Google Chrome – How to Disable Java Plugin in Google Chrome

google-chrome java plugins vulnerabilities

This is the second time I've had a drive-by executable installed on my machine using the following:

  • Google Chrome 6 (latest)
  • Windows 7, UAC on

This happened while I was browsing for images to add to a gaming.se post; one of the sites I visited (to get an image of a transfer cable) must have had drive-by browser exploit code running.

UAC alerted me that a weird temporary executable wanted to run, and I declined, but I still got the fake antivirus executable running on my machine. Sigh..

I do have Java installed because I upload stuff monthly to clearbits.net and their uploader is a Java plugin. So my best guess is, websites are doing drive-by installs using the massive numbers of zero-day vulnerabilities in the Java browser plugins.

For now, I have uninstalled Java, which works. But I wondered if I could disable the Java plugin in Google Chrome instead.

So, how do you disable these vulnerable plugins in Google Chrome? I can't find the UI.

Best Answer

For Java specifically, Chrome now disables Java by default on all pages and prompts you to allow it to run each time a site needs it.

For more general plugin worries, Chrome allows you to block all plugins on all sites completely, and then allows you to selectively enable them on a page without reloading it. You can also configure exceptions for particular URLs.

To enable this, under the Plug-ins section of the settings URL chrome://settings/content, select "Block All".

With this option enabled, when you want to run plugins on a page you have 3 options:

  • Right click on the plugin and choose "Run this plug-in" from the context menu
  • Click the plugin icon in the URL bar and choose "Run all plug-ins this time"
  • Add an exception for sites you trust so that they can run plugins without your explicit permission each time

Chrome also has a "Click to play" setting which is hidden behind a flag in some versions of Chrome. As a commenter mentioned, this option is vulnerable to clickjacking attacks so I would advise against using it. You're better off with the "Block all" feature.
