DOCSLIB.ORG

After You, Please: Browser Extensions Order Attacks and Countermeasures

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
After You, Please: Browser Extensions Order Attacks and Countermeasures After You, Please: Browser Extensions Order Attacks and Countermeasures Pablo Picazo-Sanchez Juan Tapiador Chalmers j University of Gothenburg, Carlos III University Gothenburg, Sweden Madrid, Spain Gerardo Schneider Chalmers j University of Gothenburg, Gothenburg, Sweden Abstract ular browsers as of this writing (April 2018) are Chrome (77.9%), Firefox (11.8%), Internet Explor- Browser extensions are small applications executed er/Edge (4.1%), Safari (3.3%) and Opera (1.5%) in the browser context that provide additional capa- [18]. Most browsers allow users to install small bilities and enrich the user experience while surfing applications, generally developed by third parties, the web. The acceptance of extensions in current that provide additional functionality or enhance the browsers is unquestionable. For instance, Chrome’s user experience while browsing. Such plug-ins are official extension repository has more than 63,000 known as browser extensions and they interact with extensions, with some of them having more than the browser by sharing common resources such as 10M users. When installed, extensions are pushed tabs, cookies, HTML content or storage capabilities. into an internal queue within the browser. The or- der in which each extension executes depends on a In this paper we focus on Chromium [12], which number of factors, including their relative installa- is an open source browser and the basis for Chrome, tion times. In this paper, we demonstrate how this Opera, Comodo, Dragon and the Yandex browser. order can be exploited by an unprivileged malicious Extensions installed in Chromium can also run in all extension (i.e., one with no more permissions than mentioned browsers. The execution engine is ex- those already assigned when accessing web content) actly the same in all the browsers and follows the to get access to any private information that other same pipeline model that will be explained in some extensions have previously introduced. Our solution detail later (Section3). For this reason, we will re- does not require modifying the core browser engine fer to Chrome and Chromium interchangeably. Ex- as it is implemented as another browser extension. tensions in Chromium can be of three types: con- We prove that our approach effectively protects the tent scripts, background pages, or both. In what fol- user against usual attackers (i.e., any other installed lows, our main focus is on content scripts, which are extension) as well as against strong attackers having JavaScript files that run in the context of the loaded access to the effects of all installed extensions (i.e., web page. It is important to emphasize that the main knowing who did what). We also prove soundness aim of content scripts is to access and interact with arXiv:1908.02205v1 [cs.CR] 6 Aug 2019 and robustness of our approach under reasonable as- the Document Object Model (DOM). This fact alone sumptions. raises a fundamental privacy question, since it is ex- plicitly assumed that extensions will have full access to any (sensitive or not) content that the user is ac- 1 Introduction cessing. Browsers (including Chromium) dodge this issue by assuming that the user should trust the ex- Web browsers have become essential tools that are tension before installing it. In this paper we do not installed on nearly all computers. The most pop- address this problem, which is essentially related to 1 determining if an extension’s behavior is benign or E1 E2 E3 <latexit sha1_base64="VfYnBWr0qNp/vf1hBmmNQpZpI84=">AAAB5XicbZDNSsNAFIVv6l+tf1WXbgaL4KokIuiy6MZlBfsDbSiT6U0zdCYJMxOhhD6CrkTd+UK+gG/jpGahrWf1zT1n4J4bpIJr47pfTmVtfWNzq7pd29nd2z+oHx51dZIphh2WiET1A6pR8Bg7hhuB/VQhlYHAXjC9LfzeIyrNk/jBzFL0JZ3EPOSMmmI01Jkc1Rtu012IrIJXQgNKtUf1z+E4YZnE2DBBtR54bmr8nCrDmcB5bZhpTCmb0gkOLMZUovbzxa5zchYmipgIyeL9O5tTqfVMBjYjqYn0slcM//MGmQmv/ZzHaWYwZjZivTATxCSkqEzGXCEzYmaBMsXtloRFVFFm7GFqtr63XHYVuhdNz21695eN1k15iCqcwCmcgwdX0II7aEMHGETwDG/w7kycJ+fFef2JVpzyzzH8kfPxDR+Di+g=</latexit> malicious. X E1 HTML When analyzing the security and privacy impli- 1 HTML0 HTML0 E2 <latexit