The Google Chrome web browser – just like Firefox and other browsers – automatically integrates plugins that it finds on the system. While this is convenient in a way, as websites can use these plugins to display contents without the user having to enable them first, it can also be a security risk, especially if plugins are not up to date.
Chrome users should take a look at the plugin listing of the browser to make sure only plugins that are needed are activated in it.
The first thing you may want to do is load chrome://plugins in the browser to see the list of plugins that have been found by Chrome. Plugins with a white background are enabled, while plugins with a gray background are disabled.
The easiest way to enable or disable plugins is to click on the links in the plugin manager to do so. For some plugins, you may notice that Chrome has detected more than one plugin version, and it may happen that both are activated.
To manage those plugins, you need to first click on the details link in the upper right corner of the screen.
Here you see detailed information about the plugin versions, their paths and whether they are enabled or disabled in the browser. For Adobe Flash for instance, you may notice that the browser has picked up the internal Flash plugin, and a Flash plugin that got installed for browsers like Opera or Firefox. It does not really make sense to have both enabled in the browser unless you are testing a new version, a beta for instance. It is therefore always recommended to make sure that only one version of a plugin is enabled at the same time in Chrome or any other browser for that matter.
When it comes to versions, you usually want to make sure that the latest plugin version is enabled and not an earlier version.
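The check described above can be automated once the details view has been copied into a list. The following is an added example, not code from the original article or from Chrome: the inventory format, the plugin paths and versions, and the function names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data shaped like the details view of chrome://plugins
# (name, version, file path, enabled state). Paths and versions are made up.
SAMPLE_INVENTORY = [
    {"name": "Adobe Flash", "version": "11.10.0.1",
     "path": r"C:\Example\Chrome\flash_bundled.dll", "enabled": True},
    {"name": "Adobe Flash", "version": "11.9.900.2",
     "path": r"C:\Example\System\flash_system.dll", "enabled": True},
    {"name": "Microsoft Office", "version": "14.0.1.2",
     "path": r"C:\Example\Office\office_plugin.dll", "enabled": False},
    {"name": "Java", "version": "10.7.2.11",
     "path": r"C:\Example\Java\java_plugin.dll", "enabled": True},
]


def version_key(version):
    """Turn '11.10.0.1' into (11, 10, 0, 1) so that 11.10 sorts above 11.9.
    A plain string comparison would get this wrong."""
    parts = []
    for piece in version.replace(",", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:  # '11.2' and '11.2.0' compare equal
        parts.pop()
    return tuple(parts)


def find_duplicate_enabled(inventory):
    """Return {name: {'keep': path, 'disable': [paths]}} for every plugin
    that has more than one enabled version; the newest version is kept."""
    enabled = defaultdict(list)
    for entry in inventory:
        if entry["enabled"]:
            enabled[entry["name"]].append(entry)
    findings = {}
    for name, entries in enabled.items():
        if len(entries) < 2:
            continue
        ranked = sorted(entries, key=lambda e: version_key(e["version"]),
                        reverse=True)
        findings[name] = {"keep": ranked[0]["path"],
                          "disable": [e["path"] for e in ranked[1:]]}
    return findings


if __name__ == "__main__":
    for name, result in find_duplicate_enabled(SAMPLE_INVENTORY).items():
        print(f"{name}: keep {result['keep']}, disable {result['disable']}")
```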
When it comes to removing or deleting plugins in Chrome, you have two major options:
- Uninstall the software that has made the plugin available on the computer system
- Remove the plugin manually from the system
The first option is rather obvious and does not really need explaining to get it done right. The second however needs some explanation. As you can see on the screenshot above, Chrome lists the location where the plugin is installed on the system. To remove plugins from the system, you would open the path in Windows Explorer or another file manager and delete the plugin file there. It is suggested to create a backup first, or, instead of deleting the file, to move it out of the folder into a folder that does not get picked up by Chrome automatically.
So, if you do not need the Microsoft Office plugin in Chrome, you would first look at the location information of the Microsoft Office plugin.
All it takes then is to open the folder in Windows Explorer and either delete the file listed outright, or move it into another location on your hard drive for backup and restoration purposes.
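The move-instead-of-delete approach can be scripted so that every removed plugin file can be put back later. This is an added example, not part of the original article: the quarantine folder, the manifest file name and the function names are assumptions, and the folder passed as quarantine_dir must be one that the browser does not scan for plugins.

```python
import hashlib
import json
import shutil
import time
from pathlib import Path


def quarantine_plugin(plugin_file, quarantine_dir):
    """Move plugin_file into quarantine_dir and record where it came from."""
    src = Path(plugin_file).resolve()
    if not src.is_file():
        raise FileNotFoundError(f"not a file: {src}")
    qdir = Path(quarantine_dir).resolve()
    qdir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(src.read_bytes()).hexdigest()
    # Prefix with the hash so plugins that share a file name cannot collide.
    dest = qdir / f"{digest[:12]}_{src.name}"
    if dest.exists():
        raise FileExistsError(f"already quarantined: {dest}")
    shutil.move(str(src), str(dest))
    record = {"original": str(src), "stored": str(dest), "sha256": digest,
              "moved_at": time.strftime("%Y-%m-%dT%H:%M:%S")}
    # Append to a manifest so the original location is never lost.
    manifest = qdir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append(record)
    manifest.write_text(json.dumps(entries, indent=2))
    return record


def restore_plugin(record):
    """Put a quarantined plugin back, refusing if the stored copy changed."""
    stored = Path(record["stored"])
    if hashlib.sha256(stored.read_bytes()).hexdigest() != record["sha256"]:
        raise ValueError("stored file does not match the recorded hash")
    original = Path(record["original"])
    if original.exists():
        raise FileExistsError(f"{original} already exists")
    original.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(stored), str(original))
    return original
```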
Click to play
There is another option that Chrome users have when it comes to dealing with plugins in the browser. I have reviewed Chrome’s Click to play feature before and suggest you check out the guide for an in-depth review of it. Only this much: with click to play, plugins that are activated in Chrome do not get loaded when you load a website in the browser. You instead see a placeholder in the area on the page that you can click on to load the plugin. This can speed up web browsing as it takes less time to connect to web pages that embed contents that require plugins. (inspiration taken from Techdows)
Web browser plugins are a main attack vector on today’s Internet. Especially outdated plugins increase the risk of becoming a victim of a successful attack. If you follow the news here on Ghacks.net or on other similar sites you may have noticed an increase in plugin vulnerabilities over the last years with Adobe leading the leaderboard with its widely used Adobe Flash plugin.
Browser developers have recognized the danger, and have started to offer solutions. Mozilla was one of the first with their Mozilla Plugin Check, which checks the installed browser plugins after each Firefox update. The plugin check website can be accessed manually as well to check plugins not only in Firefox but all web browsers at any time. The implementation has its flaws though, as it will not warn users the moment their plugins become outdated, but only if they access the site manually or after updates.
A new Chrome Labs tool has become available in today’s Google Chrome Dev release that proposes a better solution. Disable outdated plug-ins will automatically disable plugins with known security vulnerabilities and offer update links for them.
This seems to suggest that plugins will only be disabled if an update is available, and not if a security vulnerability has been discovered and a patch is in the making.
Still, this ensures that plugins will be disabled in the Chrome web browser as soon as the plugin developer releases a new version of the plugin. Google is not offering a list of supported plugins, and it is not clear yet how many plugins are supported by the feature. It is however very likely that the most common plugins are supported.
Chrome’s implementation decreases the time it takes to notify the user about outdated plugins. While it is still not a 0-second defense, it offers reasonable protection and gets rid of outdated plugins on user systems.
An option to disable plugins based on security notifications would be the logical next step. This would block plugin vulnerabilities completely, provided that the security notifications are processed in a timely manner.
Integrating the Flash plugin and a PDF reader in Google Chrome has been a controversial move. Some users liked the idea as it allowed them to access contents without having to install the necessary plugins first. Others feared the worst: that Google would lag behind in updating the plugins whenever a security update was issued by Adobe.
But the fear is only one side of the coin. Users who are careless about the installed plugins are benefiting immensely from the internal plugins. They personally do not have to follow the latest security announcements to update their plugins the second a new update is issued; Google does that for them.
Chrome users who prefer not to use the internal plugins can disable them easily.
The Chrome developers have added another powerful weapon to the web browser: plugin controls that can be used to allow plugins only on whitelisted domains, trusted domains that the user added to the browser.
The plugins will simply not work on other websites if configured correctly. That’s beneficial to users who need Flash or another plugin on a handful of sites only.
Google does not stop here. Several interesting additions to Chrome’s plugin handling have been announced on the official Chromium Blog.
Google Chrome will protect the users from outdated plugins. It will simply refuse to run them and aid the user in updating the plugins so that they can be used again in the web browser. It is not clear how the plugin database will be maintained. It is however unlikely that all plugins available worldwide are listed in it; it is likely that the most popular plugins are maintained in the database.
Protection from out-of-date plug-ins: Medium-term, Google Chrome will start refusing to run certain out-of-date plug-ins (and help the user update).
A second interesting feature is the ability to warn users of plugins that have been infrequently used in the past. Some plugins are installed by software or the user and never used in the web browser. Chrome will warn the user about those plugins so that they can be deactivated in the plugin manager.
Warning before running infrequently used plug-ins: Some plug-ins are widely installed but typically not required for today’s Internet experience. For most users, any attempt to instantiate such a plug-in is suspicious and Google Chrome will warn on this condition.
Those two additions can be very helpful and it is likely that other browser developers will offer those features in their browser eventually as well. Mozilla has already started to inform users about outdated plugins during updates.