
New Google Chrome version notifies of unpatched plug-ins

April 1, 2011

Google has tweaked its Chrome web browser to automatically alert users if their machines are open to one of the most common malware entry points.

Version 10, released in March, warns users when a page they visit needs a plug-in to display content and the installed copy of that plug-in is out of date. Chrome will not run an out-of-date plug-in automatically; it has to be updated before it runs without the user's explicit say-so.

Plug-ins such as Flash Player, QuickTime and Adobe Reader are used to enhance the web experience, but they are also commonly turned into exploit vehicles.

"As browsers get better at auto-updating, out-of-date plug-ins are becoming the weakest link against malware attacks," Panayiotis Mavrommatis and Noé Lutz of the Google Security Team wrote in a Thursday blog post. "Thousands of websites are compromised every week, turning those sites into malware distribution vectors by actively exploiting out-of-date plug-ins that run in the browser. Simply visiting one of these sites is usually enough to get your computer infected."

A personal blog maintained by Mavrommatis reported that users, on average, run 21 plug-ins, but there are hundreds from which to choose.
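With that many plug-ins per machine, the useful part of Chrome's new behaviour is the version check itself. The following is an added example, not Chrome's code, of how a browser-side "is this plug-in out of date?" decision can be made: versions are compared numerically, component by component, and anything below a policy minimum is blocked. The minimum-version table is hypothetical, and the installed plug-in list is constructed to look like the name/version pairs one would extract from navigator.plugins (how the version is obtained differs by browser and is not shown).

```javascript
// Added example of an out-of-date plug-in check. Not Chrome's code.
// The policy table is hypothetical; the installed list is constructed.

// Parse a dotted version string into numeric components:
// "10.2.153.1" -> [10, 2, 153, 1]. Parsing stops at the first component
// that does not start with digits, so "7.6.9 (1680)" -> [7, 6, 9].
function parseVersion(v) {
  const parts = [];
  for (const piece of String(v).trim().split(".")) {
    const m = /^(\d+)/.exec(piece);
    if (!m) break;
    parts.push(parseInt(m[1], 10));
  }
  return parts;
}

// Compare two versions numerically. Missing trailing components count as 0,
// so "10.2" equals "10.2.0". Returns -1, 0 or 1. A plain string comparison
// would wrongly rank "10.2.9" above "10.2.10", which is exactly the mistake
// that lets a stale plug-in pass as current.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Hypothetical policy: the minimum version of each plug-in that counts as
// patched. A real browser would pull these numbers from a maintained feed.
const MIN_SAFE_VERSION = {
  "Shockwave Flash": "10.2.153.1",
  "QuickTime Plug-in": "7.6.9",
  "Adobe Acrobat": "10.0.1",
};

// For each installed plug-in decide whether a page that needs it may run it
// automatically ("allow"), must block it pending an update ("block"), or
// whether no policy covers it ("unknown"), which the caller should treat
// as "ask the user" rather than silently allow.
function classifyPlugins(installed, policy = MIN_SAFE_VERSION) {
  return installed.map((p) => {
    const min = policy[p.name];
    if (min === undefined) {
      return { name: p.name, version: p.version, action: "unknown" };
    }
    const outdated = compareVersions(p.version, min) < 0;
    return { name: p.name, version: p.version, action: outdated ? "block" : "allow" };
  });
}

// Constructed sample installed-plug-in list (name/version pairs only).
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", version: "10.2.152.26" },      // below minimum  -> block
  { name: "Shockwave Flash", version: "10.2.153.1" },       // exactly minimum -> allow
  { name: "QuickTime Plug-in", version: "7.6.10" },         // 10 > 9 numerically -> allow
  { name: "Adobe Acrobat", version: "9.4.2" },              // major version behind -> block
  { name: "Java Deployment Toolkit", version: "6.0.240" },  // no policy entry -> unknown
];

// Stand-alone run: print the decision for each sample plug-in.
for (const r of classifyPlugins(SAMPLE_PLUGINS)) {
  console.log(`${r.action.padEnd(7)} ${r.name} ${r.version}`);
}
```

The "unknown" outcome is deliberate: a policy that only knows a handful of plug-ins must not treat every other plug-in as safe, because the hundreds it has never heard of are exactly the ones no feed is tracking.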

Plug-ins for open-source content management systems such as Drupal, Joomla, TYPO3 and WordPress appear to be particularly problematic of late, according to the IBM X-Force 2010 Trend and Risk Report, released this week.

The report found six times more flaws reported in plug-ins for these systems than in the core platforms themselves.

"It is important for organizations that are running these platforms to be aware that the plug-ins typically have different developers who may not be as prompt at providing patches for security issues as the maintainers of the core platform itself," the report said.