sha1_base64="VfYnBWr0qNp/vf1hBmmNQpZpI84=">AAAB5XicbZDNSsNAFIVv6l+tf1WXbgaL4KokIuiy6MZlBfsDbSiT6U0zdCYJMxOhhD6CrkTd+UK+gG/jpGahrWf1zT1n4J4bpIJr47pfTmVtfWNzq7pd29nd2z+oHx51dZIphh2WiET1A6pR8Bg7hhuB/VQhlYHAXjC9LfzeIyrNk/jBzFL0JZ3EPOSMmmI01Jkc1Rtu012IrIJXQgNKtUf1z+E4YZnE2DBBtR54bmr8nCrDmcB5bZhpTCmb0gkOLMZUovbzxa5zchYmipgIyeL9O5tTqfVMBjYjqYn0slcM//MGmQmv/ZzHaWYwZjZivTATxCSkqEzGXCEzYmaBMsXtloRFVFFm7GFqtr63XHYVuhdNz21695eN1k15iCqcwCmcgwdX0II7aEMHGETwDG/w7kycJ+fFef2JVpzyzzH8kfPxDR+Di+g=</latexit> cations of browser extensions, one question that 3 X HTML has been largely overlooked is the potential leak- E3 age of information among extensions. In nearly all HTML’ browsers, each content script uses its own wrapper of the DOM to read and make changes to the page Figure 1: Modified extension execution pipeline in loaded by the browser. They also run in a dedi- our solution. cated sandbox that the browser provides for security reasons. However, there is no isolation in terms of privacy, since all changes an extension performs in that ends up in the DOM, since it is assumed that its own DOM are automatically synchronized with other extensions could simply read or manipulate it. the main DOM. One straightforward—but nonethe- Even if browsers do not factor this into their threat less important—consequence of this is that a mali- model, we believe that this is a serious vulnerabil- cious extension could eavesdrop on other extensions ity that has not been discussed before. More im- (i.e., it can get access to the data they put on the portantly, it can be easily exploited by a malicious DOM and observe their actions) and even manipu- extension, regardless of the fact that it is explicitly late their behavior by acting on their DOM elements assumed in the browser’s extension model or not. (e.g., clicking on elements introduced by another ex- We discuss a vulnerability inherent to the way ex- tension). An attacker can exploit this using two dif- tensions are handled in Chromium, formalize this ferent strategies: problem in terms of knowledge gained by the at- 1. Exploiting the order. The way Chromium tacker and propose a solution that provides practical manages extensions (see Section3) introduces security isolation among extensions and does not re- a default execution order among extensions quire altering the core browser engine. The key idea with undesirable consequences. One key is- is to replace the extension pipeline by a (simulated) sue is that the n-th extension in the pipeline can parallel execution model in which all extensions re- learn all contents introduced by the first n − 1 ceive the same input page (see Fig.1). An addi- extensions in the HTML document. Thus, ex- tional component identifies the changes introduced tensions located at the end of the pipeline enjoy by each extension and applies all of them to the orig- more privacy than ones installed earlier. inal input page. We prove properties (soundness and 2. The order-independent attacks. Some of at- robustness) of our solution and also discuss limita- tacks enabled by the absence of effective isola- tions of this approach. tion among extensions’ actions do not require exploiting the execution order (i.e., getting the malicious extension to be placed at the end of 2 Chrome Browser Extensions the execution pipeline). However, exploiting the order provides the attacker with a privileged Events order in JavaScript. In JavaScript, the position that facilitates such attacks, which will event propagation mechanism determines in which result in a simpler code for the malicious exten- order an event is received by HTML elements. For sion that will increase the chances of passing instance, when two nested elements are subscribed the analysis performed by official stores [8]. to the same event and this event is fired, there are This lack of effective isolation is not only inher- basically two ways to propagate the event in the ent to Chromium’s extension model, but also explic- DOM: bubbling and capturing. By using capturing, itly acknowledged. Browsers such as Chrome do the event is initially handled by the root element and not even attempt to guarantee some form of “non- propagated to the its children. In contrast, with bub- interference” among extensions. On the contrary, bling the event is initially captured and handled by developers are encouraged to implement appropri- the children (leaves nodes in the DOM tree) and then ate mechanisms to protect any sensitive information propagated to their parents. 