No. what it should do is act like android plugins and pop a security warning if any permission level changes between updates, or if it modifies settings.
Disabling auto update may add more problems if the app has bugs that can be exploited. I'd rather have Chrome disable the plugin if permissions change instead of removing auto update altogether.
On another note. why is this all of a sudden news now? I've been seeing all of these Virus ads and plugins posts on slashdot this week and I've been seeing this stuff going in chrome for Months now. Hell 60-70% of my service calls are from this stuff.
Hell, I had two Chromebooks come in infected and you can't just remove the extension on a chromebook. You basicially have to log into google using Chrome on a windows PC, Infect that chrome, disinfect it using ADWCleaner or JRT to remove the extension enough in chrome so it deletes the plugin in your cloud settings, and reset the Chromebook to factory (otherwise it comes back). So much for "Chromebooks don't get viruses", although Google now has a browser reset button (The two chromebooks were infected before this feature was added in the WIndows builds) so that might make it easier to remove. I sure hope so for Chromebook's sake.
Google. You Seriously need to start monitoring and cracking down on this stuff ASAP. And start paying attention to your damn Google ads! I'm sick of people installing buldleware virii everytime they search for any of the following:
Google Chrome (Thats right! They're hijacking your OWN BROWSER'S ADS ON YOUR OWN SEARCH ENGINE!)
Windows Media Player
VLC Media Player
ETC. (I can literally go on forever with this list. Just as a rule of thumb, if it's a popular software download, it's most likely been install hijacked by a Virus Inc.)
Anytime anyone uses adwords to get listed on a legitimate app, and it doesn't go to the Legitimate program's website, I want a big red light to start blinking with 150DB Sirens going off and a Evil Sounding voice that says WARNING!! ADWORDS HIJACK DETECTED!! going down somewhere in your security dept so your security team scours their ad submission in fear of the big red light of screaming Terror going off. And they better damn well ban that entire domain and any subdomains from ALL ADS FOR LIFE! Either Get Tough and declare war on spam and virus pushers or get steamrolled!
The same goes for you too MS. Fix Bing! See what Google is doing? You're doing the exact same thing and need the exact same remidies! Hell! Slahdot? Want a Bash MS Story for your front page? There's malicious apps in the Windows 8 Store! Just open up the store, search for "getdesktopapp" and see the Virus and Adware crap MS's Own Store is infecting people with! Now get on bashing M$ like you love to do. Chop Chop!
And as for Antivirus firms. (And frankly, I don't care who you are. You ALL suck when it comes to this) Wake The F Up! You detect Gator, A 10 year old adware/spyware mess as a virus, but Conduit SearchProtect is totally legitimate and in no way is a threat to computer users even though it does thins that are 10 times worse than anything Claria did? BS! Wake Up, Grow a Pair and start doing your damn job! It's a shame that the only people that detect these things is the people behind ADWCleaner and the Junkware Removal Tool (thanks BTW for making these two tools since noone else detects adware anymore). Adware is a VIrus now. Bundleware is a Virus. Start detecting and removing this crap as malware like you should! It's real easy to find out what to detect. If you install a wanted program (like Adobe reader), and it installs Something the person didn't want (like Ask Toolbar, or whatever garbageware of the day adobe gets paid to infect PC's with) It's malicious and should be flagged as such. I don't care if it's got a Checkmark to not install or who the hell is pushing the junkware or who the junkware creator is. the practice is bad and needs to die.