Microsoft Says Google Chrome Frame Makes IE Less Secure
Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"
Well they would say that wouldn't they (Score:5, Informative)
Re:Security issues with Google Chrome? (Score:3, Informative)
Every 6 months to a year it seems there is yet another goof up that lets users access other users' email (Gmail) or data (Google Docs).
While this is still better than the track record on many MS products, it still leads me to suspect the security of Google. Face it, they are good at distributing information, not hiding it... Now, unless *EVERY* Google security hole is already in IE, new holes will be added.
Re:Security issues with Google Chrome? (Score:5, Informative)
Citation please.
http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php [readwriteweb.com]
http://news.cnet.com/8301-1009_3-10226578-83.html [cnet.com]
Re:What about Flash? (Score:2, Informative)
Nope, the multiplier would be much bigger than double.
Re:kettle/black (Score:2, Informative)
Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.
Great, that happened *ten* years ago [wikipedia.org]. What has happened since? They've been chasing the Fox for the past *five* years.
Great, except I was responding to somebody who claimed that Microsoft hadn't made a DECENT browser in THIRTEEN years. 6 was fine when it came out, if nothing special, but 5, 7, and 8 have all had some pretty good features. Features that would make me drop AdBlock Plus? Hell no! But saying they can't make a 'decent' browser is just flamebait.
Re:kettle/black (Score:1, Informative)
@Post #29527707:
"That said, I still use Firefox (Somebody PLEASE make AdBlock Plus for Chrome and IE please! )"
Somebody already did create ad blocking software for IE but unfortunately it's not freeware and won't work with Adblock plus subscriptions (at least it didn't when I last tried it).
The name of the addon is called Adblock Pro.
Re:Of course (Score:1, Informative)
Whooooosh!
Re:kettle/black (Score:3, Informative)
Also, IE7 and 8 (on Vista and Windows 7) have a bunch of really impressive security features...
And even more impressive bloat, *especially* with regards to screen real estate, even with all the bars disabled. It's as if IE is parodying itself. [j-walkblog.com] Ever try using IE8 on a netbook? It doesn't work, you have to enter kiosk mode for it to be remotely useful. There's no thought to form or function, they just barfed menus all over the place and called it "progress".
Re:Double Standards (Score:5, Informative)
I thought I had a virus the first time I noticed it. http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html [washingtonpost.com]
Re:kettle/black (Score:5, Informative)
Maybe we should just start over completely. Make a new standard that doesn't rely on the rigid and inflexible concept of tags and use a scripting language and have a standard API. Leave HTML for TEXT formatting, and return it back to a document formatting language, leaving dynamic content to a totally separate system....
Re:kettle/black (Score:2, Informative)
Even if that person is Bree Olson?
Re:Security issues with Google Chrome? (Score:3, Informative)
Every 6 months to a year it seems there is yet another goof up that lets users access other users' email (Gmail) or data (Google Docs).
Unless I'm missing something, most of this revolves around users accessing their data through HTTP over insecure wireless, neither of which is required by Google.
It can be as simple as using https://mail.google.com/ [google.com]
There's even a handy little checkbox in the Gmail options to always use HTTPS.
Re:Well yes (Score:2, Informative)
For IE that's true - plugins run in the sandbox.
For Chrome (the full browser) it's not - in Chrome, plugins run out of the sandbox (their sandbox is only for the renderer).
I believe the issue here is that the Google Chrome plugin bypasses IE's anti-malware filter (SmartScreen) and the IE phishing filter, both of which have been shown to be better than Google's equivalent (there are numerous reports that show this, the most recent from NSS).
That's why MSFT is complaining about the chrome plugin decreasing the security of IE users.
Re:kettle/black Re:AdBlock for chrome / IE (Score:2, Informative)
You should check out Privoxy [privoxy.org] as an AdBlock replacement, it runs as a daemon / service, so it'll work with _any_ browser you use.
Re:Actually MS is right. (Score:5, Informative)
+1.
I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing. The point is just that no browser is by itself a silver bullet of invulnerability, especially when plugins and external runtimes are involved.
Now I run Chrome standalone with the -disable-java command line switch to cut the attack surface down a bit. It's not as versatile as NoScript in FF, but you can run Chrome instances with javascript, plugins, etc. disabled on an individual basis. A list is at http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/ [chromeplugins.org].
Re:Well yes (Score:3, Informative)
Depends on implementation (for some time, Flash installed an exemption for itself that let it use a broker process to get out of Protected Mode without letting the user know) but by default, yes, IE plugins have the same sandboxing as the browser itself.
Re:Friends? (Score:4, Informative)
There are standards for HTML? Who knew?
FWIW, as of this morning, the W3C Validator [http://validator.w3.org] reports
www.google.com ------------ 39 Errors, 2 warning(s)
www.microsoft.com -------- 300 Errors, 31 warning(s)
www.apple.com -------------- 6 Errors, 1 warning(s)
www.bing.com -------------- 12 Errors
http://validator.w3.org/ [w3.org] ------ Sorry! This document can not be checked
www.slashdot.org ---------- 64 Errors, 2 warning(s)
And don't those web page designers who are "dancing for joy" deserve a bit of credit for this shambles? I'd like to believe that they won't immediately start using features that work in chrome, but not IE because "all the user has to do is download a plugin." But if past experience is any guide, that is exactly what many of them will do.
Re:Security issues with Google Chrome? (Score:3, Informative)
And one which can be applied domain-wide, if you've got apps for your domain.
Re:I agree (Score:3, Informative)
CrossOver Office will run MS Office, the Adobe creative suite, and so forth very, very well. I no longer use MS Office at all, but I do use Photoshop and Illustrator on occasion, and I use esword on Linux all the time. The only things I cannot run that I need on Linux are embroidery applications (need "real" USB support for the machine) and I cannot run some games. At the office I can't run Quickbooks on Linux.
Many proprietary commercial apps DO run on Linux through WINE or one of the commercial variants.
Re:Friends? (Score:3, Informative)
For www.google.com the validator says:
I think it's kind of unfair to cite statistics without being clear about the limitations of the tools used.