
Microsoft Says Google Chrome Frame Makes IE Less Secure

Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"
  • by Chrisq ( 894406 ) on Thursday September 24, 2009 @09:01AM (#29527573)
    What do you expect; "This is great now our customers can access standards-compliant sites and have a faster, smoother web experience"?
  • by ByOhTek ( 1181381 ) on Thursday September 24, 2009 @09:19AM (#29527749) Journal

    Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).

    While this is still better than the track record on many MS products, it still leads me to suspect the security of Google. Face it, they are good at distributing information, not hiding it... Now, unless *EVERY* Google security hole is already in IE, new holes will be added.

  • by Anonymous Coward on Thursday September 24, 2009 @09:30AM (#29527869)
  • Re:What about Flash? (Score:2, Informative)

    by PIBM ( 588930 ) on Thursday September 24, 2009 @09:35AM (#29527917) Homepage

    Nope, the multiplier would be much bigger than double.

  • Re:kettle/black (Score:2, Informative)

    by Anonymous Coward on Thursday September 24, 2009 @09:48AM (#29528057)

    Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.

    Great, that happened *ten* years ago [wikipedia.org]. What has happened since? They've been chasing the Fox for past *five* years.

    Great, except I was responding to somebody who claimed that Microsoft hadn't made a DECENT browser in THIRTEEN years. 6 was fine when it came out, if nothing special, but 5, 7, and 8 have all had some pretty good features. Features that would make me drop AdBlock Plus? Hell no! But saying they can't make a 'decent' browser is just flamebait.

  • Re:kettle/black (Score:1, Informative)

    by djnforce9 ( 1481137 ) on Thursday September 24, 2009 @09:49AM (#29528073)

    @Post #29527707:

    "That said, I still use Firefox (Somebody PLEASE make AdBlock Plus for Chrome and IE please! )"

    Somebody already did create ad blocking software for IE but unfortunately it's not freeware and won't work with Adblock plus subscriptions (at least it didn't when I last tried it).

    The name of the addon is called Adblock Pro.

  • Re:Of course (Score:1, Informative)

    by Anonymous Coward on Thursday September 24, 2009 @09:55AM (#29528133)

    Whooooosh!

  • Re:kettle/black (Score:3, Informative)

    by Anonymous Coward on Thursday September 24, 2009 @09:57AM (#29528161)

    Also, IE7 and 8 (on Vista and Windows 7) has a bunch of really impressive security features...

    And even more impressive bloat, *especially* with regards to screen real estate, even with all the bars disabled. It's as if IE is parodying itself. [j-walkblog.com] Ever try using IE8 on a netbook? It doesn't work, you have to enter kiosk mode for it to be remotely useful. There's no thought to form or function, they just barfed menus all over the place and called it "progress".

  • Re:Double Standards (Score:5, Informative)

    by gabebear ( 251933 ) on Thursday September 24, 2009 @09:58AM (#29528189) Homepage Journal
    They not only add the .Net plugin to Firefox without asking you, they change the useragent string for Firefox... oh and the .Net plugin doesn't have a built-in uninstaller like every other plugin.

    I thought I had a virus the first time I noticed it. http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html [washingtonpost.com]
  • Re:kettle/black (Score:5, Informative)

    by Kagetsuki ( 1620613 ) on Thursday September 24, 2009 @10:02AM (#29528227)
    IE 5 was great, but MS making IE5 great and taking the market lead seems to have given them the idea that they could implement their own features all on their own and make everyone conform to their standards, which they are still doing now. The thing is the way Internet Explorer implemented a lot of features gave a lot of things that just couldn't be easily done or done at all until HTML5 was actually adopted. The problem there is that HTML 5 took forever. Evolution of the web by its own standards committee has been gruelingly slow and the massive amount of garbage that has come out in-between and the amount of junk included in HTML 5 itself is astounding. Even if you could say some new features submitted are great there is just so much overlapping of features it's hard to tell what is the best way to do anything now. Do you write a site with canvas and hope people using IE will install Chrome Frame? Do you write two versions of the same site, one using "standard" HTML 5/XML Namespaces/SVG/Canvas and one using whatever Microsoft developed 5 years ago to achieve the same thing but in the Microsoft way? Speaking of SVG, the Adobe SVG plugin for IE can't read modern SVG files and the Google SVG to Flash translator breaks if you use any other new web technology with it (xlink for example). And don't even get me started on how terrible Flash is, it's just depressing. Java web launch? Has anybody even heard of it? How many general PC users even have the Java plug-in properly installed (I'm betting a 3 year old can count that high)?

    The internet sucks and it sucks in two different directions: the "anything goes and we'll do whatever we want Microsoft direction" and the "we'll do everything you want but we'll fight about how to do it for 5 years, then never actually call the standard finalized so we can just arbitrarily change it and if any browser developers complain we'll just tell them they shouldn't have implemented it if it wasn't finalized" W3C/Gecko/Webkit/Opera direction.

