Category Archives: Google

Chrome and Internet Explorer add security features

A new extension for Chrome called Password Alert helps users recognize when they’ve unknowingly entered their Google/Gmail password on a phishing web page. The extension does this without itself compromising security. If you use Chrome, this extension is highly recommended. You can find the extension in the Chrome web store. Bruce Schneier has more.

Meanwhile, Microsoft is adding a feature to Internet Explorer that will warn users when they visit a site with ads that contain malware. The feature is expected to start working on June 1.

Update 2015May01: And just like that, Google’s Password Alert extension is shown to be extremely easy to bypass. Google issues an update, which is also shown to be seriously flawed.

Google extends Chrome support for Windows XP

Recognizing that millions of people are still using Windows XP, Google has extended support for that O/S in their web browser. That means they will continue to develop fixes for security issues in Chrome running on Windows XP. Anyone still using Windows XP is strongly encouraged to stop using Internet Explorer, which is no longer supported by Microsoft, and use Google Chrome instead.

Malvertising shows no sign of slowing down

Thousands of users were exposed earlier this week to nasty malware hidden inside a phony ad that appeared on the Huffington Post web site. The Flash-based ad was delivered via Google’s DoubleClick advertising network. And this wasn’t even the largest malvertising exposure this week.

Google had better get to work on fixing this, or it will start eating into their primary revenue source.

45 security issues fixed in Chrome 42.0.2311.90

The latest version of Chrome includes fixes for forty-five security vulnerabilities. According to the announcement, version 42.0.2311.90 also has improvements in stability and performance.

Starting with this version of Chrome, the old NPAPI technology used for plugins (including Java and Silverlight) is disabled by default. If any of your Chrome plugins still use this technology, you’ll need to enable them when the browser warns you.

Google clamping down on malicious Chrome extensions

If you use Google’s web browser Chrome, and you’ve noticed that some extensions are causing problems, take heart. Google recently discovered that about 200 Chrome extensions are injecting ads in deceptive ways, often leading users to malware. These extensions have been killed by Google, and measures have been taken to prevent this type of abuse in the future. Note that Google doesn’t explicitly bar ad-injection extensions; however, such extensions are subject to certain limitations.

If you suspect that your installation of Chrome is running one or more of these rogue extensions, your best bet is to uninstall Chrome completely and reinstall it.

Update 2015Apr09: Google’s efforts to identify and remove problematic extensions are ongoing. More announcements of this type are expected. For example: the extension ‘Webpage Screenshot’ was found to be collecting user data inappropriately, and was also killed.

Chrome 41.0.2272.101 released

On March 19, Google announced version 41.0.2272.101 of its Chrome web browser. The announcement doesn’t describe any changes, and only says that a ‘partial list of changes is available in the log’. The log is derived from the Git version control system used by Google to manage Chrome’s source code. As such, it’s difficult to parse for significant changes. It appears that only minor changes were made in Chrome 41.0.2272.101.

Domain registration information leaked by Google

If you’ve registered domains using the Google Apps for Work service, there’s a good chance your registration (WHOIS) information is now available to unscrupulous persons.

Apparently a software defect in Google Apps started leaking the registration info (names, phone numbers, physical addresses, e-mail addresses, etc.) in mid-2013. The defect was recently discovered by a security researcher. Google acted quickly to stop the leaking, but for many, the damage has already been done.

If your information was leaked, you’ll likely start seeing an increase in spam to associated email addresses. The information may also be used in spear phishing attacks.

Note that while domain registration information is public, most domain registrars (including Google Apps) allow for this information to be hidden or only accessible indirectly. This likely encouraged many registrants to use accurate information, making the leak that much worse.