Google has laid out plans to strengthen the security of Chrome by automatically disabling outdated plug-ins and forcing the user to update them. Infrequently used ones will also be treated differently and will no longer run unless the user confirms the action.
Browser plug-ins, especially popular ones like Flash Player, Adobe Reader or Java, are one of the primary vectors of attack on the Web. Because they always execute in the context of the entire operating system, a security vulnerability allowing arbitrary code execution is a lot harder to mitigate at the browser level.
Up until recently, the plug-ins were more or less neglected by browser developers, because they are created and installed by other companies, who's obligation should be to maintain them. Unfortunately, the first ones to realize that plug-in authors are slow in fixing bugs that and even when they do, most installations are not updated, were the cybercriminals. The longer window of opportunity has made it a lot more profitable for an attacker to find and target remote arbitrary code execution vulnerabilities in plug-ins, than in the actual browsers.
Mozilla was amongst the first to realize that something must be done and launched a plug-in check Web page to keep users notified about updates. The vendor also plans to implement an automatic plug-in update system in future versions of Firefox.
As far as the plug-in issue is concerned Google appears to be following in Mozilla's footsteps with Chrome, a browser that is already well respected for its security model. The vendor has recently integrated a sandboxed PDF viewing solution directly into the browser and is already working on a fully sandboxed plug-in API.
However, according to a post
on the official Chromium blog, the series of measures aimed at lowering the plug-in risk factor will not end here. In the future, in addition to checking for plug-in updates, the developers plan to have the browser automatically disable outdated ones. The browser will also assist users with install their latest version, in order to restore their functionality.
Additionally, the browser will detect if certain plug-ins have not been used for a long time and will mark them as inactive. From that point on, any attempt to utilize them will be treated as suspicious and will require user approval.
You can follow the editor on Twitter @lconstantin