Google Chrome Plans To Block AV Module Process Injection

Discussion in 'other security issues & news' started by WildByDesign, May 18, 2017 at 10:00 PM.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,887
    Location:
    Toronto, Canada
    The Google Chrome (Chromium) security developers have long complained about third-party antivirus software injecting modules into chrome.exe, causing stability problems, significantly delaying security feature development, and also potentially opening up attack surface.


    Solution = Block AV module injection into chrome.exe processes


    [Win] Blocking third party modules
    Link: https://bugs.chromium.org/p/chromium/issues/detail?id=690166

    [Win] Chrome needs a third party module black/whitelist mechanism
    Link: https://bugs.chromium.org/p/chromium/issues/detail?id=690008

    [Win] Third party module blocking mechanism
    Link: https://bugs.chromium.org/p/chromium/issues/detail?id=704233


    Unfortunately the design documents contained within the bug reports are locked down to be viewed only by Google Chrome developers at this stage of development. I assume that this is still many months out and will go through testing via field trials and flags well before it ever reaches the stable branch.

    I expect that Mozilla Firefox developers will also take the step to block AV module injection at some point as well.
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,374
    Location:
    Europe then Asia
    Which may lead sandboxing apps to fail and lose their main purpose.
     
  3. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    117
    Location:
    Far East
    Does this apply to Chromium and other Chromium-based browsers as well?
     
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,374
    Location:
    Europe then Asia
    Yes, because it was on Chromium.org, so it affects all Chromium platforms.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,036
    Location:
    USA
    This would be a huge blow to Anti-Exploit applications like HMPA, and MBAE.
     
  6. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    117
    Location:
    Far East
    Thanks

    If this is the case I'll go signature-less
     
  7. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    117
    Location:
    Far East
    They'll be extinct......:rolleyes:
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,374
    Location:
    Europe then Asia
    Huge blow? Yes. Extinct? No, internet-facing apps will still need to be protected.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,887
    Location:
    Toronto, Canada
    It seems as though this module process injection blocking in Chrome will have a whitelist/blacklist module mechanism. So it could be done in such a way that modules known to be causing stability/crashing issues could be blocked temporarily until the third-party vendor fixes the issue. Trusted modules which have a proven stability track record could very well be whitelisted by Chrome. It appears that they are doing this in such a way that they would be able to push these changes out via components in case of urgent stability issues and such. But anyway, I would assume that the development for this module blocking mechanism is likely still a year out until it finishes implementation design and goes through various testing stages.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    Better solution. Don't use Chrome.
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,896
    They say the past tends to repeat itself. I remember this exact conversation when Vista was coming out with 64 bit KPP, for some reason the sky didn't fall down.

    People were literally saying the same thing about 64-bit Windows ahahahaha. People just love getting into a fit about nothing.

    Great move from the Chrome team, keep it up. Gotta keep making AV more and more irrelevant.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,202
    Location:
    USA
    Kinda the way I'm leaning on this situation.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,910
    Location:
    The Netherlands
    This approach would indeed make sense. But I wonder how browsers and other processes can protect themselves against code injection. Running as a "Protected Process" is one option, but I don't think that this will be the case.
     
  14. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,093
    Yup. Now to figure out what browser to use. May have to go back to my old stomping grounds by using Firefox.
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,896
    Good idea. Move to a less secure platform so you can take advantage of more AV features.

    Should probably move back to 32-bit Windows too so you can use a more powerful HIPS/Sandboxie program.

    Then you will be REALLY secure thanks to all that 3rd party help. Those companies know Windows/browsers better than anyone.
     
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,093
    So what do you recommend, all-knowing one?
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,374
    Location:
    Europe then Asia
    Those comments are very interesting psychologically speaking...

    Everybody knows that Chrome is a fortress in terms of security (sandbox + AppContainer), not impenetrable but quite secure.

    So some people would rather use a weaker browser (say FF) because they are so dependent on security products...

    Like they say they would rather stay in a house with weak locks because it has an alarm than a house with an armored door and windows...

    very interesting...
     
    Last edited: May 19, 2017 at 11:46 PM
  18. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    876
    I would rather uninstall my third party antivirus and stay with Windows Defender than stop using Chrome.
     
  19. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    415
    Guess it would be a matter of time to finally know if this will make Chrome stronger or weaker.
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,360
    I agree. I'm also sure that most security software will adapt to these changes.
     
  21. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    502
    Location:
    Philippines
    Does Chrome with AppContainer enabled not disable its own sandbox? I think only one sandbox gets enabled because when AppContainer is enabled, Chrome's command line includes the "no-sandbox".
     
    Last edited: May 20, 2017 at 3:35 AM
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,910
    Location:
    The Netherlands
    I don't, but that's because it sucks. You can get the same security with Vivaldi or Opera (sandbox disabled or not) with Sandboxie on top.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,308
    That's my solution. Frankly I don't see what the big deal is with Chrome.
     
  24. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,125
    It remains to be seen...:isay:
     
  25. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,374
    Location:
    Europe then Asia
    Appcontainer :D
     