Last year, Chrome’s team promised to add some features that improve plug-in security. One of them is already included in the latest dev builds: “some plug-ins are widely installed but typically not required for today’s Internet experience. For most users, any attempt to instantiate such a plug-in is suspicious and Google Chrome will warn on this condition.”
Two of the plug-ins that require permission every time you visit a site that uses them are Oracle’s Java and Apple’s QuickTime. The two plug-ins are enabled by default, but you need to click “Run this time” or “Always run on this site” to load the full content of the page. You can manually whitelist domains, but there’s no way to disable the infobar.
While not many sites use these plug-ins, it’s surprising that Chrome requires permission before loading Java or QuickTime content even when you’ve updated to the latest version of the plug-in. The infobar warning is annoying: some users might ignore it, while others could think that the page is trying to install malicious software.
“The reason is to protect the (estimated 90% – 95%) of internet users who do not ever need to instantiate various lesser-used plug-ins. Remember that you just have to press a single button on the sites that you trust to run Java. And then you’re done. In fact you’re much better than done: you’ve limited your exposure to Java security vulnerabilities such that a drive-by malware Java ad won’t automatically run. I encourage you to read about the evolution of drive-by downloads and pay particular attention to how Java is being used in a lot of current attacks, even when it is fully up to date,” explains a Chrome engineer.