In the past we reported on Google’s research regarding ad injections and various steps the company has taken in order to limit the possibility of extensions and other software to inject content to webpages. This month, Google announced that Chrome for Windows will start blocking third-party software that injects code to Chrome processes.
Third party software spans from anti-virus scanners and video driver utilities that often inject libraries into running processes to do things like inspect network traffic, to malicious software that can also do the same to spy on users, steal passwords etc. According to Google, Chrome extensions and Native Messaging APIs are modern and safer alternatives to running code inside Chrome processes, and developers are encouraged to use them instead of injecting code from a third party software.
The change will be gradual and start from Chrome 66, due in April 2018, which will begin showing affected users a warning after a crash, alerting them that other software is injecting code into Chrome and guiding them to update or remove that software. The next stage will be introduced in Chrome 68, due in July 2018, which will begin blocking third-party software from injecting into Chrome processes, but if this blocking prevents Chrome from starting, Chrome will restart and allow the injection, together with the warning message. The final stage will come with Chrome 72, due in January 2019, which will block code injection entirely.
The blocking will not apply to accessibility software (such as screen readers), Input Method Editors (used to compose complex scripts, and essential for many Asian languages), and any code that has been signed by Microsoft will continue to be allowed.