Google Chrome Plans To Block AV Module Process Injection

The Google Chrome (Chromium) security developers have long complained about third-party antivirus software injecting modules into chrome.exe, causing stability problems, significantly delaying security feature development, and also potentially opening up attack surface.


Solution = Block AV module injection into chrome.exe processes


[Win] Blocking third party modules
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=690166

[Win] Chrome needs a third party module black/whitelist mechanism
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=690008

[Win] Third party module blocking mechanism
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=704233


Unfortunately the design documents contained within the big reports are locked down to be viewed only by Google Chrome developers at this stage of development. I assume that this is still many months out still and will go through testing via field trials and flags well before it ever reaches stable branch.

I expect that Mozilla Firefox developers will also take the step to block AV module injection at some point as well.

 

Which may lead for sandboxing apps to fail and lost their main purpose.

 

Does this apply to Chromium and other Chromium-based browsers as well?

 

yes because it was on Chromium.org so it affect all chromium platform.

 

This would be a huge blow to Anti-Exploit applications like HMPA, and MBAE.

 

Thanks

If this is the case I'll go signature-less

 

They'll be extinct......

 

huge blow? yes, extinct? no, internet-facing apps will still need to be protected.

 

It seems as though this module process injection blocking in Chrome will have a whitelist/blacklist module mechanism. So it could be done in such a way where modules that are known to be causing stability/crashing issues, they could be blocked temporarily until the third party vendor fixes the issue. Trusted modules which have proven stability track record could very well be whitelisted by Chrome. It appears that they are doing this in such a way where they would be able to push these changes out via components in case of urgent stability issues and such. But anyway, I would assume that the development for this module blocking mechanism is likely still a year out until it finishes implementation design and goes through various testing stages.

 

Better solution. Don't use Chrome.

 

They say the past tends to repeat itself. I remember this exact conversation when Vista was coming out with 64 bit KPP, for some reason the sky didn't fall down.

People we're literally saying the same thing about 64bit Windows ahahahaha. People just love getting into a fit about nothing.

Great move from the Chrome team, keep it up. Gotta keep making AV more and more irrelevant.

 

Kinda they way I'm leaning on this situation.

 

This approach would indeed make sense. But I wonder how browsers and other processes can protect themselves against code injection. Running as a "Protected Process" is one option, but I don't think that this will be the case.

 

Yup. Now to figure out what browser to use. May have to go back to my old stomping grounds by using Firefox.

 

Good idea. Move to a less secure platform so you can take advantage of more AV features.

Should probably move back to 32 bit Windows too so you can use a a more powerful HIPS/sandboxie program.

Then you will be REALLY secure thanks to all that 3rd party help. Those companies know Windows/browsers better than anyone.

 

So what do you recommend all knowing one?

 

Those comments are very interesting psychologically speaking...

Everybody knows that Chrome is a fortress in term of security (sandbox + Appcontainer), not impenetrable but quite secure.

so some people rather use a weaker browser (say FF) because they are so dependent of security products...

like they say they rather stay in a house with weak locks because it has an alarm than a house with an armored door and windows...

very interesting...

 

I would rather uninstall my third party antivirus and stay with Windows Defender than stop using Chrome.

 

Guess it would be a matter of time to finally know if this will make Chrome stronger or weaker.

 

I agree. I'm also sure that most security software will adapt to this changes.

 

Does Chrome with AppContainer enabled not disable its own sandbox? I think only one sandbox gets enabled because when AppContainer is enabled, Chrome's command line includes the "no-sandbox".

 

I don't, but that's because it sucks. You can get the same security with Vivaldi or Opera (sandbox disabled or not) with Sandboxie on top.

 

It remains to be seen...

 

Appcontainer