Google's Chrome browser may not have market share to compete with Firefox or Internet Explorer, but it's moving forward nonetheless. Soon it will even have the one feature that was requested by more beta testers than any other: an extension mechanism.
According to a page on Google's site, a future version of Chrome will support a variety of extensions; it's just not clear how they will be implemented yet. Among the goals cited are support for download managers, mash-up extensions, and my own personal favorite, ad blockers. Even industry-standard NPAPI plug-ins will be supported, if all goes according to plan.
But if you believe Eric Lawrence, the security program manager for Microsoft's Internet Explorer, that might not necessarily be a good thing. According to Lawrence, as Web browser software matures and the browser market broadens, the browser itself becomes a more difficult target for malware authors. It's too hard to reach a mass audience if you go that route. Instead, Lawrence says, today's attackers are targeting plug-ins.
Kettle, learn from pot
Initial reactions to Lawrence's comments during a Black Hat Webcast ranged from skepticism to outright derision. After all, who should have less to say about security vulnerabilities in browser components than Microsoft? ActiveX is arguably the most egregious security flaw ever to be intentionally introduced into a piece of software. Why should attackers go to the trouble of breaking a window when they can just walk in the front door?
But the intense scrutiny and criticism that ActiveX has weathered over the years has actually done the technology some good. ActiveX attacks persist, but they mostly rely on older versions of Internet Explorer that lack security improvements introduced in IE7. Meanwhile, other, less obvious targets have become the victims of more recent exploits.