
Google Chrome vows to carpet bomb meddling Windows antivirus tools

Browser will block third-party software from mucking around with pages next year

By mid-2018 Google Chrome will no longer allow outside applications – cough, cough, antivirus packages – to run code within the browser on Windows.

This is according to a post today on the Chromium blog that laid out the July release of Chrome 68 for Windows as the target for new rules that will block all third-party apps from injecting scripts into browser sessions.

The idea, explained the Chocolate Factory, is to cut down on stability issues that arise when Chrome lets other apps execute code that can be buggy or incompatible with other software.

"Roughly two-thirds of Windows Chrome users have other applications on their machines that interact with Chrome, such as accessibility or antivirus software," said Chrome stability team member Chris Hamilton.

"In the past, this software needed to inject code in Chrome in order to function properly; unfortunately, users with software that injects code into Windows Chrome are 15 per cent more likely to experience crashes."


In particular, the target here seems to be poorly coded AV tools that can not only crash the browser or cause slowdowns, but also introduce security vulnerabilities of their own for hackers to exploit.

Rather than accept injected code, Chrome will require applications to use either Native Messaging API calls or Chrome extensions to add functionality to the browser. Google believes both methods can be used to retain features without having to risk browser crashes.
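As an added illustration (not code from the Chromium post or from this article), here is a minimal Native Messaging host in Python: Chrome launches the host as a separate process and exchanges JSON messages with it over stdin/stdout, each prefixed with a 32-bit length in native byte order. The `ping`/`pong` message types and the cap applied to inbound messages are assumptions made for the example.

```python
import json
import struct
import sys

# Chrome caps a single host-to-browser message at 1 MB; applying the same cap
# to inbound messages is a defensive assumption of this example.
MAX_MESSAGE_BYTES = 1024 * 1024

def read_message(stream):
    """Read one length-prefixed JSON message; return None on clean EOF."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) != 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("=I", header)  # 32-bit length, native byte order
    if length > MAX_MESSAGE_BYTES:
        raise ValueError("message too large: %d bytes" % length)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    message = json.loads(body.decode("utf-8"))
    if not isinstance(message, dict):
        raise ValueError("expected a JSON object")
    return message

def write_message(stream, message):
    body = json.dumps(message, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_MESSAGE_BYTES:
        raise ValueError("reply exceeds 1 MB limit")
    stream.write(struct.pack("=I", len(body)) + body)
    stream.flush()

def handle(message):
    """Hypothetical handler: answer 'ping', reject everything else."""
    if message.get("type") == "ping":
        return {"type": "pong"}
    return {"type": "error", "reason": "unsupported request"}

def serve(stdin, stdout):
    """Process messages until EOF; return how many were handled."""
    count = 0
    while (message := read_message(stdin)) is not None:
        write_message(stdout, handle(message))
        count += 1
    return count

if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

Because the host runs out of process, a parsing bug or crash in it ends the host rather than the browser, which is the stability property the injection ban is after.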

For now, the policy will likely only be of concern to developers. Users won't notice the development until April 2018, when Chrome 66 will begin showing notifications after Chrome crashes due to injected code. These alerts will finger third-party programs for the cause of the breakdown.

With Chrome 68, the browser will block third-party code in all cases except when the blocking itself would cause a crash. In that case, Chrome will reload, allow the code to run, and then give the user a warning that the third-party software will need to be removed for Chrome to run properly. The warning will be removed and nearly all code injection will be disabled in January of 2019.

"While most software that injects code into Chrome will be affected by these changes, there are some exceptions," said Hamilton.

"Microsoft-signed code, accessibility software, and IME software will not be affected."

Google is advising developers to get out ahead of the changes by shifting to extensions or Native Messaging and testing their software for compatibility with Chrome Beta browser builds. Essentially, get rewriting your code, programmers. ®