2 In JavaScript, extensions subscribe to events by manages tasks and microtasks. A task—a click using the addEvenListener() function. In our event, for instance—is run in its own thread and is example above we use capturing, so the first alert() composed of a set of JavaScript sentences, actions to will correspond to the <divid="1">. In case of handle the event, which belong to the event loop. All using bubbling, then the first alert() will corre- tasks are queued and executed sequentially. More- spond to the <divid="2"> element. over, when a setTimeout is used in the event Apart from the JavaScript event propagation loop, the callback function that is executed asyn- mechanism, extensions developers can define one chronously is queued as a new task. This is specially additional order level through a property named useful for monitoring delayed functions in browser run_at in the manifest.json file that allows extensions. them to control at which moment the extension will Nevertheless,
Load more

Recommended publications
  • Financing Transactions 12
    MOBILE SMART FUNDAMENTALS MMA MEMBERS EDITION AUGUST 2012 messaging . advertising . apps . mcommerce www.mmaglobal.com NEW YORK • LONDON • SINGAPORE • SÃO PAULO MOBILE MARKETING ASSOCIATION AUGUST 2012 REPORT MMA Launches MXS Study Concludes that Optimal Spend on Mobile Should be 7% of Budget COMMITTED TO ARMING YOU WITH Last week the Mobile Marketing Association unveiled its new initiative, “MXS” which challenges marketers and agencies to look deeper at how they are allocating billions of ad THE INSIGHTS AND OPPORTUNITIES dollars in their marketing mix in light of the radically changing mobile centric consumer media landscape. MXS—which stands for Mobile’s X% Solution—is believed to be the first YOU NEED TO BUILD YOUR BUSINESS. empirically based study that gives guidance to marketers on how they can rebalance their marketing mix to achieve a higher return on their marketing dollars. MXS bypasses the equation used by some that share of time (should) equal share of budget and instead looks at an ROI analysis of mobile based on actual market cost, and current mobile effectiveness impact, as well as U.S. smartphone penetration and phone usage data (reach and frequency). The most important takeaways are as follows: • The study concludes that the optimized level of spend on mobile advertising for U.S. marketers in 2012 should be seven percent, on average, vs. the current budget allocation of less than one percent. Adjustments should be considered based on marketing goal and industry category. • Further, the analysis indicates that over the next 4 years, mobile’s share of the media mix is calculated to increase to at least 10 percent on average based on increased adoption of smartphones alone.
    [Show full text]
  • Cross-Platform Analysis of Indirect File Leaks in Android and Ios Applications
    Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications Daoyuan Wu and Rocky K. C. Chang Department of Computing, The Hong Kong Polytechnic University fcsdwu, [email protected] This paper was published in IEEE Mobile Security Technologies 2015 [47] with the original title of “Indirect File Leaks in Mobile Applications”. Victim App Abstract—Today, much of our sensitive information is stored inside mobile applications (apps), such as the browsing histories and chatting logs. To safeguard these privacy files, modern mobile Other systems, notably Android and iOS, use sandboxes to isolate apps’ components file zones from one another. However, we show in this paper that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, Adversary Deputy Trusted we devise new indirect file leak (IFL) attacks that exploit browser (a) (d) parties interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike the previous attacks, we demonstrate that these IFLs can Private files affect both Android and iOS. Moreover, our IFL methods allow (s) an adversary to launch the attacks remotely, without implanting malicious apps in victim’s smartphones. We finally compare the impacts of four different types of IFL attacks on Android and Fig. 1. A high-level IFL model. iOS, and propose several mitigation methods. four IFL attacks affect both Android and iOS. We summarize these attacks below. I. INTRODUCTION • sopIFL attacks bypass the same-origin policy (SOP), Mobile applications (apps) are gaining significant popularity which is enforced to protect resources originating from in today’s mobile cloud computing era [3], [4].
