Google removes Chrome admin privileges to reduce threat posed by dodgy extensions

A Microsoft developer has submitted an update to the open-source Chromium project, ensuring that Chrome on Windows will no longer have admin privileges by default. This can reduce the attack surface of malicious browser extensions that may exploit elevated privileges.

Future versions of Chrome on Windows will most likely not run with admin privileges by default. That way, users should be better protected from suspicious extensions, risky websites, and other potentially malicious activities.

Earlier in May, a Principal Software Engineer at Microsoft, Stefan Smolen, submitted a commit to the Chromium source code, with which Chrome will automatically de-elevate when users try to launch it with elevated permissions.

“This CL is based on changes we’ve had in Edge, circa 2019, which attempts to automatically de-elevate the browser when it’s run with the elevated part of a split / linked token,” Smolen said in the commit. “This automatically attempts a relaunch once, and then if it still fails it falls back to the current behaviour (which tries to launch admin).”

5 Likes

Cool but probably doesn’t actually help much

2 Likes

Reading the original source, Chrome didn’t run in admin privileges by default, this was in case the user launched Chrome with admin privileges for some reason, it will relaunch in normal mode instead.

So the impact is limited and the TechRadar article is misleading.

2 Likes

The most common reason would be a different application running with Administrator privileges opening a Chrome window.

BleepingComputer gives one example where editing a system file in Notepad (which requires admin privileges) and using the built-in “search with Bing” feature (stupid)…


…will open Edge in admin mode:

1 Like

I’m no Windows person so this may be a totally naive question, but will this affect any choices users can make about their security? For example can you still customize DoH after this change?

It shouldn’t affect you in any significant way. Definitely won’t affect DoH.

1 Like

Okay, I didn’t know apps could open other apps in admin mode (presumably the user still has to agree?)

I just pointed out that the TechRadar article was complete misinformation by saying this had to do with malicious extensions.

Every time I install OS to someone I make a local user profile for them, so they can not admin anything on the PC. So they can not run Chrome in as administrator to begin with. I live a peaceful tech support life this way.

1 Like

No, if a process is running in an admin context any processes it spawns will also be in an admin context, unless something intentionally drops privileges, which is what Chrome will now do after this change.

1 Like