    Maybe we should just start over completely. Make a new standard that doesn't rely on the rigid and inflexible concept of tags and use a scripting language and have a standard API. Leave HTML for TEXT formatting, and return it back to a document formatting language, leaving dynamic content to a totally separate system....
  • Re:kettle/black (Score:2, Informative)

    by plague3106 ( 71849 ) on Thursday September 24, 2009 @10:10AM (#29528325)

    Even if that person is Bree Olson?

  • by Ephemeriis ( 315124 ) on Thursday September 24, 2009 @10:13AM (#29528361)

    Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).

    Unless I'm missing something, most of this revolves around users accessing their data through HTTP over insecure wireless, neither of which is required by Google.

    It can be as simple as using https://mail.google.com/ [google.com]

    There's even a handy little checkbox in the Gmail options to always use HTTPS.

  • Re:Well yes (Score:2, Informative)

    by Anonymous Coward on Thursday September 24, 2009 @10:18AM (#29528409)

    For IE that's true - plugins run in the sandbox.

    For Chrome (the full browser) it's not - in Chrome, plugins run out of the sandbox (their sandbox is only for the renderer).

    I believe the issue here is that the Google Chrome plugin bypasses IE's anti-malware filter (SmartScreen) and the IE phishing filter, both of which have been shown to be better than Google's equivalent (there are numerous reports that show this, the most recent from NSS).

    That's why MSFT is complaining about the Chrome plugin decreasing the security of IE users.

  • by Anonymous Coward on Thursday September 24, 2009 @10:26AM (#29528531)

    You should check out Privoxy [privoxy.org] as an AdBlock replacement, it runs as a daemon / service, so it'll work with _any_ browser you use.

  • by RareButSeriousSideEf ( 968810 ) on Thursday September 24, 2009 @10:40AM (#29528717) Homepage Journal

    +1.

    I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not JavaScript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing. The point is just that no browser is by itself a silver bullet of invulnerability, especially when plugins and external runtimes are involved.

    Now I run Chrome standalone with the -disable-java command line switch to cut the attack surface down a bit. It's not as versatile as NoScript in FF, but you can run Chrome instances with JavaScript, plugins, etc. disabled on an individual basis. A list is at http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/ [chromeplugins.org].

  • Re:Well yes (Score:3, Informative)

    by cbhacking ( 979169 ) <been_out_cruising-slashdot@@@yahoo...com> on Thursday September 24, 2009 @10:49AM (#29528817) Homepage Journal

    Depends on implementation (for some time, Flash installed an exemption for itself that let it use a broker process to get out of Protected Mode without letting the user know) but by default, yes, IE plugins have the same sandboxing as the browser itself.

  • Re:Friends? (Score:4, Informative)

    by vtcodger ( 957785 ) on Thursday September 24, 2009 @10:54AM (#29528903)

    There are standards for HTML? Who knew?

    FWIW, as of this morning, the W3C Validator [http://validator.w3.org] reports

    www.google.com ------------ 39 Errors, 2 warning(s)
    www.microsoft.com -------- 300 Errors, 31 warning(s)
    www.apple.com -------------- 6 Errors, 1 warning(s)
    www.bing.com -------------- 12 Errors
    http://validator.w3.org/ [w3.org] ------ Sorry! This document can not be checked
    www.slashdot.org ---------- 64 Errors, 2 warning(s)

    And don't those web page designers who are "dancing for joy" deserve a bit of credit for this shambles? I'd like to believe that they won't immediately start using features that work in Chrome, but not IE because "all the user has to do is download a plugin." But if past experience is any guide, that is exactly what many of them will do.

  • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Thursday September 24, 2009 @11:13AM (#29529131) Journal

    And one which can be applied domain-wide, if you've got apps for your domain.

  • Re:I agree (Score:3, Informative)

    by kimvette ( 919543 ) on Thursday September 24, 2009 @12:23PM (#29530019) Homepage Journal

    CrossOver Office will run MS Office, the Adobe Creative Suite, and so forth very, very well. I no longer use MS Office at all, but I do use Photoshop and Illustrator on occasion, and I use e-Sword on Linux all the time. The only things I cannot run that I need on Linux are embroidery applications (need "real" USB support for the machine) and I cannot run some games. At the office I can't run QuickBooks on Linux.

    Many proprietary commercial apps DO run on Linux through WINE or one of the commercial variants.

  • Re:Friends? (Score:3, Informative)

    by ajs ( 35943 ) <ajs.ajs@com> on Thursday September 24, 2009 @04:57PM (#29533329) Homepage Journal

    For www.google.com the validator says:

    Using experimental feature: HTML5 Conformance Checker.

    I think it's kind of unfair to cite statistics without being clear about the limitations of the tools used.
