This is the second time I've had a drive-by executable installed on my machine using the following:
- Google Chrome 6 (latest)
- Windows 7, UAC on
This happened while I was browsing for images to add to a gaming.se post; one of the sites I visited (to get an image of a transfer cable) must have had drive-by browser exploit code running.
UAC alerted me that a weird temporary executable wanted to run, and I declined, but I still got the fake antivirus executable running on my machine. Sigh..
I do have Java installed because I upload stuff monthly to clearbits.net and their uploader is a Java plugin. So my best guess is, websites are doing drive-by installs using the massive numbers of zero-day vulnerabilities in the Java browser plugins.
For now, I have uninstalled Java, which works. But I wondered if I could disable the Java plugin in Google Chrome instead.
So, how do you disable these vulnerable plugins in Google Chrome? I can't find the UI.
Answer
For Java specifically, Chrome now disables Java by default on all pages and prompts you to allow it to run each time a site needs it.
For more general plugin worries, Chrome allows you to block all plugins on all sites completely, and then allows you to selectively enable them on a page without reloading it. You can also configure exceptions for particular URLs.
To enable this, under the Plug-ins section of the settings URL chrome://settings/content, select "Block All".
With this option enabled, when you want to run plugins on a page you have 3 options:
- Right click on the plugin and choose "Run this plug-in" from the context menu
- Click the plugin icon in the URL bar and choose "Run all plug-ins this time"
- Add an exception for sites you trust so that they can run plugins without your explicit permission each time
Chrome also has a "Click to play" setting which is hidden behind a flag in some versions of Chrome. As a commenter mentioned, this option is vulnerable to clickjacking attacks so I would advise against using it. You're better off with the "Block all" feature.