Malicious code can wind up on your PC or phone by any number of roads. Companies do their best to guard the digital passes, but invariably, things get missed and the hackers find a way in. It's a constant battle, and sadly, one that the good guys are losing.
Recently Google has stepped up its efforts, this time by focusing on Chrome browser extensions installed by third parties. By the end of the year, no extensions will be allowed on Chrome except for those acquired via the Web Store.
James Wagner, Google's Product Manager for the Extensions Platform, had this to say on the topic:
"We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly - and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites."
It's a thorny problem, but industry experts broadly agree that Google is taking the right approach here. Beginning in September, Google plans to disable the "inline installation" feature for all existing extensions. The user will instead be redirected to the Chrome Web Store where they'll have the option to install the extension straight from the source.
Then, in December 2018, the company will remove the inline install API from Chrome 71, which should solve the problem decisively.
Of course, hackers being hackers will no doubt find a way around that, but kudos to Google for taking decisive action here. While browser extensions aren't a major attack vector, it's troublesome enough that Google's attention is most welcome.
It should be noted that one of the indirect benefits of Google's plan is that it further bolsters the importance of user ratings of extensions. They're highly visible on the Web Store, so anyone who's considering installing something has a good, "at-a-glance" way of telling whether the extension is good or a scam. That's information they wouldn't get had the extension been installed inline.
Again, kudos to Google!