    [Show full text]
  • 1 Questions for the Record from the Honorable David N. Cicilline, Chairman, Subcommittee on Antitrust, Commercial and Administra
    Questions for the Record from the Honorable David N. Cicilline, Chairman, Subcommittee on Antitrust, Commercial and Administrative Law of the Committee on the Judiciary Questions for Mr. Kyle Andeer, Vice President, Corporate Law, Apple, Inc. 1. Does Apple permit iPhone users to uninstall Safari? If yes, please describe the steps a user would need to take in order to do so. If no, please explain why not. Users cannot uninstall Safari, which is an essential part of iPhone functionality; however, users have many alternative third-party browsers they can download from the App Store. Users expect that their Apple devices will provide a great experience out of the box, so our products include certain functionality like a browser, email, phone and a music player as a baseline. Most pre-installed apps can be deleted by the user. A small number, including Safari, are “operating system apps”—integrated into the core operating system—that are part of the combined experience of iOS and iPhone. Removing or replacing any of these operating system apps would destroy or severely degrade the functionality of the device. The App Store provides Apple’s users with access to third party apps, including web browsers. Browsers such as Chrome, Firefox, Microsoft Edge and others are available for users to download. 2. Does Apple permit iPhone users to set a browser other than Safari as the default browser? If yes, please describe the steps a user would need to take in order to do so. If no, please explain why not. iPhone users cannot set another browser as the default browser.
    [Show full text]
  • Website Nash County, NC
    Website Nash County, NC Date range: Week 13 October - 19 October 2014 Test Report Visits Summary Value Name Value Unique visitors 5857 Visits 7054 Actions 21397 Maximum actions in one visit 215 Bounce Rate 46% Actions per Visit 3 Avg. Visit Duration (in seconds) 00:03:33 Website Nash County, NC | Date range: Week 13 October - 19 October 2014 | Page 2 of 9 Visitor Browser Avg. Time on Browser Visits Actions Actions per Visit Avg. Time on Bounce Rate Conversion Website Website Rate Internet Explorer 2689 8164 3.04 00:04:42 46% 0% Chrome 1399 4237 3.03 00:02:31 39.24% 0% Firefox 736 1784 2.42 00:02:37 50% 0% Unknown 357 1064 2.98 00:08:03 63.87% 0% Mobile Safari 654 1800 2.75 00:01:59 53.36% 0% Android Browser 330 1300 3.94 00:02:59 41.21% 0% Chrome Mobile 528 2088 3.95 00:02:04 39.02% 0% Mobile Safari 134 416 3.1 00:01:39 52.24% 0% Safari 132 337 2.55 00:02:10 49.24% 0% Chrome Frame 40 88 2.2 00:03:36 52.5% 0% Chrome Mobile iOS 20 46 2.3 00:01:54 60% 0% IE Mobile 8 22 2.75 00:00:45 37.5% 0% Opera 8 13 1.63 00:00:26 62.5% 0% Pale Moon 4 7 1.75 00:00:20 75% 0% BlackBerry 3 8 2.67 00:01:30 33.33% 0% Yandex Browser 2 2 1 00:00:00 100% 0% Chromium 1 3 3 00:00:35 0% 0% Mobile Silk 1 8 8 00:04:51 0% 0% Maxthon 1 1 1 00:00:00 100% 0% Obigo Q03C 1 1 1 00:00:00 100% 0% Opera Mini 2 2 1 00:00:00 100% 0% Puffin 1 1 1 00:00:00 100% 0% Sogou Explorer 1 1 1 00:00:00 100% 0% Others 0 0 0 00:00:00 0% 0% Website Nash County, NC | Date range: Week 13 October - 19 October 2014 | Page 3 of 9 Mobile vs Desktop Avg.
