Injecting malicious codes into the browser is one of the oldest methods used by attackers to obtain details and hijack the browser. Ironically it is also one of the most preferred methods by anti-virus software to monitor the browsers. We had seen earlier how an attacker cloned the entire Google Chrome browser in order to steal data and hijack the browser. Google has finally decided to act against the third-party applications that inject code into the chrome browser. This is expected to affect two-thirds of all the Chrome users on the browser.
Chrome to block third-party injections
Apparently Chrome installations with code injectors are likely to crash the Chrome browser, and this is one of the main reasons for disallowing the code injection altogether. That being said this will also affect a huge subset of anti-virus that uses code injection to lookout for threats like malware and phishing attempts. However, Google has announced that it will continue to allow Microsoft signed code, accessibility software and also the IME software.
As per Google, the changes will be implemented in three phases over the next 14 months. Starting from April 2018, Chrome 66 will start showing affected users a warning after the crash that a third party software is injecting code. It will further help the user update or remove the software altogether.
In the next phase, i.e., starting from July 2018, Chrome 68 will directly block the third-party software from injecting into Chrome processes. In case this stops Chrome from starting up the browser will temporarily allow the injection and show a warning sign to the user and help them remove the software. In the fourth and the last phase Chrome 72 will automatically block the code from the injection. It is very likely that anti-virus suites may come up with a workaround, but I am personally skeptical about its effectiveness.
In the meanwhile folks at Google are suggesting that software vendors change their coding methods and use newer features like the browser extensions or even the Native Messaging API. Moreover, the vendors are also getting a one year notice to update their methods.