Plug-ins can open vulnerabilities in even relatively secure browsers like Chrome. Even coders, like Jeff Atwood, can fall victim. Here's how to reign in plug-ins like Java, or disable them entirely, in Google Chrome.
At question-and-answer site Super User, Atwood explains how a Java plug-in left him vulnerable to fake antivirus software installing without permission—even after he tried to shut down an installation request. Users pointed out Chrome's ability to either set plug-ins as "click to play", or having certain plug-ins disabled entirely.
First off, enter about:flags into Chrome's address bar, then look for the option for "Click to play." Click the link below it to enable the feature. You'll need to click the "Restart now" button at the bottom of this page before moving forward. So, go ahead, and your tabs should come back, too.
Back? Hit the wrench button in your Chrome toolbar, click Options, then head to the Under the Hood section. Click the Content settings button, move over to Plug-ins, and set the "When I encounter plug-ins ..." option to "Click to play." Now you'll need to expressly click on a Java-powered section of a web site to allow Java to do anything on a page.
Super User has other sound suggestions on what one can do to minimise or eliminate plug-in vulnerabilities, like disabling Java entirely (done from the chrome://plugins page), or installing a 64-bit plug-in that your system doesn't actually know is available. What have you seen as a proper level of security when it comes to browser plug-ins?
Disable Java Plugin in Google Chrome? [Super User]