    [Show full text]
  • XCSSET Update: Abuse of Browser Debug Modes, Findings from the C2 Server, and an Inactive Ransomware Module Appendix
    XCSSET Update: Abuse of Browser Debug Modes, Findings from the C2 Server, and an Inactive Ransomware Module Appendix Introduction In our first blog post and technical brief for XCSSET, we discussed the depths of its dangers for Xcode developers and the way it cleverly took advantage of two macOS vulnerabilities to maximize what it can take from an infected machine. This update covers the third exploit found that takes advantage of other popular browsers on macOS to implant UXSS injection. It also details what we’ve discovered from investigating the command-and-control server’s source directory — notably, a ransomware feature that has yet to be deployed. Recap: Malware Capability List Aside from its initial entry behavior (which has been discussed previously), here is a summarized list of capabilities based on the source files found in the server: • Repackages payload modules to masquerade as well-known mac apps • Infects local Xcode and CocoaPods projects and injects malware to execute when infected project builds • Uses two zero-day exploits and trojanizes the Safari app to exfiltrate data • Uses a Data Vault zero-day vulnerability to dump and steal Safari cookie data • Abuses the Safari development version (SafariWebkitForDevelopment) to inject UXSS backdoor JS payload • Injects malicious JS payload code to popular browsers via UXSS • Exploits the browser debugging mode for affected Chrome-based and similar browsers • Collects QQ, WeChat, Telegram, and Skype user data in the infected machine (also forces the user to allow Skype and
    [Show full text]
  • HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014
    HTTP cookie - Wikipedia, the free encyclopedia 14/05/2014 Create account Log in Article Talk Read Edit View history Search HTTP cookie From Wikipedia, the free encyclopedia Navigation A cookie, also known as an HTTP cookie, web cookie, or browser HTTP Main page cookie, is a small piece of data sent from a website and stored in a Persistence · Compression · HTTPS · Contents user's web browser while the user is browsing that website. Every time Request methods Featured content the user loads the website, the browser sends the cookie back to the OPTIONS · GET · HEAD · POST · PUT · Current events server to notify the website of the user's previous activity.[1] Cookies DELETE · TRACE · CONNECT · PATCH · Random article Donate to Wikipedia were designed to be a reliable mechanism for websites to remember Header fields Wikimedia Shop stateful information (such as items in a shopping cart) or to record the Cookie · ETag · Location · HTTP referer · DNT user's browsing activity (including clicking particular buttons, logging in, · X-Forwarded-For · Interaction or recording which pages were visited by the user as far back as months Status codes or years ago). 301 Moved Permanently · 302 Found · Help 303 See Other · 403 Forbidden · About Wikipedia Although cookies cannot carry viruses, and cannot install malware on 404 Not Found · [2] Community portal the host computer, tracking cookies and especially third-party v · t · e · Recent changes tracking cookies are commonly used as ways to compile long-term Contact page records of individuals' browsing histories—a potential privacy concern that prompted European[3] and U.S.
    [Show full text]
  • RELEASE NOTES UFED PHYSICAL ANALYZER, Version 5.4 | November 2016 UFED LOGICAL ANALYZER, UFED READER
    NOW SUPPORTING 20,854 DEVICE PROFILES +2,851 APP VERSIONS UFED TOUCH2, UFED TOUCH, UFED 4PC, RELEASE NOTES UFED PHYSICAL ANALYZER, Version 5.4 | November 2016 UFED LOGICAL ANALYZER, UFED READER HIGHLIGHTS WE’VE ADDED SUPPORT TO MORE MOTOROLA ANDROID DEVICES! DEVICE SUPPORT Physical extraction and decoding from 26 popular Motorola Android devices ◼ Bootloader-based physical extraction for 17 MTK Android (up to and including OS 5.0.1). devices running the following MediaTek chipsets: MT6735 and MT6753. ◼ Physical extraction and decoding from 26 popular A BRAND NEW USER INTERFACE Motorola Android devices. Due to popular demand, we ◼ Following the previous announcement in version 5.1, are excited to introduce the we have added physical extraction while bypassing new interface for UFED Physical user lock for 18 additional Huawei devices, running Analyzer, UFED Logical Analyzer and UFED Reader 5.4. HiSilicon chipsets. We have redesigned the user interface to deliver a more ◼ Logical extraction and decoding is enabled for the new intuitive user experience. Google Pixel Android devices (Apps data not included). APPS SUPPORT ◼ 26 new Applications supported for iOS and PINPOINT YOUR SUBJECTS’ Android devices. LOCATIONS WITH MORE ACCURACY! ◼ Facebook Messenger: Decoding supported for multiple users of a single device. ◼ 569 updated application versions. FUNCTIONALITY ◼ Pinpoint your subjects’ locations with more accuracy. ◼ Organize and review case evidence with enhanced To fully utilize the large volume of locations data available in a searching, filtering and grouping capabilities. mobile device, UFED Physical Analyzer 5.4 allows you to convert ◼ Analyze more data in Timeline view quicker. the BSSID values (wireless networks) and cell towers into location ◼ Identify critical case information up to 50% faster.
