[Google Chrome] 99% interesting extension

Discussion in 'other software & services' started by m00nbl00d, Dec 11, 2012.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
Have you ever seen a drive-by download in Chromium? I've never heard of it.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    The malicious content is simply not going to be adobe.com, royalbank.com, samsung.com, etc... As for managing executable whitelists/blacklists that's probably better done within the O/S.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think most driveby attacks work by linking directly to a .exe. Or any for that matter. Executable files are already blocked from being downloaded by default in Chromium/Chrome, aren't they? I can't see this extension being too useful.
     
  4. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Precisely. Which is why NoScript and other content blockers are such a pain to deal with. Allow scripts globally? Without extra backup, you're nuts. Don't allow any scripts at all? Congratulations, you just killed the web. Enable only what's "necessary"? Fine, now which of the 5, 10, however many non-obvious scripts would you like to pick through and enable to allow everything required to perfectly run the site without getting owned and/or letting some company you've never heard of track you across the web?

    More on-topic, I'll take a look at this extension in a bit.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I actually think allowing scripts globally is fine. That's how I'd do it if I were a NoScript user, with some plugin blocking 'even on whitelisted sites'.

    The issue I have with NoScript is that on many sites there are a dozen scripts loading from a dozen different pages, quite a few of which may be necessary, and a few which aren't. I have no way of knowing.

    One really nice aspect of ScriptNo was the WOT results built in.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    First, what do you mean by linking directly to an .exe? Do you mean a direct link in some hijacked page to an .exe? I agree. But, it will eventually download the .exe/other, and it will be blocked by the extension.

    Second, I haven't seen Chromium preventing any downloads in a very very long time. Not really sure why, and I believe if it were a bug, it would have been spotted and fixed by now? I mean, I'm talking months. Maybe it now only alerts for files known to be malicious? o_O

    Third, the extension allows the user to block any file type. It happens it comes only with .exe and .msi.

By the way, have you found a Chromium group policy that prevents users from disabling extensions? Or did you confuse it with something else? I simply can't see any over there. :doubt:
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
The problem is, sometimes the user needs to allow scripts from third-party domains, otherwise the website won't function properly. This was one of the reasons that made me leave Firefox + RequestPolicy. It was quite boring to allow something which wasn't really needed, and then some more trial and error, until I finally got results. But eventually some other website would make me go over it again. I quit.

I agree that whitelisting/blacklisting is better done with AppLocker (in my case), but an anti-executable isn't something that most would like to handle, and if for some reason some application installs to user space, then they'd have to whitelist it. I just don't see it happening.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
This makes it sound like it's just blocking websites that end in .exe.

So, not sure about that.

    No, it alerts to unknown files. But I'm not sure of the specifics. Maybe only unsigned files or unpopular files.

    http://www.chromium.org/administrators/policy-list-3
    http://www.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist

    And you can protect the .json file from being written to by the user.

    There are more extension policies than listed there, but I can't remember where they are.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada

    You need a few weeks of patience to deal with it, yes, but then it gets easier and easier where you only need to deal with the occasional decision. In most cases the attack starts with a malicious script, so if you stop the script you stop the payload. As for uncertainty and knowing, WOT from the middle-click option is available to aid in the decision making process.
     
  10. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    For me, and my intended use of this extension, the thread has gotten way over the head of its intended use. My Mom calls launching her browser "turning on my email", she spends 85% of her online time opening, reading, clicking links/attachments and forwarding emails. The other 15% of the time, she goes to Facebook and clicks on everything she sees on her feed. She also shops at a couple of online stores.

    No matter how many times I have tried to teach her about safe email practices, she just nods her head, and continues to open any attachment or link because "it's from my friend and I know they wouldn't send me bad emails". This app is perfect for her, because if she hits a link to an .exe page, it simply won't load and she'll eventually move on.

    This is my intended use for the app, and I believe it will work perfectly for her.
     
  11. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    But from a security standpoint, there shouldn't be a decision to make. From a usability standpoint, unless you stick to a handful of websites, the decision-making process will continue on. WOT is there, yes, but I find its usefulness and information to be limited. It isn't a tool I'd use for actual security purposes.

    @HungryMan, you're more intelligent in this area than myself, but I am not sure I'd go around with scripts enabled globally. Not in Firefox at least.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
I understand your feeling. A few times already, over the years, small security measures I've deployed to family members kept them away from real danger, especially e-mails apparently coming from friends, but it turned out their friends' computers were infected and sending e-mails to their contacts to open this or that website.

I do believe little "tools" like this one can be helpful to certain people. In my case, it's also helpful to prevent automatic downloads. For instance, I like to check direct download links at Softpedia. But, once I hit the link for the download, the installer will be automatically downloaded. This is a great way of stopping that. :)
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, as I've shown in my first post.
    But, won't that .exe come from some domain? o_O

    I did try over the weeks to download quite a few .exes, mostly apps to try. I don't think most are downloaded by the general crowd. But, like you I'm unsure.

That policy is to prevent uninstalling them, not disabling them. I don't recall if this one would prevent disabling, but I don't think it would.
     
  14. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Your mom doesn't need some extension or noisy blocker of any kind. Your best bet with a person like her is an always on hand backup image and something like Returnil. I mean no offense at all towards her, but it's rather obvious she is just one of those that doesn't care. That's fine too, computers were never meant to be impregnable fortresses, they were meant to be used easily and used to gather and share data.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
The 1806 registry tweak does the same (all executable extensions normally blocked by SRP) in IE and Chrome.

Setting it to block:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000003

;the 1806 block

Setting it to the default warn:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000001

;the 1806 warn (default)

Just right-click on a downloaded executable and remove the block to allow execution of downloaded executables.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The download is no longer blocked with Chromium ever since renderers started running at Untrusted. 1806 doesn't have the same effect anymore.

    -edit-

    I actually think we talked about this behavior before. But, short version is: It allows the downloads, but then deletes the files. Quite stupid behavior, if you ask me. lol
     
    Last edited: Dec 12, 2012
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @Moon,

    It just depends how it's blocking. If it's checking every request for .exe or something maybe it would be effective. I'm also curious as to whether it blocks plugin requests, IDK enough about the webrequest API and whether it allows for that. I'd assume so. I'm kinda curious about it but unfortunately there are no in-the-wild drive bys for Chrome, so I can't test it against anything.

    Good point. Maybe file a feature request to prevent disabling instead of just uninstalling.

    Well, that's why I use Chrome. But if I were to use Firefox it'd be with a globally allowed NoScript (among other things).
     
  18. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    That is: https://plus.google.com/105199364823220402760/about

    Based on the information there, I'd think it's a safe extension. Nice find especially since you've shown it can do other things!
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Too bad those Vupen guys didn't release a POC, when they bypassed Chrome's sandbox through Flash Player. I don't think they did? It would be a great way to test it. All we'd have to do would be to get an older version of Chromium/Chrome with Flash Player.

    I may do something crazy, and just login to Google and ask the guy (the extension's developer) about it. :argh: :D
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Actually, that's the worst approach to take with such a person, IMO. What good will a backup image or something like Returnil be? If at the moment such a person purchases something on-line their system is infected, then I'd hate to be the person handling such a system for them.

    More quickly, I'd go for Sandboxie, with different sandboxes... if not using Google Chrome, which I'd rather use multiple profiles. The problem is that conflicts/compatibility issues may happen at any given time. One of the reasons that made me no longer deploy such measures to certain family members. Always complaining about some issue.

    I understand why you like that approach, though. It would work quite nice, if users would be willing to make a compromise. And, this compromise would imply that the users would be willing to restore a clean image every day, and most of the day, before they always access important pages, such as e-mail accounts, on-line shops, etc. Too boring and too demanding, IMO. Even I find these approaches way too boring, which is why I simply do not care about them either. I simply backup my important stuff, and that's it. Other than that, 99% of my restrictions go to the browser itself.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
I was able to do some more testing with this extension. I made use of an encoded URL which would download an .exe file. Unfortunately, in such a situation, and how it's currently developed, the extension cannot stop those downloads.

This is a big bummer. Maybe the developer can make it work to stop downloads in such situations as well.

    Nonetheless, it still serves my purpose. lol
     
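Added example, not the extension's own code and not anything the developer published: a download filter of the kind posts 8, 17 and 21 are arguing about, written against the shape of the blocking chrome.webRequest API of that era and runnable stand-alone under Node. It assumes (my assumption, nothing in the thread confirms it) that the extension matches request URLs ending in a blocked file extension. `naiveShouldBlock` reproduces the encoded-URL gap m00nbl00d reports in post 21, `hardenedShouldBlock` decodes the path before looking at the extension, and `responseLooksExecutable` adds a second check on the response headers for links that carry no extension at all. All function names, the sample URLs and the sample headers are constructed for this example.

```javascript
// Added example (not the extension's real code): URL- and header-based
// download filter in the style of the blocking chrome.webRequest API.
// Assumption: the extension blocks requests whose path ends in a listed
// file extension; the defaults below are the .exe/.msi the thread mentions.

const BLOCKED_EXTENSIONS = ["exe", "msi"];

// Constructed sample of the header list a webRequest listener receives
// (array of {name, value} pairs); the filename is RFC 5987 encoded.
const SAMPLE_HEADERS = [
  { name: "Content-Type", value: "application/octet-stream" },
  { name: "Content-Disposition", value: "attachment; filename*=UTF-8''setup%2Eexe" },
];

// Extension of a file name, lower-cased; "" when there is no dot.
function fileExtension(name) {
  const i = name.lastIndexOf(".");
  return i < 0 ? "" : name.slice(i + 1).toLowerCase();
}

// Naive version: regex over the raw URL string. A percent-encoded dot
// ("setup%2Eexe") and any URL with a query or fragment slip past it.
function naiveShouldBlock(rawUrl, blocked = BLOCKED_EXTENSIONS) {
  const re = new RegExp("\\.(" + blocked.join("|") + ")$", "i");
  return re.test(rawUrl);
}

// Hardened version: parse the URL, keep only the path (no query, no
// fragment), percent-decode it once (as the server will), then test the
// extension of the last path segment.
function hardenedShouldBlock(rawUrl, blocked = BLOCKED_EXTENSIONS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // relative or malformed; nothing to decide on
  }
  let path = url.pathname;
  try {
    path = decodeURIComponent(path);
  } catch {
    // malformed escape sequence: keep the raw path
  }
  const last = path.split("/").pop();
  return blocked.includes(fileExtension(last));
}

// Second line of defence for URLs with no telling extension
// ("/download.php?id=42"): inspect the response headers. The browser names
// the saved file from Content-Disposition, so that is what is checked first.
function responseLooksExecutable(headers, blocked = BLOCKED_EXTENSIONS) {
  const header = (wanted) => {
    const h = headers.find((x) => x.name.toLowerCase() === wanted);
    return h ? h.value : "";
  };
  const disposition = header("content-disposition");
  // Handles filename="x.exe", filename=x.exe and filename*=UTF-8''x%2Eexe
  const m = /filename\*?=(?:UTF-8''|"?)([^";]+)/i.exec(disposition);
  if (m) {
    let name = m[1];
    try {
      name = decodeURIComponent(name);
    } catch {
      // keep as-is
    }
    if (blocked.includes(fileExtension(name))) return true;
  }
  // Common MIME types for Windows executables/installers; octet-stream is
  // deliberately not listed, it would block every generic download.
  const ctype = header("content-type").toLowerCase();
  return ["application/x-msdownload", "application/x-msi"].some((t) => ctype.startsWith(t));
}

// Wiring into an extension (chrome.* only exists inside the extension
// context, so this is guarded and the file still runs under Node).
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => ({ cancel: hardenedShouldBlock(details.url) }),
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => ({ cancel: responseLooksExecutable(details.responseHeaders || []) }),
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders"]
  );
}

// Stand-alone demo: the encoded URL from post 21 against both checks.
console.log(naiveShouldBlock("http://example.test/setup%2Eexe"));    // false
console.log(hardenedShouldBlock("http://example.test/setup%2Eexe")); // true
console.log(responseLooksExecutable(SAMPLE_HEADERS));                // true
```

The header check is the one that matters for "download.php?id=42"-style links: the browser takes the file name from Content-Disposition, so a URL filter alone sees nothing to match. Neither check says anything about content fetched by a plugin process, which was the other open question in post 17, and newer Chrome (Manifest V3) replaced blocking webRequest with declarativeNetRequest, so the wiring at the bottom is for the 2012-era API only.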
  22. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I completely understand where you're coming from. My issue with using the Sandboxie approach is that, unless it is drilled down into and you deal with letting x run, but not y, or y access the internet but not x, not only will you not stop keyloggers and other online threats from operating while the session is ongoing, but inevitably something completely legitimate from Windows will need access and you're stuck with pop-ups from Sandboxie. If she ignores it, she may be faced with an order that never goes through, or, knowing most online shopping systems, it may go through and the thing freezes, causing her to hit the "continue with order" button and end up charged multiple times or some other nonsense.

    She still has to deal with saving her files to the real system with Sandboxie. In her case, operating Returnil would be easier in my own opinion. Set up the virtual drive for her, make the browser point to that drive when she is asked to save whatever files she may truly want or need, and after the reboot, her files are safe and sound in the virtual drive and the rest of it all is long gone.

    One caveat though, I've had problems in the past with Returnil rebooting to find histories, files and icons still there even though I did not save them. If she were my mom? She wouldn't have a computer :D She might groan and holler, but if it saves her from having her identity and/or money stolen because she couldn't keep her paws off of things and nothing I said got through her head, it's worth the temporary griping.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh, I would never place such restrictions within Sandboxie. :D Default box, run browser, delete stuff, run browser again for important stuff. Of course, any compromise of a legitimate site, such as e-mail account would be messy.

    Which is why I wouldn't even bother with Sandboxie, at all.
     
  24. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I don't know why you guys over-complicate things. Is that because you don't want to spend a few bucks? Just buy some years of Norton 360 or Webroot SecureAnywhere for the grandma computer, make sure it automatically decides everything, protect it with a password and it's done. You can even manage it remotely.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No need for spending any money, at all. And, especially NOT let the antivirus decide what to do with whatever they detect as malicious. I can't even count the times people came to me because their antivirus screwed the system, due to deleting/whatever Windows own files.

    I also remember a few users complaining at Prevx forum (now Webroot) due to such situations. (Just one more example.)

    I'd more quickly install Microsoft Security Essentials, and simply because I doubt it will screw system files. :argh:
     