
Microsoft Says Google Chrome Frame Makes IE Less Secure

Posted by CmdrTaco
from the less-secure-than-what-exactly dept.
Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"

  • by commodore64_love (1445365) on Thursday September 24 2009, @09:02AM (#29527585) Journal

    Dear Microsoft:

    Citation please. Evidence. Facts. Or retract.

    'k thanks,

    Google

  • I agree (Score:5, Insightful)

    by kimvette (919543) on Thursday September 24 2009, @09:02AM (#29527599) Homepage Journal

    "This is not a risk we would recommend our friends and families take."

    . . . which is why one should run Firefox, konqueror, Mozilla, or Opera on Linux, Solaris, or BSD instead.

  • Re:kettle/black (Score:5, Insightful)

    by ta bu shi da yu (687699) on Thursday September 24 2009, @09:03AM (#29527607) Homepage

    I know. Ho hum. Someone tell Microsoft to wake me up when they get around to actually making a decent browser. How many years has it been? 13 years?

  • Of course (Score:5, Insightful)

    by PhasmatisApparatus (1086395) on Thursday September 24 2009, @09:04AM (#29527615)
    Of course it doubles the attack rate of malicious scripts... It makes Javascript run twice as fast.

    In other news, Microsoft has said that Moore's Law is a security risk, because viruses can install themselves twice as fast every 18 months.
  • Thanks (Score:5, Insightful)

    by Anonymous Coward on Thursday September 24 2009, @09:06AM (#29527621)

    You just made one of the most important arguments against Silverlight official.

  • by Anonymous Coward on Thursday September 24 2009, @09:07AM (#29527633)
    Given Google's horrible history with security and the fact MS's statement really just says it increases the attack surface (pretty much a fact with any plugin), what exactly do you want evidence of?
  • Double Standards (Score:5, Insightful)

    by Anonymous Coward on Thursday September 24 2009, @09:12AM (#29527663)

    So... forcing the .NET plug-in on Firefox users was OK, but a voluntary add-on from Google is a security risk? Good to know.

  • by selven (1556643) on Thursday September 24 2009, @09:13AM (#29527677)
    Google has a horrible history with security?
  • Re:Textbook FUD (Score:3, Insightful)

    by selven (1556643) on Thursday September 24 2009, @09:15AM (#29527695)
    You're not just adding the security of Chrome and IE, you're adding their insecurity as well.
  • Re:kettle/black (Score:3, Insightful)

    by Anonymous Coward on Thursday September 24 2009, @09:15AM (#29527707)
    Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape. There's a reason EVERYBODY dumped Netscape, and it wasn't just "it came with Windows", because at first, it didn't...

    Also, IE7 and 8 (on Vista and Windows 7) have a bunch of really impressive security features, albeit they're still behind in standards. And "accelerators" are extremely useful.

    That said, I still use Firefox (Somebody PLEASE make AdBlock Plus for Chrome and IE please!)
  • By that logic... (Score:3, Insightful)

    by MoOsEb0y (2177) on Thursday September 24 2009, @09:23AM (#29527795)
    ... we should ban flash, acrobat reader, quicktime, and dozens of other plugins that all have regularly reported vulnerabilities.
  • by Svartalf (2997) on Thursday September 24 2009, @09:24AM (#29527801) Homepage

    Humor: (Noun)

    1. a comic, absurd, or incongruous quality causing amusement: the humor of a situation.

    2. the faculty of perceiving what is amusing or comical: He is completely without humor. (Something you seem to lack yourself...)

  • Re:Of course (Score:3, Insightful)

    by tolan-b (230077) on Thursday September 24 2009, @09:27AM (#29527839)

    Attack surface not attack rate..

  • What about Flash? (Score:2, Insightful)

    by Anonymous Coward on Thursday September 24 2009, @09:28AM (#29527845)

    ".... has doubled the attack area for malware and malicious scripts."

    Can't the same thing be said about the Flash Player Plugin?

  • Oh please (Score:2, Insightful)

    by gibbo2 (58897) on Thursday September 24 2009, @09:28AM (#29527847) Homepage
    Because people still using IE6 are really worried about their browser security...
  • Re:Textbook FUD (Score:5, Insightful)

    by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Thursday September 24 2009, @09:28AM (#29527849) Homepage Journal

    I'm happy to believe that IE8 actually has a good security model.

    And I thought that included sandboxing plugins? How can any plugin be a serious security threat when MS went through such pains to make IE bulletproof?

  • Re:kettle/black (Score:5, Insightful)

    by Chabil Ha' (875116) on Thursday September 24 2009, @09:30AM (#29527873)

    Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.

    Great, that happened *ten* years ago [wikipedia.org]. What has happened since? They've been chasing the Fox for the past *five* years.

  • Re:kettle/black (Score:2, Insightful)

    by Anonymous Coward on Thursday September 24 2009, @09:30AM (#29527877)

    Demetri Martin's standup doesn't transfer well to text ;)

  • by MadKeithV (102058) on Thursday September 24 2009, @09:34AM (#29527909)
    "Microsoft pretends IE could possibly be made less secure by changing anything about it."
  • by dgun (1056422) on Thursday September 24 2009, @09:37AM (#29527929) Homepage
    ..is scared.

    So Microsoft, how does it feel? How does it feel to have a big bad company with a near monopoly in one market (Google in search) threaten your stake in a different market (browsers)?
  • by horatio (127595) on Thursday September 24 2009, @09:37AM (#29527939)
    Wait, isn't it Microsoft that silently installs a plugin into Firefox during a Windows update session, and disables the "uninstall" functionality? Guy has some nerve to stand around and wag his finger at Google.
  • by beelsebob (529313) on Thursday September 24 2009, @09:47AM (#29528049)

    Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.

    So yes, Microsoft is right, but rather missing the point... If you're using a Chrome frame, you're probably not using IE frames, which means that you're as secure as WebKit's security flaws.

    Why you'd do that rather than just using chrome I have no idea though.

  • by c-reus (852386) on Thursday September 24 2009, @09:49AM (#29528069) Homepage

    "Microsoft releases new critical IE patch that accidentally disables the Chrome Frame"

  • by Jezza (39441) on Thursday September 24 2009, @09:50AM (#29528085)

    Given that this is IE6, I think any talk about security is somewhat moot. Unless I don't understand it, this should make IE6 more secure - Chrome after all is a "modern" browser, and the page will be run inside that, and not actually touch the rest of IE6's feature set. I really don't see this at all, it strikes me that this is FUD. Maybe I'm missing the point here.

    Anyway, if users actually cared about security they'd not be running IE6 - even Microsoft see the upgrade from that as "critical".

  • by SanityInAnarchy (655584) <ninja@slaphack.com> on Thursday September 24 2009, @09:55AM (#29528143) Journal

    Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).

    Unless I'm missing something, most of this revolves around users accessing their data through HTTP over insecure wireless, neither of which is required by Google.

    It can be as simple as using https://mail.google.com/

  • by Anonymous Coward on Thursday September 24 2009, @09:59AM (#29528199)

    Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).

    Your premise is wrong, hence your argument is wrong. All those goof-ups were not with the gmail you use, or the google docs you use. They were with contractual installations in colleges, etc. It's really like saying "Oh, hey, MS Exchange in X college got hacked, MS's security sucks!"

  • by Anonymous Coward on Thursday September 24 2009, @10:03AM (#29528247)
    What exactly do bugs in a few web apps have to do with the chrome browser or engine?
  • Re:Well yes (Score:5, Insightful)

    by Captain Hook (923766) on Thursday September 24 2009, @10:06AM (#29528277)
    I thought plug-ins/add-ons ran as part of the host browser's CPU process, and thus if IE is sandboxed wouldn't Chrome also be sandboxed?
  • by robmv (855035) on Thursday September 24 2009, @10:07AM (#29528289)

    Applying the same crazy MS thoughts, Silverlight makes IE less secure.

  • Friends and family (Score:4, Insightful)

    by 93 Escort Wagon (326346) on Thursday September 24 2009, @10:09AM (#29528309)

    Well of course Microsoft "doesn't recommend" their friends and family use the Chrome plugin. If they did, next thing you know their friends and family are down at the T-Mobile shop eying Android phones, or over at the Apple Store snapping up an iPhone. As long as those friends and family are only exposed to Microsoft products, they'll never realize that the grass, indeed, really is greener on the other side of that fence - because those other guys actually feed and water their lawn!

  • by Deathlizard (115856) on Thursday September 24 2009, @10:12AM (#29528335) Homepage Journal

    By running this plugin, you would be exposing yourself to not only Possible IE exploits, but possible Chrome Exploits as well. It would be much safer to run the Chrome browser standalone since it reduces the attack surface. It would probably be faster standalone too.

  • Re:kettle/black (Score:5, Insightful)

    by noundi (1044080) on Thursday September 24 2009, @10:13AM (#29528357)

    Microsoft Says Google Chrome Frame Makes IE Less Secure

    Of course they do! Disregard the fact that they provide no evidence at all, and that they use this:

    Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts.

    as an argument to prove their point (???), but really, this is Google's way of taking over the MS userbase as explained here [slashdot.org], and MS knows it. If Google Wave becomes a hit, people will remember this move as the first important joust won by Google. IE with its crippled javascript hopes to prevent the popularity of Google Wave by using scorched earth policy. [wikipedia.org]

  • Re:kettle/black (Score:2, Insightful)

    by Anonymous Coward on Thursday September 24 2009, @10:16AM (#29528389)

    Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape. There's a reason EVERYBODY dumped Netscape, and it wasn't just "it came with Windows", because at first, it didn't....

    Yes I do, it was crap even then, compare its CSS support to Mozilla 5 (Netscape 6):

    http://www.richinstyle.com/bugs/table.html [richinstyle.com]

    IE has always been a pain, it was just less bad than Netscape 4 for a while.

  • Re:kettle/black (Score:5, Insightful)

    by poetmatt (793785) on Thursday September 24 2009, @10:23AM (#29528497)

    you're one of the rarest groups of all the fish in the pond, so to speak, per-se.

    Most of us like companies that patch vulnerabilities much faster/make browsers that are standards compliant, both from a legal perspective (meaning our employers are happier -not for me personally), and also from a safety/update perspective.

  • by Anonymous Coward on Thursday September 24 2009, @10:32AM (#29528617)
    I would have to disagree. I don't ever remember there being a time when IE could be said to have been ahead of its largest competitor ( whatever that competitor ). IE may have had a feature here and there that the other major browser lacked at times, but the other browser would have just as many or more features that IE lacked to counterbalance them. Though more people developed sites that took advantage of IE specific features than took advantage of Brand X specific features, and that had the effect of making IE look good since it was the only browser that could run these sites, that doesn't mean IE was better or ahead. "IE comes with windows" + "Windows is what everyone is running" = "If I develop for IE, then everyone can use my site."

    Which browser is more capable in some abstract sense matters little, what is important is what browser does what I want it to do ( for lazy site developers that means let me use the most features while having everyone able to view the site, for users it means which browser works with most of the web, and is integrated into my desktop OS as well making it fast to load ) And since people's machines were smaller back then most people just didn't have the ram to waste on having two browsers preloaded into ram all the time so they would both load fast IE did much of the work of the windows gui which actually makes sense. ) For that advantage, the browsing capabilities of IE could be quite inferior before using another browser on windows was justifiable. Many of us (like me) did it anyway, but most didn't have a stake in the browser wars, or understand that the only reason IE worked at all was that there was an alternative. A monopoly will always produce a steaming pile of crap because monopolies are allowed to. Monopolies always underproduce and overcharge. Competition means quality is necessary, and that it won't cost too much. Of course Microsoft is capable of producing good stuff, but not if it doesn't have to.

    Spending what could be shareholder profits on quality requires justification by the threat of losing customers.

  • by D Ninja (825055) on Thursday September 24 2009, @10:45AM (#29528769)

    "Oh, hey, MS Exchange in X college got hacked, MS's security sucks!"

    ...but...we do say that around here...

  • Re:kettle/black (Score:4, Insightful)

    by mcgrew (92797) * on Thursday September 24 2009, @10:48AM (#29528797) Journal

    And where are these supposed vulnerabilities, anyway? If Microsoft wanted IE to be secure they'd abandon Active-X and drop j-script in favor of javascript.

    I don't know why anyone but the ignorant would run IE. It (and all of Microsoft's offerings) have always been less secure than just about everyone else's.

  • Re:kettle/black (Score:2, Insightful)

    by bradley13 (1118935) on Thursday September 24 2009, @10:48AM (#29528807) Homepage
    Also a matter of opinion. IE5 had some nifty features, but was pretty far along in the second phase of Microsoft's standard "Embrace, Extend, Extinguish" strategy: it broke with established web standards in a major way. Because it was delivered with Windows, companies used it. They therefore built Intranet sites that didn't work with Netscape. The next step was extinguish, which worked pretty well until Firefox came along. So, yes, IE5 was nifty. And anyone who cared about the future of the Internet at the time rightly detested it.
  • Re:Textbook FUD (Score:3, Insightful)

    by amoeba1911 (978485) on Thursday September 24 2009, @10:51AM (#29528851) Homepage

    You can't add security, you can only add insecurity. A system is as secure as the weakest point of entry.

    That having been said, all plug-ins reduce security, including Flash and Silverlight, this is no different.

  • Re:kettle/black (Score:5, Insightful)

    by TheRaven64 (641858) on Thursday September 24 2009, @10:52AM (#29528873) Journal
    They make a valid point. IE has holes. Chrome has holes. IE with a Chrome plugin can be exploited by both vectors. There should be no debate over the fact that IE+Chrome is less secure than IE without Chrome. That is distracting from the real question, however, which is whether IE without Chrome is less secure than Chrome without IE.
  • by vitaflo (20507) on Thursday September 24 2009, @11:12AM (#29529105) Homepage

    Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.

    It's also true for any plug in you use in IE. I'm curious if MS would say the same about Flash, Java, etc? Because they all introduce their own security problems in IE in a similar way as Chrome Frame. The fact that MS is singling out Chrome Frame says more about how MS feels about Google than it does about the security of their browser.

  • Mistaken market. (Score:4, Insightful)

    by neo (4625) on Thursday September 24 2009, @11:56AM (#29529643) Homepage

    Google is not in the business of providing searches. Google is in the business of selling ads. It just happens that having the best search gives you more eyeballs on your ads. They leverage that advantage to gain share in other markets. It does sound like another company I've heard about.

    But you're on target here, this is obviously not comfortable for Microsoft. Five years ago they wouldn't have even bothered to issue a response. This is the kind of press release that is pure fear.

    Someone has made a plug-in for your browser that makes it 8X faster.

    • It shows incompetence of your developers that someone else had apparently patched your buggy/slow software.
    • Eventually people learn that it's actually another browser. Most people don't even know what a browser is.
    • Why use something in emulation when you can run the real thing? People will switch.

    It's something I said a long long long time ago. What can kill Microsoft? Something free.

  • by Anonymous Coward on Thursday September 24 2009, @11:57AM (#29529657)

    I suggest reading about Protected Mode as you are clearly ignorant of the API.

    The security features of the operating system are important, but even they provide significantly more functionality to a web browser than it should have. As a user you can establish an HTTP connection to a URL, download a binary, save it to a location in your profile, set it as executable and modify your login scripts to execute that binary. You might not be able to take root of the system, but you already own enough of it to perform nefarious tasks. Obviously the browser tries to prevent this from happening by simply not allowing such functionality through the implementation of ECMAScript, but that can't stop a plug-in from running rampant.

    Internet Explorer 7.0/8.0 running on Windows Vista, Windows Server 2008 or Windows 7.0 with User Account Control enabled has access to the Protected Mode API which allows for the process to declare a constrained execution context in which to run. This prevents the browser from performing any actions above that constrained context, even if the current user has permissions to carry out that task. In order to carry out individual specific tasks above that permission level the application works through a defined security broker to negotiate those actions. When you are downloading a file Internet Explorer asks the security broker to prompt you where you wish to save that file and the security broker allows Internet Explorer to write only to that file handle. The same is true when the browser wishes to read or write cached content, or even access the clipboard.

    All code running with the browser is confined within the same constrained token. If the browser itself is exploited through a vulnerability either in the browser itself or a plug-in that exploit is confined within the sandbox. On several occasions this has already mitigated actively exploited vulnerabilities from damaging machines. For example, shortly after Vista was released a vulnerability was discovered in how Windows parses animated cursor media files which allowed the execution of arbitrary code. On Windows XP and Windows Server 2003 this vulnerability allowed malicious code to execute within the context of the current user. On Windows Vista, by default, the exploit would still be successful in the sense that the arbitrary code would execute, however that code was severely constrained and unable to modify any part of the file system, even the profile of the current user. Such functionality mitigates much of the damage that is possible through a successful exploit, root or not.

    In the case of plug-ins they are normally sandboxed along with the browser. However, if the plug-in is installed with administrative access (which requires permissions through User Account Control) that installer may provide its own security broker which allows the plug-in to interact at a higher security level. This was true with Adobe Flash shortly after Vista was released. In those cases exploits would still be largely mitigated, but the attack surface of the security broker itself has increased and if a local escalation vulnerability can be identified then a successful browser exploit can subsequently exploit that vulnerability to obtain current user privileges.

    No other browser on any other platform goes to such lengths to constrain and mitigate successful exploits within the browser, especially by default. As much fun as it is to rag on Microsoft, this is one area in which they are significantly ahead of the competition.
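
The no-write-up rule and broker mediation described in the comment above, as a simplified Python model. It is an added illustration, not part of the original comment and not the Windows API; the class names, sample paths and the plug-in broker are hypothetical.

```python
import posixpath
from dataclasses import dataclass, field
from enum import IntEnum

class Integrity(IntEnum):
    LOW = 1     # sandboxed browser process and the plug-ins loaded into it
    MEDIUM = 2  # the logged-in user's ordinary processes and profile
    HIGH = 3    # elevated (administrator) processes

class AccessDenied(Exception):
    pass

@dataclass
class FileSystem:
    labels: dict                                   # path -> Integrity (constructed layout)
    contents: dict = field(default_factory=dict)

    def write(self, subject, path, data):
        # "No write up": a subject cannot modify an object labelled above itself.
        if subject < self.labels.get(path, Integrity.MEDIUM):
            raise AccessDenied(f"{subject.name} cannot write {path}")
        self.contents[path] = data

class Broker:
    """Medium-integrity helper: the sandbox's only route to user-level writes."""

    def __init__(self, fs, ask_user):
        self.fs, self.ask_user = fs, ask_user      # ask_user models the save prompt

    def save_download(self, suggested_name, data):
        chosen = self.ask_user(suggested_name)     # the user picks the path, not the caller
        if chosen is None:
            raise AccessDenied("user declined the download")
        self.fs.write(Integrity.MEDIUM, chosen, data)
        return chosen

class PluginBroker:
    """Hypothetical broker installed by a plug-in: extra code outside the sandbox."""

    def __init__(self, fs, allowed_prefix=None):
        self.fs, self.allowed_prefix = fs, allowed_prefix

    def write_setting(self, path, data):
        path = posixpath.normpath(path)            # collapse ".." before checking
        # With allowed_prefix=None the broker trusts any path the sandbox sends.
        if self.allowed_prefix is not None and not path.startswith(self.allowed_prefix):
            raise AccessDenied(f"broker refuses {path}")
        self.fs.write(Integrity.MEDIUM, path, data)

def attempt(action):
    try:
        action()
        return "allowed"
    except AccessDenied:
        return "denied"

def run_model():
    profile = "C:/Users/alice/"                    # constructed sample paths
    startup = profile + "startup.cmd"
    cache = profile + "AppData/LocalLow/cache.bin"
    plugin_dir = profile + "AppData/Plugin/"
    labels = {startup: Integrity.MEDIUM, cache: Integrity.LOW}
    data = b"constructed test bytes"
    fs = FileSystem(dict(labels))
    prompting = Broker(fs, ask_user=lambda name: profile + "Downloads/" + name)
    declining = Broker(fs, ask_user=lambda name: None)
    trusting = PluginBroker(FileSystem(dict(labels)))
    scoped = PluginBroker(FileSystem(dict(labels)), allowed_prefix=plugin_dir)
    return {
        "sandbox -> own cache": attempt(lambda: fs.write(Integrity.LOW, cache, data)),
        "sandbox -> startup script": attempt(lambda: fs.write(Integrity.LOW, startup, data)),
        "broker, user accepts": attempt(lambda: prompting.save_download("report.pdf", data)),
        "broker, user declines": attempt(lambda: declining.save_download("report.pdf", data)),
        "trusting plug-in broker -> startup": attempt(lambda: trusting.write_setting(startup, data)),
        "scoped plug-in broker -> startup": attempt(
            lambda: scoped.write_setting(plugin_dir + "../../startup.cmd", data)),
        "scoped plug-in broker -> own dir": attempt(
            lambda: scoped.write_setting(plugin_dir + "settings.ini", data)),
    }
```

`run_model()` returns the outcome of each case; the trusting plug-in broker is the only path by which the low-integrity caller reaches the startup script, which is the extra attack surface the comment attributes to installer-supplied brokers.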

  • Re:kettle/black (Score:1, Insightful)

    by Anonymous Coward on Thursday September 24 2009, @12:09PM (#29529811)
    lol @ your ignorance. Yes, they do. Check the bug reports.
  • by jellomizer (103300) on Thursday September 24 2009, @12:14PM (#29529883)

    Dear Microsoft,

    ActiveX.

    I told you back in the 90's it was a bad idea. So did the rest of us. But did you listen... No.

  • by onefriedrice (1171917) on Thursday September 24 2009, @01:06PM (#29530537)

    It's really like saying "Oh, hey, MS Exchange in X college got hacked, MS's security sucks!"

    Err... what's wrong with saying that? If MS Exchange is hacked because of a vulnerability in Exchange, then there's nothing wrong with saying that MS's security sucks. Likewise, if Google's service shares your emails with more people than you had in mind (whether or not it's a vulnerability with the public gmail or their private email service--and there have been problems with both), then what's wrong with saying Google's security sucks? Nothing, unless there's some sort of double-standard you are trying to promote.

    The only discussion down this avenue that is worth discussing is concerning the overall security provided by both MS and Google, relative to each other. Personally, I would wager that Google probably trumps MS in several security categories, but I haven't looked at any research, therefore this assertion is based mostly on my own observations and biases.

  • Re:kettle/black (Score:1, Insightful)

    by Anonymous Coward on Thursday September 24 2009, @01:17PM (#29530645)

    Dunno about you, but if I thought I was unhappy, I'd be pretty certain it was true.

  • Re:kettle/black (Score:2, Insightful)

    by mftb (1522365) on Thursday September 24 2009, @01:28PM (#29530793) Homepage

    Server-side language choice isn't at all a browser issue. Also, Mr. AC, other than Microsoft's own PR, can you cite any security problems here? Sure, they're introducing a new rendering engine that will undoubtedly have its own security problems, but they don't combine with IE's rendering engine's problem since only one of them is being used at a time.

  • by mcrbids (148650) on Thursday September 24 2009, @02:08PM (#29531305) Journal

    I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing.

    ... and the fact that this happened while you were using Chrome's "incognito mode" is a good indication of the types of sites that you were visiting when this happened.

    Look - wearing a bullet-proof vest does offer a degree of protection greater than normal clothing, but that doesn't mean that you should be walking around the red-light district of Oakland, CA after dark. You can still get knifed, kidnapped, or shot in the head. It also won't protect you from the impact of hitting the ground after jumping out of an airplane without a parachute.

    No tool is invulnerable, and no tool will protect you from risky behavior.

  • Re:kettle/black (Score:3, Insightful)

    by jhfry (829244) on Thursday September 24 2009, @02:33PM (#29531599)

    Actually... no.

    1 - IE's renderer has holes.
    2 - Chrome's renderer has (I believe) fewer holes (because it is not as tied to the OS).
    3 - Only 1 renderer will be used to render a malicious page.
    If 2 and 3 are true, then it follows that when Chrome's renderer is used, the browser is actually more secure.

    Of course this is highly dependent upon the level of communication between the browser and the renderer. I suspect that it is very minimal (button clicks, bookmarks, etc.) as tight integration would be unnecessary, costly, and more difficult to maintain.

    I think I will take the stance that using the chrome renderer on the IE browser will make a more secure online experience... and I will tell people such until someone can convince me that I am wrong. Microsoft's argument is like saying that Windows and McAfee AntiVirus make a system less secure than Windows by itself because McAfee increases the attack area, which it technically does.

  • by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Thursday September 24 2009, @03:37PM (#29532359) Homepage Journal

    Yes... because Microsoft makes piles of money off of Internet Explorer.

    In the low billions of dollars, at least. I know plenty of corporate types who are locked into Windows solely because of internal web apps that are hardcoded against IE6 or older. Unsurprisingly, IT doesn't want to pay for a beefier desktop machine for them to run their OS of choice plus a licensed copy of Windows in a VM just so they can access a certain site plus having to support twice the software for each person using such a system.