    [Show full text]
  • Discovering and Analyzing Unlisted Chrome Extensions
    Wild Extensions: Discovering and Analyzing Unlisted Chrome Extensions Aidan Beggs and Alexandros Kapravelos North Carolina State University fawbeggs,[email protected] Abstract. With browsers being a ubiquitous, if not required, method to access the web, they represent a unique and universal threat vec- tor. Browsers can run third-party extensions virtually invisibly in the background after a quick install. In this paper, we explore the abuse of browser extensions that achieve installations via suspicious methods. We scan the web for links to extension installations by performing a web crawling of the Alexa top 10,000 websites with recursive sub-page depth of 4 and leverage other tools to search for artifacts in the source code of webpages. We discover pages that have links to both listed and un- listed extensions, many times pointing to multiple different extensions that share the same name. Using this data, we were able to find 1,097 unlisted browser extensions ranging from internal directory lookup tools to hidden Google Docs extensions that pose a serious threat to their 127 million users. Keywords: browser extensions · JavaScript · browser security 1 Introduction Although they run largely in the background, extensions can be quite useful to the end user. Performing everything from letting users manage their email, to helping people manage their banking and crypto accounts, to blocking inva- sive ads (one of their most popular uses), extensions can ease the web browsing experience for many users. Upon installation, extensions will request the user for various permissions [9], however, many users have been conditioned to click "accept" without careful analysis of the permissions they are granting [10].
    [Show full text]
  • Ringcentral for Google Chrome Extension User Guide Introduction 6
    RingCentral for Google Chrome Extension User Guide RingCentral for Google Chrome Extension | User Guide | Contents | 2 C ontents Introduction ................................ ............................... 4 About RingCentral for Google Chrome Extension ................................ ................... 5 About this Guide ...................................................................... 5 Basics ............................................................................. 5 Installation ................................................................. 7 Verify Installation ............................................................ 8 Login ..................................................................... 9 Minimize and Close Button .................................................... 10 Options .................................................................. 11 Settings .................................................................. 12 Calling ................................................................... 13 Region .................................................................. 14 Status ................................................................... 15 Click to Dial/SMS ........................................................... 15 Authorize ................................................................. 16 Feedback ................................................................. 16 EULA and Version ........................................................... 16 Logout ..................................................................
