masse; a feature that was originally intended for letting developers to include a Chrome extension as a part of the installation of their software.
Once Chrome 25 is released next year, this will no longer be possible without the user’s knowledge. Google emphasizes Windows application developers should ask users to install Chrome extensions from within the browser; the best way of doing so is to use inline installation.
Google says it is making the move to help its users: although many install extensions strictly from the Chrome Web Store, some have extensions that were silently installed without their knowledge. Silent extension installation in Chrome has been “widely abused by third parties” according to the company (I personally saw this happen when installing a recent update to uTorrent), leaving it no choice but to disable the feature by default.
While malicious extensions can be a serious security risk, as we’ve noted many times in the past (most recently this week), Google wasn’t as direct about the consequences. In fact, the company didn’t mention the word “security” at all in its announcement; it merely stated “extensions can sometimes influence Chrome’s functionality and performance.”
Image credit: WR-Fife