    [Show full text]
  • Giant List of Web Browsers
    Giant List of Web Browsers The majority of the world uses a default or big tech browsers but there are many alternatives out there which may be a better choice. Take a look through our list & see if there is something you like the look of. All links open in new windows. Caveat emptor old friend & happy surfing. 1. 32bit https://www.electrasoft.com/32bw.htm 2. 360 Security https://browser.360.cn/se/en.html 3. Avant http://www.avantbrowser.com 4. Avast/SafeZone https://www.avast.com/en-us/secure-browser 5. Basilisk https://www.basilisk-browser.org 6. Bento https://bentobrowser.com 7. Bitty http://www.bitty.com 8. Blisk https://blisk.io 9. Brave https://brave.com 10. BriskBard https://www.briskbard.com 11. Chrome https://www.google.com/chrome 12. Chromium https://www.chromium.org/Home 13. Citrio http://citrio.com 14. Cliqz https://cliqz.com 15. C?c C?c https://coccoc.com 16. Comodo IceDragon https://www.comodo.com/home/browsers-toolbars/icedragon-browser.php 17. Comodo Dragon https://www.comodo.com/home/browsers-toolbars/browser.php 18. Coowon http://coowon.com 19. Crusta https://sourceforge.net/projects/crustabrowser 20. Dillo https://www.dillo.org 21. Dolphin http://dolphin.com 22. Dooble https://textbrowser.github.io/dooble 23. Edge https://www.microsoft.com/en-us/windows/microsoft-edge 24. ELinks http://elinks.or.cz 25. Epic https://www.epicbrowser.com 26. Epiphany https://projects-old.gnome.org/epiphany 27. Falkon https://www.falkon.org 28. Firefox https://www.mozilla.org/en-US/firefox/new 29.
    [Show full text]
  • BOARD of EDUCATION GLENBROOK HIGH SCHOOLS April 13, 2020 REGULAR BOARD MEETING - 7:00 P.M
    BOARD OF EDUCATION GLENBROOK HIGH SCHOOLS April 13, 2020 REGULAR BOARD MEETING - 7:00 p.m. Location: Glenbrook District Office Public Meeting Room 100A ​ 3801 W. Lake Avenue, Glenview, IL 60026* * This meeting will be conducted telemetrically using the Zoom webinar platform pursuant to Executive Order in Response to COVID-19 No. 5 ​ View Instructions on How to Join the Zoom Webinar AGENDA 1. (7:00) Call to Order – Roll Call 2. (7:02) Approval of the Agenda for this Meeting 3. (7:03) Recognition of Community Visitors Anyone who would like to address the Committee may do so by calling (847) 486-4728 and leaving up to a three-minute voicemail message. Comments should be related to topics on the board agenda. Messages must be left by 3:00 PM on the day of the meeting. Please leave your name and address on the message so that the administration may be able to follow up if necessary. Messages will be subsequently reviewed to ensure they are appropriate for a public presentation (e.g., no profanity), and then played aloud during the public comment period on the agenda. 4. (7:08) Board and Superintendent Reports 5. (7:15) Approval of Consent Agenda Items: A. Appointments a. Certified b. Support Staff B. Resignations/Terminations a. Certified b. Support Staff C. FOIA D. Approval of Accounts Payable Bills E. Approval of Payroll Disbursements F. Approval of Revolving Fund Reimbursement G. Minutes a. March 16, 2020, Special Board Meeting b. March 16, 2020, Special Closed Board Meeting c. March 16, 2020, Regular Board Meeting d.
    [Show full text]
  • How to Install and Run Microsoft Office on a Chromebook
    How to install and run Microsoft Office on a Chromebook To use Office on your Chromebook, install the Office mobile apps through the Google Play Store. If your Chromebook uses the Chrome Web Store instead, you can install Office Online to create, edit, and collaborate on your Office files in your browser. Notes: To find out which Chromebooks support the Office mobile apps from the Google Play Store, see Chrome OS Systems Supporting Android App. You can’t install the Windows or Mac desktop versions of Office 365 or Office 2016 on a Chromebook. How to install Office apps on a Chromebook: 1. Open the Google Play Store and search for the apps you want to install. Or you can click on any of these links to download a specific app: Microsoft Outlook, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, OneNote, Office Lens, or Skype for Business. 2. Click Install. 3. Once your app(s) are installed, click the Launcher on your Chromebook and click on the app to open it. 4. Sign in with your personal Microsoft Account or your account associated with your Office 365 subscription. See Install and set up Office on an Android for details on how to sign in to Office on Android. Note: You can view files and do basic editing in the Office mobile apps if you're signed in with your Microsoft Account (it's free and you can use an existing email). If you have an Office 365 subscription, you can sign into the app with the account associated with your subscription to use more advanced editing features with Office 365.
    [Show full text]